Authentication with AD Forest

FD Moore January 17, 2020

This is my first go with Atlassian products. I have setup Jira, Confluence and Bitbucket to point to our local domain AD.  All of that works fine. 

I know Crowd supports SSO.  But right now I only have it working for accounts that are in the local AD domain.  We have a number of AD domains in a trusted forest that I want to use.  Is there a way, and if so, how, that I can authenticate across all of the domains in our AD forest?  For example, we have domains like us.co, ca.co, eu.co, that all are in a trusted AD domain forest.  I want to set it so that user1@eu.co can authenticate and user our software in the us.co domain.  

Do I have to setup different ldap directories for them in addition to my us.co connector?  If so, what user account do I use to authenticate to that domain?  The point of having a trusted forest is that in AD we can see other domain users and we can login to each other's domains using our own local domain accounts (e.g. I can logon to a ca.co workstation using my user1@us.co credentials).  Of course, we don't have administrator credentials on each other's domains, that defeats the purpose of the trusted domain scheme.  So how can I incorporate all of our trusted domains into our Crowd authentication so that everyone in all of the domains in the forest can use our software?

Thanks in advance!

1 answer

0 votes
Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 17, 2020

Hi @FD Moore 

You just need to configure an LDAP directory connector (of type Active Directory) in Crowd that points to the Global Catalog of your AD forest on LDAP port (3268) or LDAPS port (3269). You will thus see all your AD forest users and global groups in Crowd.

(Please note that Global Catalog requests are read only so you won't be able to delete/update your AD forest users and global groups from Crowd itself.)

Hope this helps!

FD Moore January 21, 2020

Awesome, thanks Bruno!  I don't need credentials in their domains?

Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 21, 2020

No you don't because you will create only one directory in Crowd that points to the Global Catalog of your AD forest. You need to reach out to an AD administrator of the root domain of the AD forest and ask them to provide you with the fully qualified domain name of a GC server (not all domain controllers are GC servers so you need to make sure that you request the right one). Then make sure that there is no firewall rule blocking connections from your Crowd server to that GC server on port 3269 (assuming that you will actually use the LDAPS port). As far as I remember any account in the forest should be able to send read-only LDAP requests to the GC server but you might want to double check that with the domain administrator of the root domain as well. Maybe they need to create a specific service account in the root domain for this.

FD Moore January 21, 2020

Thanks again Bruno for the quick help!

Ok, so this is where I am, which is where you suggested.  I was in the right place, but I'm obviously missing the critical link.  So here is our scenario:

One forest, 3 domains:  a.co, b.co, c.co

My domain is a.co.  dsquery -forest -igcl shows all my DCs as having the GC.  so in the Directory Connector I point the URL to the GC: ldap://dc1.a.co:3268.  FYI - I am the admin of the forest and I have the FQDN of the GC, which happens to be all of our domain controller (dc1.a.co).

I think it's the base DN that is giving me problems, or maybe not...  What should I specify for that?  Is it "OU=CO" since it's forest level root?  The connector works, but then the sync is what's failing, throwing ldap errors.  If I use the Base DN as our a.co domain it's only going to find our a.co accounts, not other domain's accounts in the forest. Each domain has their AD users in a different OU (e.g. ours is Dev Users, theirs is Test Users, etc.).  Again, the forest level is .co, and under it are the 3 domains, a.co, b.co, and c.co, with each domain having their own respective domain controllers.

Is there documentation on how to setup Crowd for forest authentication?  As I said, I'm new to Atlassian.  We were told that Crowd will provide this functionality, and it's the only reason why we bought Crowd, so this is the part I have to have working.

Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 21, 2020

Yes, according to Microsoft's documentation, you need to bind to the root level of your forest, "DC=CO".

It is hard to tell what is going wrong with the LDAP errors as I can't see them myself, but yes Crowd does support AD forests and GC as Atlassian even mentions those in the technical documentation of Crowd's LDAP connector (as you can see on that page they provide two recommendations in such cases).

Alternatively, if the GC scenario does not work for you, you can create 3 distinct directory connectors in Crowd, pointing to each domain's domain controller. You will then need to add those 3 directories as authorised directories for each application in Crowd. 3 domains is not a huge, so this won't be too tedious in the end. If you had a forest with like 15 domains, I would definitely insist on the GC scenario.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events