Authentication with AD Forest

This is my first go with Atlassian products. I have set up Jira, Confluence and Bitbucket to point to our local domain AD. All of that works fine.

I know Crowd supports SSO. But right now I only have it working for accounts that are in the local AD domain. We have a number of AD domains in a trusted forest that I want to use. Is there a way, and if so, how, that I can authenticate across all of the domains in our AD forest? For example, we have domains like,,, that all are in a trusted AD domain forest. I want to set it so that can authenticate and use our software in the domain.

Do I have to set up different LDAP directories for them in addition to my connector? If so, what user account do I use to authenticate to that domain? The point of having a trusted forest is that in AD we can see other domains' users and we can log in to each other's domains using our own local domain accounts (e.g. I can log on to a workstation using my credentials). Of course, we don't have administrator credentials on each other's domains; that defeats the purpose of the trusted domain scheme. So how can I incorporate all of our trusted domains into our Crowd authentication so that everyone in all of the domains in the forest can use our software?

Thanks in advance!

1 answer

Hi @FD Moore 

You just need to configure an LDAP directory connector (of type Active Directory) in Crowd that points to the Global Catalog of your AD forest on LDAP port (3268) or LDAPS port (3269). You will thus see all your AD forest users and global groups in Crowd.

(Please note that Global Catalog requests are read only so you won't be able to delete/update your AD forest users and global groups from Crowd itself.)

Hope this helps!

Awesome, thanks Bruno!  I don't need credentials in their domains?

No you don't because you will create only one directory in Crowd that points to the Global Catalog of your AD forest. You need to reach out to an AD administrator of the root domain of the AD forest and ask them to provide you with the fully qualified domain name of a GC server (not all domain controllers are GC servers so you need to make sure that you request the right one). Then make sure that there is no firewall rule blocking connections from your Crowd server to that GC server on port 3269 (assuming that you will actually use the LDAPS port). As far as I remember any account in the forest should be able to send read-only LDAP requests to the GC server but you might want to double check that with the domain administrator of the root domain as well. Maybe they need to create a specific service account in the root domain for this.

Thanks again Bruno for the quick help!

Ok, so this is where I am, which is where you suggested.  I was in the right place, but I'm obviously missing the critical link.  So here is our scenario:

One forest, 3 domains:,,

My domain is  dsquery -forest -igcl shows all my DCs as having the GC, so in the Directory Connector I point the URL to the GC: ldap://  FYI - I am the admin of the forest and I have the FQDN of the GC, which happens to be all of our domain controllers (

I think it's the base DN that is giving me problems, or maybe not...  What should I specify for that?  Is it "OU=CO" since it's forest level root?  The connector works, but then the sync is what's failing, throwing ldap errors.  If I use the Base DN as our domain it's only going to find our accounts, not other domain's accounts in the forest. Each domain has their AD users in a different OU (e.g. ours is Dev Users, theirs is Test Users, etc.).  Again, the forest level is .co, and under it are the 3 domains,,, and, with each domain having their own respective domain controllers.

Is there documentation on how to setup Crowd for forest authentication?  As I said, I'm new to Atlassian.  We were told that Crowd will provide this functionality, and it's the only reason why we bought Crowd, so this is the part I have to have working.

Yes, according to Microsoft's documentation, you need to bind to the root level of your forest, "DC=CO".

It is hard to tell what is going wrong with the LDAP errors as I can't see them myself, but yes Crowd does support AD forests and GC as Atlassian even mentions those in the technical documentation of Crowd's LDAP connector (as you can see on that page they provide two recommendations in such cases).

Alternatively, if the GC scenario does not work for you, you can create 3 distinct directory connectors in Crowd, pointing to each domain's domain controller. You will then need to add those 3 directories as authorised directories for each application in Crowd. 3 domains is not a huge number, so this won't be too tedious in the end. If you had a forest with like 15 domains, I would definitely insist on the GC scenario.
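The answer and follow-ups above amount to a short checklist: find a DC that is actually a Global Catalog, use the forest root naming context (DC=..., not OU=...) as the base DN, make sure the Crowd host can reach port 3269, and confirm that a search rooted at the forest base DN through the GC port returns users from the child domains. The following PowerShell is an added example that walks that checklist on a domain-joined Windows host with the RSAT ActiveDirectory module; it is not code from the thread or from Atlassian. The user name "jdoe" is a placeholder, and the script assumes you run it (or at least the port test) from the Crowd server.

```powershell
# Added example, not from the original thread. Requires the RSAT
# ActiveDirectory module on a domain-joined host. "jdoe" is a placeholder.
Import-Module ActiveDirectory

# 1. Forest root and the GC servers. Not every DC is a GC, so do not guess.
$forest = Get-ADForest
"Forest root : $($forest.RootDomain)"
"Domains     : $($forest.Domains -join ', ')"
"GC servers  : $($forest.GlobalCatalogs -join ', ')"

# 2. Ask the DC locator for a Global Catalog instead of picking one by hand.
$gc     = Get-ADDomainController -Discover -Service GlobalCatalog -ForceDiscover
$gcHost = [string]$gc.HostName

# 3. The base DN Crowd needs is the forest root naming context (e.g. DC=co),
#    read from the server's rootDSE rather than typed by hand.
$rootDse = Get-ADRootDSE -Server $gcHost
$baseDn  = [string]$rootDse.rootDomainNamingContext
"Base DN     : $baseDn"

# 4. Run this part on the Crowd host: is the LDAPS GC port reachable?
Test-NetConnection -ComputerName $gcHost -Port 3269 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. A forest-wide lookup through the GC port (3268), rooted at the forest
#    base DN. A user from a child domain appearing here is the proof that the
#    same URL + base DN will work in the Crowd directory connector.
$search = @{
    Server      = "${gcHost}:3268"
    SearchBase  = $baseDn
    SearchScope = 'Subtree'
    Filter      = 'sAMAccountName -eq "jdoe"'
    Properties  = 'userPrincipalName', 'distinguishedName'
}
Get-ADUser @search |
    Select-Object sAMAccountName, userPrincipalName, distinguishedName
```

Two things worth knowing before you copy the values into Crowd. First, the GC ports matter as much as the base DN: the same server answers on 389/636 for its own domain only, and a subtree search rooted at the forest base DN on those ports returns referrals to the child domains instead of their entries, whereas on 3268/3269 the GC answers for the whole forest directly. Second, the GC holds only the partial attribute set; user attributes such as sAMAccountName, userPrincipalName and mail are in it, and universal group membership is complete, but the member lists of global and domain local groups from other domains are not replicated to the GC, so plan group-based permissions in Crowd around universal groups if they must span domains.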
