If you connect Confluence 3.5+ to Crowd using the connector, and Crowd is backing Confluence with a delegated LDAP directory, a user that is not in the directory will always fail their first login and will not be able to authenticate until the connector syncs.
Delegated LDAP Directory pointing to Apache DS
Delegated LDAP Directory pointing to MSAD
User jsmith exists in LDAP, but not yet in Crowd. User attempts to login to Confluence. The user it told that their username or password is incorrect. On the Crowd side, the user will be added to the directory successfully, but will continue to fail auth in Confluence until the directory sync with Crowd occurs.
This only happens when using the com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator class. If you are using the default Confluence authenticator class in your serap-config.xml, it works as expected. The user jsmith will attempt to login to Confluence and will be added to Crowd and Confluence.