• Suggestion
    • Resolution: Unresolved

      Currently, Crowd requires the Admins to provide Login and Password to have access to the Crowd database.

      As an improvement, Crowd could use the current Windows Authentication to access the database (MS SQL).

            [CWD-1681] Support Windows Authentication For MS SQL Database

            Richard Marskell added a comment -

            Sorry, didn't realize I was in a Crowd bug. The above was for JIRA, but may be helpful here too.

            Richard Marskell added a comment -

            I was able to get integrated authentication to work (after installing initially to a temp database using mixed-mode).

            Note: Make sure you stop JIRA before doing this.

            First I changed my dbconfig.xml (in JIRA home directory) to have the following:

            <url>jdbc:sqlserver://SERVER;databaseName=JIRADATABASE;integratedSecurity=true</url>
            <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>

            I then downloaded the Microsoft SQL Server JDBC Driver 2.0 from here: http://www.microsoft.com/en-us/download/details.aspx?id=2505
            Once you extract the files from that, copy sqljdbc4.jar into the "lib" folder in the JIRA install (not home) directory.
            Then, you'll want to find the appropriate dll file from the "auth" folder (within the files extracted above) called "sqljdbc_auth.dll". Copy that into c:\windows\system32. Make sure you choose the right file for your system (i.e. x86 = 32-bit).

            That's it. I restarted JIRA and it worked.

            Bogdan Dziedzic [Atlassian] added a comment - edited

            I'm not sure why David suggested installing the SSO support for it. In my understanding SSO needs to be installed only if you don't want to provide user/password and use the OS service user to authenticate the connection.

            http://jtds.sourceforge.net/faq.html#urlFormat

            domain
            Specifies the Windows domain to authenticate in. If present and the user name and password are provided, jTDS uses Windows (NTLM) authentication instead of the usual SQL Server authentication (i.e. the user and password provided are the domain user and password). This allows non-Windows clients to log in to servers which are only configured to accept Windows authentication.
            If the domain parameter is present but no user name and password are provided, jTDS uses its native Single-Sign-On library and logs in with the logged Windows user's credentials (for this to work one would obviously need to be on Windows, logged into a domain, and also have the SSO library installed – consult README.SSO in the distribution on how to do this).

            My understanding is that, if you are OK with providing tomcat AD user/password, the only required change is the domain parameter in JDBC URL.

            David O'Flynn [Atlassian] added a comment -

            Rats. CWD-1684 - which I've just created - will need to be implemented to allow IWA properly then.

            Ben Floyd added a comment -

            The problem with this is that the setup wizard for Crowd does not let you leave the username and password fields blank. Yes, you could do this through the config with the jTDS driver IF you could get past the "Setup Database" screen in the installation wizard. I'm assuming also that this can be done easily with the WAR/EAR installation method, but the standalone does not work. Does anyone know if Crowd will create the database tables if they aren't there, or if this is only done on the setup screen in the standalone?


            David O'Flynn [Atlassian] added a comment -

            If you're using the jTDS driver on a Windows box, there should be a way to make this work:

            1. Install the native Single-Sign-On DLL (check README.SSO in the jTDS package for instructions)
            2. Add a parameter to the JDBC url of the form ;domain=X, where X is the domain you want to sign into.

            This should enable IWA authentication to the SQL Server database. See the jTDS FAQ for more.

            Note: this configuration is untested and is based solely on reading jTDS' documentation. Let us know if it works
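Added example, not part of the thread and not Atlassian or jTDS code: a small Python audit helper that reports which authentication mode a SQL Server JDBC URL selects, following the jTDS `domain` rules quoted in the comments above and the `integratedSecurity=true` property from the Microsoft driver configuration shown earlier, and flags configurations that still keep a password. Host names, the domain, the account names and the mode labels are constructed for this example; property names are compared case-insensitively as a simplification.

```python
# Added example: classify the authentication mode a SQL Server JDBC URL selects.
# Mode labels and sample values are constructed for illustration.

def parse_props(url):
    """Return the ';key=value' properties of a JDBC URL, keys lower-cased."""
    props = {}
    for part in url.split(";")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props

def classify(url, username="", password=""):
    """Return (mode, password_in_config).

    username/password are credentials configured beside the URL (for example
    in the same config file); properties inside the URL take precedence.
    """
    props = parse_props(url)
    user = props.get("user", username)
    pwd = props.get("password", password)
    if url.startswith("jdbc:jtds:sqlserver:"):
        if "domain" not in props:
            mode = "sql-server-login"
        elif user and pwd:
            mode = "windows-ntlm-explicit-credentials"  # domain + user + password
        elif not user and not pwd:
            mode = "windows-sso-process-identity"       # needs the native SSO library
        else:
            mode = "incomplete-credentials"             # only one of user/password set
    elif url.startswith("jdbc:sqlserver:"):
        integrated = props.get("integratedsecurity", "false").lower() == "true"
        mode = "windows-sso-process-identity" if integrated else "sql-server-login"
    else:
        raise ValueError("not a SQL Server JDBC URL: " + url)
    return mode, bool(pwd)

def audit(configs):
    """Return [(name, mode)] for entries that still keep a password in config."""
    return [(name, classify(*cfg)[0]) for name, cfg in configs.items()
            if classify(*cfg)[1]]

# Constructed sample configurations: (url, username, password)
SAMPLES = {
    "ms-integrated": ("jdbc:sqlserver://SERVER;databaseName=JIRADATABASE;integratedSecurity=true", "", ""),
    "jtds-sso": ("jdbc:jtds:sqlserver://dbhost.example:1433/crowd;domain=EXAMPLE", "", ""),
    "jtds-ntlm": ("jdbc:jtds:sqlserver://dbhost.example:1433/crowd;domain=EXAMPLE", "svc_crowd", "not-a-real-password"),
    "jtds-sql": ("jdbc:jtds:sqlserver://dbhost.example:1433/crowd", "crowd_db", "not-a-real-password"),
}
```

Calling `audit(SAMPLES)` lists the entries where a password is still present in configuration, which are the ones the suggestion in this issue aims to eliminate.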

              Unassigned Unassigned
              rbattaglin Renan Battaglin
              Votes: 5
              Watchers: 4