Configuring Confluence to use Jespa for NTLM Authentication
This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to Confluence using Integrated Windows Authentication via a third-party software package called Jespa.
Supportability
This document applies to SharePoint Connector license holders only. For any Jespa-specific issues and support, please contact IOPLEX.
Installation
Step 1. Hook Confluence up to Active Directory
Configure Confluence to synchronize its user repository with the Active Directory domain. See the Confluence documentation on LDAP user management.
Step 2. Download and Install Jespa
- Download the Jespa package from the IOPlex website.
- Download the latest version of JCIFS from the Samba website: http://jcifs.samba.org/src/jcifs-1.3.17.zip
- Follow the Installation instructions in the Jespa technical documentation to install Jespa into your Confluence web app. Note that you need to follow the full installation guide for Jespa, which includes:
  - Creating a computer account in the target Active Directory domain for Jespa to authenticate with.
  - Testing your Jespa configuration with the Jespa example application provided.
Step 3. Configure Confluence
- Copy the Jespa and JCIFS libraries (the 'jar' files) from the downloaded zip files into your %confluence_install%/confluence/WEB-INF/lib directory.
- Open the %confluence_install%/confluence/WEB-INF/web.xml file in a text editor, and make the following modifications to the file:
  - Locate the section of the file that contains a <filter> with a <filter-name> set to 'login'. Immediately after this login filter, add a new <filter> for Jespa. You should copy the contents of the Jespa <filter> in the example application used in Step 2, once the example application is able to authenticate correctly. The changed web.xml file should look like this:

        <filter>
            <filter-name>login</filter-name>
            <filter-class>com.atlassian.seraph.filter.LoginFilter</filter-class>
        </filter>
        <filter>
            <filter-name>jespa</filter-name>
            <filter-class>jespa.http.HttpSecurityFilter</filter-class>
            <init-param>
                <param-name>jespa.log.path</param-name>
                <!-- Enter the path to where you would like the Jespa log to be stored -->
                <param-value>C:\confluence-data\logs\jespa.log</param-value>
            </init-param>
            <init-param>
                <param-name>jespa.log.level</param-name>
                <param-value>2</param-value>
            </init-param>
            <init-param>
                <param-name>jespa.bindstr</param-name>
                <!-- Enter the fully-qualified name of your Active Directory domain -->
                <param-value>atlassian.com</param-value>
            </init-param>
            <init-param>
                <param-name>jespa.service.acctname</param-name>
                <!-- Enter the name of the computer account created in Step 2, followed by the '$' sign, followed by the fully-qualified name of your Active Directory domain -->
                <param-value>CONFLUENCE$@atlassian.com</param-value>
            </init-param>
            <init-param>
                <param-name>jespa.service.password</param-name>
                <!-- Enter the password for the Jespa service account, which was set in Step 2. -->
                <param-value>JCnckGJHDSd28c7Nc</param-value>
            </init-param>
            <!-- Note: also copy over all other default Jespa parameter values from the example web.xml -->
        </filter>

  - Locate the section of the file that contains a <filter-mapping> with a <filter-name> set to 'login'. Immediately before this filter mapping, add a new <filter-mapping> for Jespa. The changed web.xml file should look like this:

        <filter-mapping>
            <filter-name>jespa</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <filter-mapping>
            <filter-name>login</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
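The Step 3 edits can be checked mechanically before Confluence is restarted. The following Python check is an added example, not part of the original guide or of Jespa or Confluence: it verifies that the Jespa filter is declared with the expected class, that the three account-related parameters are set, that the account name has the NAME$@domain form, and that the Jespa mapping precedes the login mapping. The names check_web_xml, REQUIRED and SAMPLE are hypothetical, and the sample uses a placeholder domain and password.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = ("jespa.bindstr", "jespa.service.acctname", "jespa.service.password")

def _kids(elem, name):
    # Match on local name so a namespaced web.xml (xmlns=...) works too.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def check_web_xml(xml_text):
    """Return a list of problems in the Jespa parts of a web.xml string."""
    root = ET.fromstring(xml_text)
    jespa = [f for f in _kids(root, "filter") if _text(f, "filter-name") == "jespa"]
    if not jespa:
        return ["no <filter> named 'jespa'"]
    params = {_text(p, "param-name"): _text(p, "param-value")
              for p in _kids(jespa[0], "init-param")}
    problems = [f"missing or empty init-param {n}" for n in REQUIRED if not params.get(n)]
    if _text(jespa[0], "filter-class") != "jespa.http.HttpSecurityFilter":
        problems.append("unexpected filter-class for 'jespa'")
    acct = params.get("jespa.service.acctname", "")
    if acct and not re.fullmatch(r"[^@$\s]+\$@[^@\s]+", acct):
        problems.append("jespa.service.acctname is not of the form NAME$@domain")
    # Filters run in <filter-mapping> order, so jespa must be mapped before login.
    order = [_text(m, "filter-name") for m in _kids(root, "filter-mapping")]
    if "jespa" not in order:
        problems.append("no <filter-mapping> for 'jespa'")
    elif "login" in order and order.index("jespa") > order.index("login"):
        problems.append("'jespa' filter-mapping comes after 'login'")
    return problems

# Constructed sample (placeholder domain and password), not a real web.xml.
SAMPLE = """<web-app>
  <filter><filter-name>login</filter-name><filter-class>com.atlassian.seraph.filter.LoginFilter</filter-class></filter>
  <filter><filter-name>jespa</filter-name><filter-class>jespa.http.HttpSecurityFilter</filter-class>
    <init-param><param-name>jespa.bindstr</param-name><param-value>example.test</param-value></init-param>
    <init-param><param-name>jespa.service.acctname</param-name><param-value>CONFLUENCE$@example.test</param-value></init-param>
    <init-param><param-name>jespa.service.password</param-name><param-value>PLACEHOLDER</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>jespa</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>login</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(check_web_xml(SAMPLE) or "OK")
```

To check a real installation, pass the contents of the edited web.xml to check_web_xml; an empty list means none of these problems were found.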
Step 4. Add Custom Authenticator
Download the latest SharePoint Connector custom authenticator appropriate for your version of Confluence (see the table below):

| Confluence 4.3.x and earlier | Confluence 5.0.x to 5.4.x | Confluence 5.5 and later |
| --- | --- | --- |
| customauth-0.6.jar | customauth-1.0.jar | customauth-1.1.jar |

- Copy the downloaded 'customauth-x.x.jar' to your %confluence_install%\confluence\WEB-INF\lib directory.
- Edit the %confluence_install%\WEB-INF\classes\seraph-config.xml file. Locate the Authenticator element and replace it with the following (you may wish to back up the file first in case you need to revert to the original configuration):

      <authenticator class="com.pixelpark.seraph.SSOAuthenticator" />

- Save your changes and close the file.
- Restart Confluence and ensure that the server initializes successfully.
Step 5. Set Client Browser Options
In order for users to be automatically logged in to Confluence without being prompted for their username and password, the browser must be correctly configured for pass-through authentication.
Please instruct all users to ensure that the recommended browser settings are applied.