Access SharePoint using Integrated Windows Authentication (NTLM Only) with SP 2013

This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to SharePoint using Integrated Windows Authentication (NTLM only). These instructions apply to the connector for SharePoint 2010.

Overview

In this configuration, both Confluence and client browsers authenticate against SharePoint using Integrated Windows Authentication (NTLM only).

Use this Configuration when...
  • Confluence is not running on a Windows server. (If Confluence is running on Windows, you can use full IWA.)
  • There is minimal risk of eavesdropping on the network traffic from Confluence to SharePoint. Examples of scenarios involving minimal risk include:
    • The Confluence and SharePoint applications are on the same physical server. (For production use, we recommend that you run Confluence and SharePoint on separate machines, but you may choose to run them on the same server for evaluation purposes.)
    • The SharePoint site(s) are accessed using HTTP Secure (HTTPS).
    • The Confluence and SharePoint servers are on a private network segment.

If you have not already seen our guide to planning your environment, you can refer to it for information that will help you select the best configuration for your environment.

Caveats

NTLM Only

When configuring authentication for a top-level SharePoint site, the SharePoint Central Administration application allows administrators to select Integrated Windows Authentication using NTLM or Kerberos (or both).

Because the SharePoint Connector's Java components support only a limited set of authentication methods (see the section on additional layers of security below), the NTLM authentication option must be selected for a site collection to be accessible from Confluence.

Additional Layers of Security

If you are concerned about the possibility of password hashes sent from Confluence to SharePoint being captured and decoded by a third party, Atlassian recommends that you apply additional layers of security (such as HTTP Secure) if you use this configuration.

Because Confluence is written in Java, it depends on the Sun Java Virtual Machine's (JVM's) internal NTLM implementation to decode NTLM challenge messages from the server and issue encoded NTLM responses. Our testing of the SharePoint Connector with recent versions of the Sun JVM (1.6.*) indicates that the JVM is only able to work reliably with the NTLM and LAN Manager (LM) Windows Authentication protocols. Newer (and more secure) protocols such as NTLMv2 and Kerberos are not supported in this configuration.

LM authentication, and to a lesser extent NTLM, are regarded as weak authentication mechanisms, and there are widely accessible tools for recovering passwords from LM and NTLM responses. Atlassian recommends that you apply additional layers of security (such as HTTP Secure) if you use this configuration.

Installation Instructions

Domain or Local?

If your Windows user accounts are stored in Active Directory, then the configuration steps listed here must be applied to all Domain Controllers. If your user accounts are local accounts on the SharePoint Server, then the configuration steps must be applied to your SharePoint server.

LAN Manager Authentication Level

The LAN Manager Authentication Level controls what network authentication methods are supported by Windows clients and servers. The authentication level is controlled via a registry entry (called LMCompatibilityLevel) or a group policy setting (called Network Security: LAN Manager Authentication Level).

In order for Confluence to successfully authenticate against the SharePoint server, the LAN Manager Authentication Level must be set to one of the following values:

  Registry Key Value   Group Policy Value
  0                    Send LM & NTLM responses
  1                    Send LM & NTLM - use NTLMv2 session security if negotiated
  2                    Send NTLM response only
  3                    Send NTLMv2 response only
  4                    Send NTLMv2 response only. Refuse LM

For more information on how to alter this setting and greater detail on what the value of each setting entails, please consult this Microsoft TechNet article.

Note that this registry value does not need to be modified on the Confluence server. Confluence uses a Java HTTP client that is unaware of the Windows configuration.
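As an added example (not part of the Atlassian page), the following PowerShell script reads the LMCompatibilityLevel registry value on a Windows host and reports it against the table above. It assumes the value lives under the standard Lsa registry key; value 5 is included for completeness even though the table above does not list it.

```powershell
# Added example: audit the LAN Manager Authentication Level on a Windows host and
# map it to the Group Policy names listed in the table above.
# Assumption: the value is stored under the standard Lsa key (not stated on the page).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Registry value -> Group Policy name. Level 5 is not in the page's table.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the explicit registry value, or $null when the value is absent
    # (Windows then applies a version-dependent built-in default).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-ConnectorLmLevel {
    param([Nullable[int]]$Level)
    if ($null -eq $Level) {
        return "$ValueName is not set explicitly; set it to one of the listed values (0-4)."
    }
    $name = $LevelNames[[int]$Level]
    if ($Level -ge 0 -and $Level -le 4) {
        $msg = "Level $Level ($name) is one of the values listed for the SharePoint Connector."
        if ($Level -le 2) {
            # LM/NTLM responses can be captured and attacked offline; HTTPS limits exposure.
            $msg += ' LM/NTLM responses are weak; use HTTPS between Confluence and SharePoint.'
        }
        return $msg
    }
    return "Level $Level ($name) is outside the listed range; expect HTTP 401.1 from SharePoint."
}

# Run on every Domain Controller (domain accounts) or on the SharePoint server (local
# accounts), per the "Domain or Local?" section. The Confluence server itself is not checked.
$level = Get-LmCompatibilityLevel
Write-Output (Test-ConnectorLmLevel -Level $level)
```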

Symptoms of Unsupported LM Authentication Level

Using an unsupported LAN Manager Authentication Level will have the following results:

  • SharePoint will return an error: 'HTTP 401.1 Unauthorised: Access is denied due to invalid credentials'.
  • The error message you may see in Confluence is: 'org.apache.cxf.Interceptor.Fault: Could not send Message'.

Reboot Your SharePoint Server

We strongly recommend that you restart your SharePoint server after applying any of these configuration settings in order to ensure that they take effect.

Additionally, changes to your group policy may take a short while to propagate through your domain. Please keep this in mind when testing your configuration.

Next Step

To continue with the installation of the SharePoint Connector, please install and configure the Confluence plugins.

Last modified on Jun 24, 2013
