Configuring Confluence to use JCIFS for NTLM Authentication

This page is an addendum to the installation guide for the Confluence SharePoint Connector. It has notes on configuring access to Confluence using Integrated Windows Authentication via JCIFS.

JCIFS is not supported. Please use Jespa instead.

This configuration is not supported. We are supplying the instructions because some people are using this configuration, but please note that the JCIFS documentation itself deprecates the configuration. We recommend the use of Jespa instead. See our guide to configuring Confluence to use Jespa for NTLM authentication.

Overview

In this configuration both SharePoint and client browsers are authenticated against Confluence using Windows authentication provided by JCIFS, a third-party implementation written in Java.

If you have not already seen our guide to planning your environment, you can refer to it for information that will help you select the best configuration for your environment.

About JCIFS

JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java. CIFS is the standard file-sharing protocol on the Microsoft Windows platform.  The JCIFS library also includes a Servlet Filter that allows support for NTLM authentication over HTTP. For more information, visit the JCIFS website.

Authentication Methods

JCIFS supports the following Windows authentication methods:

  • LM
  • NTLMv1
  • NTLM2 Session Security (Maybe?)
  • LMv2

Feature Deprecation

This text is taken from the JCIFS website:

IMPORTANT: All HTTP related code and corresponding documentation in JCIFS is not supported, no longer maintained and will be removed because it is broken and obsolete (and because HTTP has nothing to do with CIFS). This page remains only for informational purposes and for legacy users.

The HTTP "filter" in particular uses a "man in the middle" technique that cannot support NTLMv2. Since late 2008, users have started to report that client security policy is requiring NTLMv2 and that this solution no longer works.

For this reason and others described in this post, this feature will be removed from the JCIFS package. Currently we recommend using Jespa which properly implements NTLMv2 server side authentication and includes an advanced NTLMv2 HTTP SSO Servlet Filter.

Installation Notes

We have tested JCIFS 1.3.14.

1. Download the latest jar from http://jcifs.samba.org/src/ and place it in Confluence (\confluence\WEB-INF\lib)
2. Add the attached file named "customauth-0.4.jar" to Confluence (\confluence\WEB-INF\lib)

The customauth-0.4.jar is heavily based on the code for the "Apache custom Seraph authenticator for Confluence"

The configuration for the customauth-0.4.jar is also based on the information related to the "NTLM Authenticator for Confluence" (particularly the reference to LDAP User Management).

3. Configure Confluence with LDAP User Management

See the attached "atlassian-user.xml" for an example integration with Active Directory.

Customizing atlassian-user.xml  also contains excellent information to help understand how to edit this file.

4. Test access to Confluence using the current "Login" page with both Active Directory accounts and non-Active Directory accounts

You will need to configure the Active Directory accounts to have appropriate permissions in Confluence (i.e., adding them to the confluence-users group)

5. Update \confluence\WEB-INF\web.xml to contain additional filter settings to support JCIFS

See JCIFS NTLM HTTP Authentication for more filter examples.

5a. Add the following filter as the last filter before <filter-mapping>

You will need to change the values to match your specific environment.

Filter

<filter>
     <filter-name>NtlmHttpFilter</filter-name>
     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

     <!-- domain controller used to authenticate HTTP clients -->
     <init-param>
          <param-name>jcifs.http.domainController</param-name>
          <param-value>PLACE DOMAIN CONTROLLER IP ADDRESS HERE</param-value>
     </init-param>

     <!--
          always needed for preauthentication / SMB signatures
     -->
     <init-param>
          <param-name>jcifs.smb.client.domain</param-name>
          <param-value>PLACE DOMAIN NAME HERE (e.g., mydomain.local)</param-value>
     </init-param>
     <init-param>
          <param-name>jcifs.smb.client.username</param-name>
          <param-value>PLACE DOMAIN ACCOUNT HERE (do not prefix with "<domain>\")</param-value>
     </init-param>
     <!--
          this password is stored in clear text in web.xml: use a dedicated
          low-privilege account and restrict read access to the file
     -->
     <init-param>
          <param-name>jcifs.smb.client.password</param-name>
          <param-value>PLACE DOMAIN PASSWORD HERE</param-value>
     </init-param>
</filter>

5b. Add the following filter-mapping just before the "login" filter-mapping

Filter-Mapping

<filter-mapping>
     <filter-name>NtlmHttpFilter</filter-name>
     <url-pattern>/*</url-pattern>
</filter-mapping>

6. Update Confluence to use Custom Authenticator

By default, Confluence will not understand the pre-authenticated requests that come through via a Single Sign-On solution (such as Jespa or an IIS proxy). In order to allow this authentication information to pass through, you must modify the authenticator module used by Confluence.

  1. Download the latest SharePoint Connector custom authenticator appropriate for your version of Confluence (see the table below):

    Confluence 4.3.x and earlier | Confluence 5.0.x to 5.4.x | Confluence 5.5 and later
    customauth-0.6.jar           | customauth-1.0.jar        | customauth-1.1.jar
  2. Copy the downloaded 'customauth-x.x.jar' to your %confluence_install%\confluence\WEB-INF\lib directory.
  3. Edit the %confluence_install%\WEB-INF\classes\seraph-config.xml file.
  4. Locate the Authenticator element and replace it with the following (you may wish to back up the file in case you wish to revert to the original configuration):

    <authenticator class="com.pixelpark.seraph.SSOAuthenticator" />
  5. Save your changes and close the file.
  6. Restart Confluence and ensure that the server initializes successfully.
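
A defensive check for the legacy setup configured in step 5, as an added example that is not part of the original page or of the Atlassian or JCIFS code: it parses a web.xml and reports any filter using jcifs.http.NtlmHttpFilter, whether that filter embeds jcifs.smb.client.password, and which URL patterns it is mapped to. The function name audit_web_xml, the finding codes and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

LEGACY_FILTER = "jcifs.http.NtlmHttpFilter"   # deprecated class named on this page
SECRET_PARAM = "jcifs.smb.client.password"    # init-param holding the domain password

def _local(tag):
    """Drop any XML namespace prefix; web.xml may declare the Java EE schema."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_web_xml(xml_text):
    """Return (code, detail) findings; commented-out filters are not parsed."""
    root = ET.fromstring(xml_text)
    findings, legacy_names = [], set()
    for f in root.iter():
        if _local(f.tag) != "filter" or _child_text(f, "filter-class") != LEGACY_FILTER:
            continue
        name = _child_text(f, "filter-name")
        legacy_names.add(name)
        findings.append(("deprecated-filter", name))
        for p in f:
            if _local(p.tag) == "init-param" and _child_text(p, "param-name") == SECRET_PARAM:
                # Report presence only; never echo the secret itself.
                findings.append(("cleartext-password", name))
    for m in root.iter():
        if _local(m.tag) == "filter-mapping" and _child_text(m, "filter-name") in legacy_names:
            findings.append(("mapped", _child_text(m, "url-pattern")))
    return findings

# Constructed sample mirroring the filter on this page; all values are placeholders.
SAMPLE = """<web-app>
  <filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param><param-name>jcifs.smb.client.password</param-name><param-value>EXAMPLE-ONLY</param-value></init-param>
  </filter>
  <filter><filter-name>login</filter-name><filter-class>example.LoginFilter</filter-class></filter>
  <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE))
```

An empty result means no active JCIFS HTTP filter is declared in that web.xml; a filter that has only been commented out is not reported.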

Last modified on May 27, 2016
