This documentation relates to an earlier version of the SharePoint Connector.
View

Unknown macro: {spacejump}

or visit the current documentation home.

This page is an addendum to the installation guide for the Confluence SharePoint Connector. It has notes on configuring access to Confluence using Integrated Windows Authentication via JCIFS.

JCIFS is not supported. Please use Jespa instead.

This configuration is not supported. We are supplying the instructions because some people are using this configuration, but please note that the JCIFS documentation itself deprecates the configuration. We recommend the use of Jespa instead. See our guide to configuring Confluence to use Jespa for NTLM authentication.

On this page:

Overview

In this configuration both SharePoint and client browsers are authenticated against Confluence using Windows authentication provided by JCIFS, a third-party implementation written in Java.

If you have not already seen our guide to planning your environment, you can refer to it for information that will help you select the best configuration for your environment.

About JCIFS

JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java. CIFS is the standard file-sharing protocol on the Microsoft Windows platform.  The JCIFS library also includes a Servlet Filter that allows support for NTLM authentication over HTTP. For more information, visit the JCIFS website.

Authentication Methods

JCIFS supports the following Windows authentication methods:

  • LM
  • NTLMv1
  • NTLM2 Session Security (Maybe?)
  • LMv2

Feature Deprecation

This text is taken from the JCIFS website:

IMPORTANT: All HTTP related code and corresponding documentation in JCIFS is not supported, no longer maintained and will be removed because it is broken and obsolete (and because HTTP has nothing to do with CIFS). This page remains only for informational purposes and for legacy users.

The HTTP "filter" in particular uses a "man in the middle" technique that cannot support NTLMv2. Since late 2008, users have started to report that client security policy is requiring NTLMv2 and that this solution no longer works.

For this reason and others described in this post , this feature will be removed from the JCIFS package.Currently we recommend using Jespa which properly implements NLTMv2 server side authentication and includes an advanced NTLMv2 HTTP SSO Servlet Filter.

Installation Notes

We have tested JCIFS 1.3.14.

1. Download latest jar from http://jcifs.samba.org/src/ and place in Confluence (\confluence\WEB-INF\lib) 
2. Add the attached file named "customauth-0.4.jar" to Confluence (\confluence\WEB-INF\lib)

The customauth-0.4.jar is heavily based on the code for the "Apache custom Seraph authenticator for Confluence"

The configuration for the customauth-0.4.jar is also based on the information related to the "NTLM Authenticator for Confluence" (particularly the reference to LDAP User Management).

3. Configure Confluence with LDAP User Management

See the attached "atlassian-user.xml" for an example integration with Active Directory.

Customising atlassian-user.xml  also contains excellent information to help understand how to edit this file.

4. Test access to Confluence using current "Login" page with both Active Directory accounts and non-Active Directory accounts

You will need to configure the Active Directory accounts to have appropriate permissions in Confluence (i.e.: adding to the confluence-users group)

5. Update \confluence\web-inf\web.xml to contain additional filter settings to support JCIFS

See JCIFS NTLM HTTP Authentication for more filter examples.

5a. Add the following filter as the last filter before <filter-mapping>

You will need to change the values to match your specific environment.

Filter
<filter>
     <filter-name>NtlmHttpFilter</filter-name>
     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

     <init-param>
	<param-name>jcifs.http.domainController</param-name>
	<param-value>PLACE DOMAIN CONTROLLER IP ADDRESS HERE</param-value>
     </init-param>

     <!--
	always needed for preauthentication / SMB signatures
     -->
     <init-param>
	<param-name>jcifs.smb.client.domain</param-name>
	<param-value>PLACE DOMAIN NAME HERE (e.g., mydomain.local)</param-value>
     </init-param>
     <init-param>
	<param-name>jcifs.smb.client.username</param-name>
	<param-value>PLACE DOMAIN ACCOUNT HERE (do not prefix with "<domain>\")</param-value>
     </init-param>
     <init-param>
	<param-name>jcifs.smb.client.password</param-name>
	<param-value>PLACE DOMAIN PASSWORD HERE</param-value>
     </init-param>
</filter>
5b. Add the following filter-mapping just before the "login" filter-mapping
Filter-Mapping
<filter-mapping>
     <filter-name>NtlmHttpFilter</filter-name>
     <url-pattern>/*</url-pattern>
</filter-mapping>
6. Set the <authenticator> in the "\confluence\WEB-INF\classes\seraph-config.xml" file to the following
    <authenticator class="com.pixelpark.seraph.SSOAuthenticator"/>
RELATED TOPICS
  • No labels