This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to SharePoint using Integrated Windows Authentication (NTLM only). These instructions apply to SharePoint 2007.
In this configuration, both Confluence and client browsers authenticate against SharePoint using Integrated Windows Authentication (NTLM only).
If you have not already seen our guide to planning your environment, you can refer to it for information that will help you select the best configuration for your environment.
When configuring authentication for a top-level SharePoint site, the SharePoint Central Administration application allows administrators to select Integrated Windows Authentication using NTLM or Kerberos (or both).
Due to the limited number of authentication methods supported by the SharePoint Connector's Java components (see the section on additional layers of security below), in order for a site collection to be accessible from Confluence, the NTLM authentication option must be selected.
If you are concerned about the possibility of password hashes sent from Confluence to SharePoint being captured and decoded by a third party, Atlassian recommends that you apply additional layers of security (such as HTTP Secure) if you use this configuration.
Because Confluence is written in Java, it has a dependency on the Sun Java Virtual Machine's (JVM's) internal NTLM implementation to decode NTLM challenge messages from the server and issue encoded NTLM responses. Our testing of the SharePoint Connector with recent versions of the Sun JVM (1.6.*) indicates that the JVM is only able to reliably work with the NTLM and LAN Manager (LM) Windows Authentication protocols. Newer (and more secure) protocols such as NTLMv2 and Kerberos are not supported in this configuration.
LM authentication and, to a lesser extent, NTLM are regarded as weak authentication mechanisms, and there are widely accessible tools for deciphering passwords encrypted with LM and NTLM. Atlassian recommends that you apply additional layers of security (such as HTTP Secure) if you use this configuration.
If your Windows user accounts are stored in Active Directory, then the configuration steps listed here must be applied to all Domain Controllers. If your user accounts are local accounts on the SharePoint Server, then the configuration steps must be applied to your SharePoint server.
The LAN Manager Authentication Level controls what network authentication methods are supported by Windows clients and servers. The authentication level is controlled via a registry entry (called LMCompatibilityLevel) or a group policy setting (called Network Security: LAN Manager Authentication Level).
In order for Confluence to successfully authenticate against the SharePoint server, the LAN Manager Authentication Level must be set to one of the following values:
Registry Key Value | Group Policy Value |
---|---|
0 | Send LM & NTLM responses |
1 | Send LM & NTLM - use NTLMv2 session security if negotiated |
2 | Send NTLM response only |
3 | Send NTLMv2 response only |
4 | Send NTLMv2 response only. Refuse LM |
For more information on how to alter this setting and greater detail on what the value of each setting entails, please consult this Microsoft TechNet article.
Note that this registry value does not need to be modified on the Confluence server. Confluence uses a Java HTTP client that is unaware of the Windows configuration.
Using an unsupported LAN Manager Authentication Level will have the following results:
'HTTP 401.1 Unauthorised: Access is denied due to invalid credentials'
'org.apache.cxf.Interceptor.Fault: Could not send Message'
We strongly recommend that you restart your SharePoint server after applying any of these configuration settings in order to ensure that they take effect.
Additionally, changes to your group policy may take a short while to propagate through your domain. Please keep this in mind when testing your configuration.
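To confirm the value actually in effect on each Domain Controller (or on the SharePoint server, for local accounts) once the policy has propagated, a check like the following can be used. It is an added example, not part of Atlassian's documentation; it assumes the standard Windows location of the value (`HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`) and PowerShell remoting for remote hosts, and the `-ComputerName` parameter and output field names are choices made for this example.

```powershell
param(
    # Hosts to check: every Domain Controller, or the SharePoint server for local accounts.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Registry value -> group policy label, copied from the table on this page.
$policyName = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
}

# Runs on the target host; returns nothing when the value was never set explicitly.
$readLevel = {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.PSObject.Properties.Name -contains 'LmCompatibilityLevel') {
        [int]$lsa.LmCompatibilityLevel
    }
}

foreach ($computer in $ComputerName) {
    $status = 'Supported'; $policy = $null; $level = $null
    try {
        if ($computer -eq $env:COMPUTERNAME) {
            $raw = & $readLevel
        } else {
            # Requires PowerShell remoting to be enabled on the remote host.
            $raw = Invoke-Command -ComputerName $computer -ScriptBlock $readLevel -ErrorAction Stop
        }
        if ($null -eq $raw) {
            $status = 'NotSet'            # OS default applies; confirm the effective policy
        } else {
            $level = [int]$raw            # unwrap the deserialized value before the lookup
            if ($policyName.ContainsKey($level)) { $policy = $policyName[$level] }
            else { $status = 'Unsupported' }   # not in the table: expect the errors quoted above
        }
    } catch {
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Computer  = $computer
        Level     = $level
        Policy    = $policy
        Status    = $status
        RefusesLM = ($null -ne $level -and $level -ge 4)   # of the listed levels, only 4 refuses LM
    }
}
```

Any host reported as `Unsupported` or `NotSet` should be reviewed before testing the connector, and a `RefusesLM` value of `False` marks hosts that still accept the weaker LM protocol.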
To continue with the installation of the SharePoint Connector, please install and configure the Confluence plugins.