Page tree
Skip to end of metadata
Go to start of metadata

Redirection Notice

This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to Confluence using Integrated Windows Authentication via IIS.

This section of the guide describes the steps necessary to set up an IIS website that will perform authentication using NTLM or Kerberos, and then forward the authenticated requests to the Confluence instance. You will do this by installing a custom ISAPI filter in IIS that understands how to use the AJP protocol (Apache JServ Protocol) to communicate with Confluence.

On this page:

Installation

Step 1. Install and Configure the AJP Connector

  1. Download the latest Tomcat Connector ISAPI Filter binaries from the download page on apache.org, ensuring that you select the version that is appropriate for your operating system and CPU architecture. At the time this installation guide was written, the latest version was jk-1.2.31. Use the table below to help identify the correct download version for your server.

Operating System

Download Link

Windows Server 2008 x86 (32-bit)

win32

Windows Server 2008 x64 (64-bit)

win64-amd64

  1. Download the tomcat_iis_connector.zip file attached to this page. It contains the configuration files necessary for the ISAPI filter to run and communicate with your Confluence server.
  2. Extract the downloaded zip file and place the contents in a folder alongside the downloaded binary file in a convenient location on your server. The default location is C:\tomcat_iis_connector.
  3. Rename the downloaded binary file to isapi_redirect.dll (that is, remove the version number from the file name).
  4. If you extracted the AJP Connector to a directory other than the default (C:\tomcat_iis_connector), then edit the isapi_redirect.properties file and ensure that the log_file, worker_file, worker_mount_file and rewrite_rule_file properties point to the correct locations.
  5. If your Confluence server is not running on the same server as IIS (for example, if Confluence is running on a non-Windows server), then edit the worker.properties.minimal file in the conf directory so that the worker.worker1.host property points to the IP address or host name of your Confluence server.
  6. If you wish to change the default port for Confluence's AJP Connector, then edit the worker.properties.minimal file in the conf directory and change the worker.worker1.port property to specify the required port number. The default port used in this guide for Confluence's AJP Connector is 8009.

Step 2. Add ISAPI Filter

  1. Open the Internet Information Services (IIS) Manager.
  2. In the 'Connections' panel, ensure that the IIS Web Site that will be used to proxy Confluence requests is selected.
  3. Double-click the 'ISAPI Filters' icon in 'Features View'.
  4. In the 'Actions' panel on the right, select 'Add'.
  5. Set the 'Filter name' to 'tomcat' and set the 'Executable' to the isapi_redirect.dll that you downloaded in step 1.
  6. Click 'OK'.
  7. The new filter should now be listed in the ISAPI Filters list for the website.

Step 3. Add Virtual Directory

Now you will add a virtual directory in the IIS website to host the ISAPI Filter.

  1. In the 'Connections' panel, ensure that the correct IIS Web Site is selected.
  2. Right-click the IIS Web Site and select 'Add Virtual Directory'.
  3. Set the 'Alias' to 'jakarta'.
  4. Set the 'Physical Path' to the directory where you extracted the ISAPI Filter in step 1 (such as, C:\tomcat_iis_connector).
  5. Click 'OK'.
  6. Verify that a 'jakarta' virtual directory is now present under the selected website.
  7. Next, select the 'jakarta' virtual directory in the 'Connections' panel.
  8. Double-click the 'Handler Mappings' icon in 'Features View'.
  9. Click the 'Edit Feature Permissions' link in the 'Actions' panel.
  10. Ensure that the 'Execute' option is selected.
  11. Click 'OK'.

Step 4. Enable Integrated Windows Authentication

This step involves modifying the security of the IIS Web Site to use NTLM or Kerberos authentication.

  1. Select the IIS Web Site modified in step 3 and double-click the 'Authentication' icon in 'Features View'.
  2. Use the 'Disable' and 'Enable' items in the 'Actions' panel to ensure that 'Windows Authentication' is the only authentication method listed in the table as 'Enabled'.

Step 5. Register the ISAPI Extension

Now you will register the isapi_redirect.dll as an authorized ISAPI Extension.

  1. In the 'Connections' panel, ensure that the local IIS Server is selected.
  2. Double-click the 'ISAPI and CGI Restrictions' icon in 'Features View'.
  3. Click 'Add' in the 'Actions' panel.
  4. Set the 'ISAPI or CGI path' to the isapi_redirect.dll you downloaded in step 1.
  5. Set the 'Description' to 'tomcat'.
  6. Ensure that the 'Allow extension path to execute' is selected.
  7. Click 'OK'.
  8. Verify that the new ISAPI restriction is listed in the table with a restriction of 'Allowed'.

Step 6. Allow Double Escaping

By default, IIS 7 prohibits any URL that contains a '+' character in the URL from being served. This is referred to as 'double escaping'. In Confluence, any page with a space in the title will be served from a URL with spaces replaced by the '+' sign (such as, 'http://confluence/display/spacekey/This+Page+Has+Spaces+In+The+Title'). You will need to disable this security feature in IIS 7 in order for the ISAPI filter to correctly process any Confluence page URLs.

  1. In the 'Connections' panel, ensure that the IIS Web Site that will be used to proxy Confluence requests is selected.
  2. Double-click the 'Request Filtering' icon in 'Features View' (If the Request Filtering icon is not displayed, you may need to download the IIS Administration Pack first).
  3. Click the 'Edit Feature Settings' link in the 'Actions' panel.
  4. Ensure that the 'Allow double escaping' option is selected.
  5. Modify "Maximum allowed content length (bytes)" to the maximum size of attachments you want that your installation allows. ie 104857600 for 100MB.
  6. Click 'OK'.
RELATED TOPICS

  • No labels

19 Comments

  1. Has anybody been able to get more than one instance working on the same server?  The latest tomcat iis connector won't work unless the virtual directory is named jakarta and the uri in the isapi_redirect.properties file shows exactly like this...."extension_uri=/jakarta/isapi_redirect.dll".  The problem is if you rename this to something other than jakarta it doesn't work.  An old version of the tomcat iis connector worked with different names, but caused issues with google gears, so drag and drop didn't work.

    1. Hi Linden,

      I haven't tried running more than one Tomcat instance on the same server with this configuration.  I wonder if you could work around this problem by setting up multiple IIS Web Sites and configuring them to use the same Tomcat connector? 

      Alternatively, could you set up multiple workers within the one connector context and point them to different servlet contexts? (see http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html#Adding additional Contexts)

      1. Anonymous

        Hi Joseph

        Thanks for your response.  Late reply, but I finally got this working.

        • I only created one tomcat connector as per your suggestion
        • I created a worker for each confluence instance
        • I assigned a worker to each context and port
        • In IIS I created a separate virtual directory for each instance and pointed the physical path to the one tomcat folder
        • Also added a filter and extension using the one tomcat connector, that works for all instances.

        Cheers
        Linden

        1. Glad you got it working, Linden. :-)

  2. The URLs to the binaries do not work.  The binaries are now located at:

    http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/windows/

    1. Thanks for the tip! I've updated the download location.

  3. Following this guide didn't get me quite there.  I found this one instead, and it filled in some blanks:

    https://confluence.atlassian.com/display/CONFKB/How+To+Setup+Confluence+with+IIS

     

    1. I'm glad you got it working! If you have a moment to specify exactly what was absent from this guide (but which was present in the other guide), please let me know and I'll add it in to this one.

      Joe.

  4. Anonymous

    I found this approach to be much easier. It uses IIS 7's Application Request Routing rather than the Apache Tomcat Connecter. I was able to get everything up and running in a few minutes.

    http://willhughes.me/20100112/jira-fisheye-and-iis7-using-application-request-routing/ 

    1. That's a great tip! Thanks for sharing.

    2. This seems to work pretty slick, thanks!  It even seems to be working with the Universal Plugin Manager, which I couldn't get to work properly with the standard Atlassian approach to this issue.

      One issue I did run into and easily resolve, however - Confluence will have a lot of URLs with "+" (plus) signs in the URL.  IIS7 URL Rewrite will choke on these and return a 404 error rather than rewriting to confluence.  Just Google "IIS7 URL Rewrite Plus Sign" and you'll see it is a well-known, and easily fixable, issue.

      Example: http://www.ifinity.com.au/Blog/EntryId/60/404-Error-in-IIS-7-when-using-a-Url-with-a-plus-sign-in-the-path

      The solution is to add this to Web.config:

      Web.Config
      <system.webServer>
        <security>
          <requestFiltering allowDoubleEscaping="true" />
        </security>
      </system.webServer>
      1. Hey Adam, if you don't mind, could you share some more detail on what didn't work with the universal plugin manager? I've never heard of that being a problem with the IIS integration before, so I'd be happy to investigate if it's a bug or a configuration error in our documentation.

        Feel free to email me if you don't want to share publicly (jclark at atlassian dot come).

        Thanks!

    3. Anonymous

      I tried this solution. It worked, except when url contains utf8 encoded characters.

      for example:

      http://somehost/appl/query?p=élo

      and I could not find a solution to this problem, so I returned to isapi.

      1. Anonymous

        I've also since found an issue with the IIS7 App Request Routing method.  The Evernote integration won't work for initially authenticating using OAuth. I had to switch over to using the tomcat port temporarily to get authenticated, then I switched back and was still able to see my Evernote notes.

    4. Anonymous

      "I found this approach to be much easier. It uses IIS 7's Application Request Routing rather than the Apache Tomcat Connecter. I was able to get everything up and running in a few minutes.

      http://willhughes.me/20100112/jira-fisheye-and-iis7-using-application-request-routing/ "

       

      I tried this solution. It worked, except when url contains utf8 encoded characters.

      for example:

      http://somehost/appl/query?p=élo

      and I could not find a solution to this problem, so I returned to isapi.

  5. Customer's Feedback on the documentation: 

    "There is a mistake with one of the screenshots.
    In steps 3 through 6, it shows how to add the ISAPI filter for the website that will be used to proxy confluence. However, on step 7, it shows a screenshot of the ISAPI filters for the actual server…"

  6. Anonymous

    Ok I followed this tutorial step by step and my tomcat is working like a charm, but now I can't access my iis applications. I keep getting error 502. How can I solve this?

  7. I am installing Confluence 5.9.4 and Sharepoint Connector 1.9.2 on a Windows-based server and  I wish to use Windows Authentication so users will not have to login. In previous versions of the Sharepoint Connector, it makes use of the customauth-0.4.jar and custom authenticator,com.pixelpark.seraph.SSOAuthenticator.

    My question is "Is the customauth-x.x.jar and custom authenticator no longer needed with the newer versions of Sharepoint Connector?"

    1. Hi Dirk Stubbs. Yes, the customauth jar installation is still required on the Confluence side.  The configuration instructions for that are over here: Access Confluence using Integrated Windows Authentication via IIS with SP 2010