Search the SharePoint Connector 1.1.x documentation:
This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to SharePoint using Integrated Windows Authentication (NTLM only).
In this configuration, both Confluence and client browsers authenticate against SharePoint using Integrated Windows Authentication.
If you have not already seen our guide to planning your environment, you can refer to it for information that will help you select the best configuration for your environment.
When configuring authentication for a top-level SharePoint site, the SharePoint Central Administration application allows administrators to select Integrated Windows Authentication using NTLM or Kerberos (or both).
Due to the limited number of authentication methods supported by the Apache Commons HTTP Client (see the section on additional layers of security below), in order for a site collection to be accessible from Confluence, the NTLM authentication option must be selected.
Atlassian recommends that you apply additional layers of security (such as HTTP Secure) if you use this configuration.
Because Confluence is written in Java, it has a dependency on the open source Apache Commons HTTP Client, which is used to decode NTLM challenge messages from the server and issue encoded NTLM responses. The Apache Commons HTTP Client only supports the LAN Manager (LM) Windows Authentication protocol.
LM authentication is regarded as a weak authentication mechanism and there are widely accessible tools for deciphering passwords encrypted with LM. Atlassian recommends that you apply additional layers of security (such as HTTP Secure) if you use this configuration.
If your Windows user accounts are stored in Active Directory, then the configuration steps listed here must be applied to all Domain Controllers. If your user accounts are local accounts on the SharePoint Server, then the configuration steps must be applied to your SharePoint server.
In order for any user account to be successfully used by Confluence for Integrated Windows Authentication, the account's password must be 14 characters or less in length. This is due to a limitation in the underlying LAN Manager (LM) authentication protocol that Confluence must use.
Using a password that is too long will have the following results:
- 'HTTP 401.1 Unauthorised: Access is denied due to invalid credentials'.
- 'Wrong username or password'.

The LAN Manager Authentication Level controls what network authentication methods are supported by Windows clients and servers. The authentication level is controlled via a registry entry (called LMCompatibilityLevel) or a group policy setting (called Network Security: LAN Manager Authentication Level).
In order for Confluence to successfully authenticate against the SharePoint server, the LAN Manager Authentication Level must be set to one of the following values:
| Registry Key Value | Group Policy Value |
|---|---|
| 0 | Send LM & NTLM responses |
| 1 | Send LM & NTLM - use NTLMv2 session security if negotiated |
| 2 | Send NTLM response only |
| 3 | Send NTLMv2 response only |
For more information on how to alter this setting and greater detail on what the value of each setting entails, please consult this Microsoft TechNet article.
Note that this registry value does not need to be modified on the Confluence server. Confluence uses a Java HTTP client that is unaware of the Windows configuration.
Using an unsupported LAN Manager Authentication Level will have the following results:
- 'HTTP 401.1 Unauthorised: Access is denied due to invalid credentials'.
- 'Wrong username or password'.

The Minimum Session Security for Servers controls what optional parts of the selected authentication protocol must be present in the client authentication request in order for the authentication to succeed. The minimum session security is controlled via a registry entry (called NtlmMinServerSec) or a group policy setting (called Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers).

Only applies to SharePoint server

Even if you are authenticating with a domain account, this setting must be configured correctly on the SharePoint Server, not the Domain Controllers.
In order for Confluence to successfully authenticate against the SharePoint server, the Minimum Session Security must be set to one of the following values:
| Registry Key Value | Group Policy Value |
|---|---|
| 0x0 | Not Defined |
| 0x10 | Require Message Integrity |
| 0x20 | Require Message Confidentiality |
| 0x30 | Require Message Integrity + Require Message Confidentiality |
| 0x20000000 | Require 128-bit Encryption |
| 0x20000010 | Require Message Integrity + Require 128-bit Encryption |
| 0x20000020 | Require Message Confidentiality + Require 128-bit Encryption |
| 0x20000030 | Require Message Integrity + Require Message Confidentiality + Require 128-bit Encryption |

In other words, the only setting that the SharePoint Connector is incompatible with is Require NTLMv2 Session Security (or any combination of values involving the NTLMv2 Session Security setting).
For more information on how to alter this setting and greater detail on what the value of each setting entails, please consult this Microsoft TechNet article.
Note that the corresponding NtlmMinClientSec value does not need to be modified on the Confluence server. Confluence uses a Java HTTP client that is unaware of the Windows configuration.
Using an unsupported Minimum Session Security value will have the following results:
- 'HTTP 500 Internal Server Error'.

Windows servers have a security setting that controls whether or not the LAN Manager hash of a user's password is stored in the security database. The LAN Manager hash is required for the Windows server to successfully decode (and therefore, authenticate) client requests using the LM authentication protocol.
This setting is controlled via a registry entry (called NoLMHash) or a group policy setting (called Network security: Do not store LAN Manager hash value on next password change).
Password change may be required
If Windows was previously configured not to store the LAN Manager hash, and you change this setting, the LAN Manager hash will not be re-computed and stored until the user's password is changed.
In order for Confluence to successfully authenticate against the SharePoint server, the 'do not store LAN Manager hash' value must be set as follows:
| Registry Key Value | Group Policy Value |
|---|---|
| 0 | Disabled |
For more information on how to alter this setting, please consult this Microsoft support article.
Using an unsupported value for the 'do not store LAN Manager hash' setting will have the following results:
- 'HTTP 401.1 Unauthorised: Access is denied due to invalid credentials'.

We strongly recommend that you restart your SharePoint server after applying any of these configuration settings in order to ensure that they take effect.
Additionally, changes to your group policy may take a short while to propagate through your domain. Please keep this in mind when testing your configuration.
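The three registry settings described above can be checked in one read-only pass on the SharePoint server (and, for the two settings that apply there, on each Domain Controller). The script below is an added example, not part of the original documentation: the registry paths under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa` and the `0x00080000` flag for NTLMv2 session security are standard Windows values that this page does not list, and `Get-RegValue` and `Test-Setting` are hypothetical helper names.

```powershell
# Added example: read-only audit of the three settings described on this page.
# Registry paths and the NTLMv2 flag are standard Windows values (assumed, not from the page).
$Lsa           = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10         = "$Lsa\MSV1_0"
$NtlmV2Session = 0x00080000   # "Require NTLMv2 session security" bit

function Get-RegValue {       # hypothetical helper
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, i.e. the OS built-in default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-Setting {       # hypothetical helper
    param([string]$Name, [string]$Scope, $Value, [scriptblock]$IsCompatible)
    $state = if ($null -eq $Value) {
        'not set (OS default applies)'
    } elseif (& $IsCompatible $Value) {
        'compatible'
    } else {
        'incompatible'
    }
    [pscustomobject]@{
        Setting   = $Name
        AppliesTo = $Scope
        Value     = if ($null -ne $Value) { '0x{0:X}' -f $Value }
        Connector = $state
    }
}

$lmLevel = Get-RegValue $Lsa   'LmCompatibilityLevel'
$minSec  = Get-RegValue $Msv10 'NtlmMinServerSec'
$noLm    = Get-RegValue $Lsa   'NoLMHash'

$report = @(
    # Levels 0-3 are the values the page lists as supported.
    Test-Setting 'LmCompatibilityLevel' 'DCs or SharePoint server' $lmLevel { param($v) $v -in 0..3 }
    # Any combination is accepted unless the NTLMv2 session security bit is set.
    Test-Setting 'NtlmMinServerSec' 'SharePoint server only' $minSec { param($v) ($v -band $NtlmV2Session) -eq 0 }
    # 0 = LM hash is stored; it only appears after the next password change.
    Test-Setting 'NoLMHash' 'DCs or SharePoint server' $noLm { param($v) $v -eq 0 }
)
$report | Format-Table -AutoSize
```

A `compatible` result for `LmCompatibilityLevel` or `NoLMHash` also means LM authentication is accepted on that host, which is the condition for which this page recommends additional layers of security such as HTTP Secure.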
To continue with the installation of the SharePoint Connector, please install and configure the Confluence plugins.