Access SharePoint using Basic Authentication and SSL (via Alternative Access URL) with SP 2010 (v 1.9)

This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to SharePoint using basic authentication and SSL via an alternative access URL in SharePoint. These instructions apply to the connector for SharePoint 2010.


In this configuration, client browsers authenticate against SharePoint using Integrated Windows Authentication (NTLM or Kerberos). Confluence, however, authenticates against SharePoint on a separate port that is configured to use basic authentication over Secure Sockets Layer (SSL). This is accomplished using SharePoint's capability to extend a site collection over multiple web applications. Using alternative access mappings in SharePoint, all hyperlinks in the SharePoint content direct users back to the primary SharePoint site.

This configuration method offers a greater level of security than the method that accesses SharePoint using Integrated Windows Authentication (NTLM Only). The configuration procedure is, however, more complex. You should review the security measures of your internal network before deciding which method is most appropriate for your environment.

Use this Configuration when...
  • Confluence is not running on a Windows server.
  • Your corporate security policy prohibits the use of NTLM(v1) authentication, which is necessary for the NTLM configuration.
  • Your SharePoint site(s) is/are not configured to use Secure HTTP (HTTPS) and you are concerned about the possibility of packet sniffing or eavesdropping.

If you have not already seen our guide to planning your environment, you can refer to it for information that will help you select the best configuration for your environment.


Server Certificate

Enabling SSL requires the installation of a certificate on the SharePoint server. Depending on the way in which you source the certificate, this could involve either an additional financial cost or a number of additional configuration steps.

Installation Instructions

Configuring SharePoint

Use IE7+ when Configuring SharePoint

We recommend that you use Internet Explorer 7 or later to perform the configuration steps described on this page. You may experience unusual behavior if you use Firefox or other browsers on some SharePoint administrative pages.

Configure all SharePoint Top-Level Sites used by Confluence

You will need to perform these configuration steps for each SharePoint top-level site that is exposed to Confluence.

Step 1: Extend the SharePoint Site to Another IIS Web Site

  1. Log in to SharePoint Central Administration and select the 'Application Management' portal.
  2. In the 'Web Applications' section, select 'Manage web applications'.
  3. Select the required SharePoint site and click 'Extend'.
    Screenshot: Selecting 'Extend' for a SharePoint site

  4. The 'Extend Web Application to Another IIS Web Site' screen appears. Select 'Create a new IIS web site'.
  5. Fill out the details of the new site:
    • Add a meaningful name that describes the purpose of the site.
    • Ensure that the IIS web site is assigned a unique port that is not currently in use on your SharePoint server.
    • Ensure that 'Allow Anonymous' is set to 'No'.
    • Ensure that 'Use Secure Sockets Layer (SSL)' is set to 'Yes'.
    • Make a note of the 'Zone' that is set for the 'Load Balanced URL'. You will need to know this zone in step 2 below.
  6. Click 'OK'.

Screenshot: Extending the SharePoint site to another IIS web site

Step 2: Configure the IIS Authentication Providers

  1. Go back to SharePoint's 'Manage web applications' section.
  2. Select the required SharePoint site and click 'Authentication Providers'.
    Screenshot: Selecting 'Authentication Providers' for a SharePoint site

  3. The 'Authentication Providers' screen appears. Click the name of the Zone (such as 'Intranet' or 'Internet') that you used to extend the SharePoint site in step 1 above.
  4. The 'Edit Authentication' screen appears. Ensure that 'Integrated Windows authentication' is not selected and 'Basic authentication (password is sent in clear text)' is selected.
  5. Click 'Save'.

SSL will secure the password information

Because this endpoint will be using Secure Sockets Layer (SSL), the password will not be sent in clear text even though basic authentication is used.

Screenshot: Editing the IIS authentication settings

Step 3: Configure the Alternate Access Mappings

In this step you will remove the default public URL that SharePoint created during the previous step and replace it with an internal URL mapping.

  1. Go back to SharePoint Central Administration and select the 'System Settings' portal.
  2. In the 'Farm Management' section, select 'Configure alternate access mappings'.
  3. Click the link on the 'Internal URL' that represents the newly-created IIS web site defined in step 1 above.
    Screenshot: Finding the newly-created alternate access mapping to delete

  4. Click the 'Delete' link to remove this mapping.
    Screenshot: Deleting the alternate access mapping

  5. Click 'Add Internal URLs'.
  6. Select the 'Alternate Access Mapping Collection' that represents the root SharePoint site that you are extending.
  7. Set the 'URL protocol, host and port' to the URL that directs to the newly-created IIS web site defined in step 1 above.
  8. Click 'Save'.

    Screenshot: Adding the alternate access mapping

Step 4: Import the SSL Certificate into IIS

In this step you will ensure that your IIS web site is configured for SSL and import an SSL certificate into the IIS web site.

Step 4.1: Make Sure the IIS Web Site is Configured for SSL

  1. Log in to your SharePoint server with a Windows account that has permission to administer IIS.
  2. Run the 'Internet Information Services (IIS) Manager'.
  3. In the 'Connections' panel on the left, expand the 'Sites' folder and click on the IIS web site that you created in step 1 above. You can identify this web site by looking at the 'Description' field.
  4. Double-click the 'SSL Settings' icon in 'Features View'.
  5. Ensure that the 'Require SSL' option is selected.
  6. Click 'Apply' in the 'Actions' panel on the right.

Step 4.2: Obtain or Create a Certificate

SharePoint already accepting SSL?

If your SharePoint Server already accepts SSL traffic, then you already have a certificate installed on your SharePoint server. If this is the case, please skip ahead to step 4.3 below.

You need an X.509 certificate that you can import into IIS. IIS will use the certificate to encrypt the SSL channel and prove the server's identity to clients. The two ways of obtaining a certificate are listed below.

Atlassian does not endorse or represent any of the example certificate issuers listed below.

Atlassian cannot accept responsibility for the veracity of any digital certificate issued by a third party. You should ensure that any certificate you use is from a provider that you trust.

Obtain a certificate from a trusted certificate authority
  • Example provider: Thawte Consulting
  • Most major certificate authorities are automatically trusted by most modern operating systems, so no configuration is required on the client to trust your certificate.
  • The certificate authority may charge a fee for issuing the certificate and/or an annual renewal fee.

Generate your own certificate
  • Example provider: Java keytool
  • Client computers may require configuration to trust your certificate's authenticity.

Step 4.3: Import the Certificate into IIS

Once you have generated or obtained a certificate, you will usually receive:

  • The certificate stored in a file format such as pfx.
  • A password that encrypts the file.

Follow these instructions to import the certificate into IIS:

  1. Copy the certificate file to your SharePoint server.
  2. Log in to your SharePoint server with a Windows account that has permission to administer IIS.
  3. Run the 'Internet Information Services (IIS) Manager'.
  4. Select the local IIS Web Server in the 'Connections' panel on the left.
  5. Double-click the 'Server Certificates' icon in the 'Features View'.
  6. Click the 'Import' link in the Actions panel on the right.
  7. Set the Certificate file (.pfx) field to the path to your certificate file on your SharePoint server.
  8. Enter the 'Password' for the certificate.
  9. Click 'OK'.

Step 4.4: Configure SSL Binding

  1. In the 'Connections' panel on the left, expand the 'Sites' folder and click on the IIS web site that you created in step 1 above. You can identify this web site by looking at the 'Description' field.
  2. In the 'Actions' panel on the right, click 'Bindings'.
  3. Select the binding for your SharePoint site and click 'Edit'.
  4. In the 'SSL certificate:' field, select the SSL Certificate that you imported into IIS in Step 4.3.
  5. Click 'OK'.
  6. Click 'Close'.

Test your configuration

Make sure that you test your SSL configuration by accessing the SharePoint site in a web browser, before proceeding any further.

Step 5: Restrict the IIS Web Site to Confluence

As an additional layer of security, you should configure your SSL-secured web site to allow access from the Confluence server only.

Confluence must have a static IP address or DHCP lease reservation

You will only be able to perform this step if your Confluence server has a static IP address. If your Confluence server has a dynamic IP address, then speak to your network administrator about adding a static IP address or a DHCP lease reservation for the Confluence server.

  1. Note the IP address of your Confluence server.
  2. Log in to your SharePoint server with a Windows account that has permission to administer IIS.
  3. Run the 'Internet Information Services (IIS) Manager'.
  4. In the 'Connections' panel on the left, expand the 'Sites' folder and click on the IIS web site that you created in step 1 above. You can identify this web site by looking at the 'Description' field.
  5. Double-click on 'IP Address and Domain Restrictions' in the 'Features View'.
  6. Click 'Edit Feature Settings' in the 'Actions' panel on the right.
  7. In the 'Edit IP and Domain Restrictions Settings' popup, set the 'Access for unspecified clients:' to 'Deny'.
  8. Click 'OK'.
  9. Click 'Add Allow Entry' in the 'Actions' panel on the right.
  10. In the 'Specific IP address:' field, enter the IP Address of your Confluence server.
  11. Click 'OK'.

Screenshot: IP restriction on IIS web site
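
To check the result of steps 2 and 5 from the command line, the following shell script is an added example, not part of the connector or of this guide's original instructions. It classifies the response headers of the new IIS web site; the sample headers are constructed, the host name and port in the usage comment are placeholders, and it assumes IIS answers a denied client with 403 Forbidden.

```shell
#!/bin/sh
# classify_endpoint: read HTTP response headers on stdin and print one of
#   blocked                  403: the IP restriction refused this client
#   basic-only               401 offering Basic and no integrated scheme
#   integrated-auth-enabled  401 still offering NTLM or Negotiate
#   unexpected:<status>      anything else (200 would mean anonymous access)
classify_endpoint() {
    awk '
        NR == 1 { status = $2 }
        tolower($1) == "www-authenticate:" {
            scheme = tolower($2); sub(/\r$/, "", scheme)
            if (scheme == "basic") basic = 1
            if (scheme == "ntlm" || scheme == "negotiate") integrated = 1
        }
        END {
            if (status == "403") print "blocked"
            else if (status == "401" && integrated) print "integrated-auth-enabled"
            else if (status == "401" && basic) print "basic-only"
            else print "unexpected:" status
        }'
}

# verify_from ROLE: ROLE is "confluence" (the allowed IP) or "other".
# Succeeds only when the headers on stdin are what that host should see.
verify_from() {
    result=$(classify_endpoint)
    case "$1:$result" in
        confluence:basic-only | other:blocked) echo "PASS $result" ;;
        *) echo "FAIL $result"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
sample_basic() { printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="sp"\r\n\r\n'; }
sample_ntlm()  { printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n'; }
sample_deny()  { printf 'HTTP/1.1 403 Forbidden\r\n\r\n'; }

sample_basic | verify_from confluence
sample_deny  | verify_from other
sample_ntlm  | verify_from confluence || true

# Live use (placeholder host and port), run once on each kind of host:
#   curl -sS -o /dev/null -D - https://sharepoint.example.com:8443/ | verify_from confluence
```

Run the live check once from the Confluence server with the role 'confluence' and once from any other machine with the role 'other'; both should report PASS.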

Configuring Confluence

Step 1: Trust SharePoint's SSL Certificate

Skip all of step 1 if you obtained a certificate from a trusted CA

If you purchased a certificate from a trusted certificate authority, then your certificate is already trusted by the Confluence server and you can skip this step. Go to step 2 below. If you generated your own certificate or obtained one from a less well-known certificate authority, please follow the steps below.

To configure Confluence to trust the certificate on your SharePoint server, you must add the certificate's public key to the Java runtime's Certificate Authority keystore as described below.

Step 1.1: Create a .cer File

Skip step 1.1 if you already have a .cer file

The certificate's public key must be imported into the Java keystore as a certificate file in .cer file format. If you already have a .cer file you can skip this step and go to step 1.2 below. If you only have a .pfx file and need to create the .cer file, read on!

A simple way to create the required file is to import and export the certificate in and out of the Windows certificate store. This works because the export operation allows you to choose the export format.

The first step is to import the certificate into Windows:

  1. Using a Windows computer, open the Microsoft Management Console by clicking the 'Start' button, selecting 'Run' and then running the command 'mmc.exe'.
  2. In the Microsoft Management Console, select 'Add/Remove Snap-in...' from the 'File' menu.
  3. Click 'Add...'.
  4. Highlight the 'Certificates' snap-in from the list and click 'Add'.
  5. Ensure that 'My user account' is selected and then click 'Finish'.
  6. Click 'Close'.
  7. Click 'OK'.
  8. Expand the tree from 'Console Root' to 'Certificates - Current User' to 'Personal'.
  9. Right-click 'Personal' and select 'Import...' from the 'All Tasks' menu.
  10. When the 'Certificate Import Wizard' is displayed, click 'Next'.

    Screenshot: The certificate import wizard

  11. Click 'Browse...' and select the .pfx certificate file. (You may need to set the 'Files of type' filter to 'Personal Information Exchange (*.pfx, *.p12)'.)
  12. Click 'Next'.
  13. Enter the 'Password' for the certificate.
  14. Ensure that the 'Mark this key as exportable' option is selected.
  15. Click 'Next'.
  16. Click 'Next'.
  17. Click 'Finish'.

At this point, your certificate should appear in the 'Personal' folder of the 'Certificates' snap-in.

Screenshot: Personal certificates

Now you can export the certificate in the desired .cer format:

  1. Right-click the certificate and select 'Export...' from the 'All Tasks' menu.
  2. When the Certificate Export Wizard opens, click 'Next'.
  3. Ensure that the 'No, do not export the private key' option is selected.
  4. Click 'Next'.
  5. Ensure that the 'DER encoded binary X.509 (.CER)' option is selected.
  6. Click 'Next'.
  7. Enter a 'File name' for the exported certificate (such as 'C:\cert.cer').
  8. Click 'Next'.
  9. Click 'Finish'.

Step 1.2: Import the .cer File onto the Confluence Server

We have provided a batch script (see below) for Windows environments. If you are running Confluence on UNIX, please perform the import manually. The batch script uses the Java runtime's keytool command to import the certificate into the required location on the Confluence server. The script will add the certificate to the root Java Secure Sockets Extensions keystore, which is located in your Java Runtime Environment's (JRE's) lib\security directory with the name jssecacerts. This is the required location in order for the certificate to be trusted by Confluence.


This script assumes the following about your environment:

  • You are using a Confluence stand-alone installation running on the Sun JVM.
  • Your %JAVA_HOME% environment variable has been set correctly.
  • You have copied the .cer file created in step 1.1 above to the C: drive of your Confluence server.

Copy and execute this batch script (Windows) to add the certificate to the keystore:

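@echo off
REM Paths to keytool and to the JSSE keystore under the JRE used by Confluence.
set keytool="%JAVA_HOME%\bin\keytool.exe"
set keystore="%JAVA_HOME%\jre\lib\security\jssecacerts"
REM The .cer file from step 1.1; change this if you saved it under another name.
set certificatefile=C:\sharepoint.cer

REM Import the certificate under the alias 'sharepoint'; keytool asks you to confirm that you trust it.
%keytool% -import -alias sharepoint -keystore %keystore% -storepass changeit -file %certificatefile%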
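
For Confluence on UNIX, where this page asks you to perform the import manually, the following shell script is an added example and not a script supplied by Atlassian or the connector. It assumes JAVA_HOME points at the JVM that runs Confluence and that the store password is the default 'changeit'; the function names are this example's own, as is the step that seeds jssecacerts from cacerts so that the JRE's bundled certificate authorities stay trusted.

```shell
#!/bin/sh
# security_dir JAVA_HOME: print the JRE security directory. JDK 8 and earlier
# keep it under jre/lib/security; a bare JRE and Java 9+ use lib/security.
security_dir() {
    if [ -d "$1/jre/lib/security" ]; then
        printf '%s\n' "$1/jre/lib/security"
    elif [ -d "$1/lib/security" ]; then
        printf '%s\n' "$1/lib/security"
    else
        echo "no lib/security directory under $1" >&2
        return 1
    fi
}

# seed_jssecacerts DIR: once jssecacerts exists, JSSE uses it instead of
# cacerts, so start it as a copy of cacerts to keep the bundled CAs trusted.
seed_jssecacerts() {
    if [ -f "$1/jssecacerts" ]; then
        echo existing
    elif [ -f "$1/cacerts" ]; then
        cp -p "$1/cacerts" "$1/jssecacerts" && echo seeded
    else
        echo new
    fi
}

# import_sharepoint_cert CERT [JAVA_HOME]: show the fingerprint, then import.
import_sharepoint_cert() {
    cert=$1
    home=${2:-$JAVA_HOME}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    dir=$(security_dir "$home") || return 1
    seed_jssecacerts "$dir" >/dev/null || return 1
    # Compare this fingerprint with the certificate's thumbprint on the
    # SharePoint server before answering "yes" to the trust prompt.
    "$home/bin/keytool" -printcert -file "$cert" || return 1
    # "changeit" is the default store password, as in the batch script.
    "$home/bin/keytool" -import -alias sharepoint \
        -keystore "$dir/jssecacerts" -storepass changeit -file "$cert"
}

# Usage: sh import-cert.sh /path/to/sharepoint.cer
# Run as a user allowed to write to the JRE's security directory.
if [ "$#" -ge 1 ]; then
    import_sharepoint_cert "$1"
fi
```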

Step 2: Configure the Alternative URL in Confluence

The final step is to configure your Confluence server to communicate via the new URL you have set up.