Configuring Confluence to use Jespa for NTLM Authentication (v 1.9)

This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to Confluence using Integrated Windows Authentication via a third-party software package called Jespa.

Supportability

This document applies to SharePoint Connector license holders only. For any Jespa-specific issues and support, please contact IOPLEX.

Installation

Step 1. Hook Confluence up to Active Directory

Configure Confluence to synchronize its user repository with the Active Directory domain. See the Confluence documentation on LDAP user management.

Step 2. Download and Install Jespa

  1. Download the Jespa package from the IOPlex website.
  2. Download the latest version of JCIFS from the Samba website: http://jcifs.samba.org/src/jcifs-1.3.17.zip
  3. Follow the installation instructions in the Jespa technical documentation to install Jespa into your Confluence web app. Note that you need to follow the full installation guide for Jespa, which includes:
    1. Creating a computer account in the target Active Directory domain for Jespa to authenticate with.
    2. Testing your Jespa configuration with the Jespa example application provided.

Step 3. Configure Confluence

  1. Copy the Jespa and JCIFS libraries (the 'jar' files) from the downloaded zip files into your %confluence_install%/confluence/WEB-INF/lib directory.
  2. Open the %confluence_install%/confluence/WEB-INF/web.xml file in a text editor, and make the following modifications to the file:
    1. Locate the section of the file that contains a <filter> with a <filter-name> set to 'login'. Immediately after this login filter, add a new <filter> for Jespa. Copy the contents of the Jespa <filter> from the example application used in Step 2, once the example application is able to authenticate correctly. The changed web.xml file should look like this:

      web.xml
      <filter>
          <filter-name>login</filter-name>
          <filter-class>com.atlassian.seraph.filter.LoginFilter</filter-class>
      </filter>

      <filter>
          <filter-name>jespa</filter-name>
          <filter-class>jespa.http.HttpSecurityFilter</filter-class>

          <init-param>
              <param-name>jespa.log.path</param-name>
              <!-- Enter the path to where you would like the Jespa log to be stored -->
              <param-value>C:\confluence-data\logs\jespa.log</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.log.level</param-name>
              <param-value>2</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.bindstr</param-name>
              <!-- Enter the fully-qualified name of your Active Directory domain -->
              <param-value>atlassian.com</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.service.acctname</param-name>
              <!-- Enter the name of the computer account created in Step 2, followed by the '$' sign, followed by the fully-qualified name of your Active Directory domain -->
              <param-value>CONFLUENCE$@atlassian.com</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.service.password</param-name>
              <!-- Enter the password for the Jespa service account, which was set in Step 2. -->
              <param-value>JCnckGJHDSd28c7Nc</param-value>
          </init-param>

          <!-- Note: also copy over all other default Jespa parameter values from the example web.xml -->
      </filter>
      
    2. Locate the section of the file that contains a <filter-mapping> with a <filter-name> set to 'login'. Immediately before this filter mapping, add a new <filter-mapping> for Jespa. The changed web.xml file should look like this:

      web.xml
      <filter-mapping>
          <filter-name>jespa</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>

      <filter-mapping>
          <filter-name>login</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>
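
A check for the two web.xml edits in Step 3, as an added example (not part of the original guide or of Jespa): it confirms that the 'jespa' filter carries the five parameters shown, that the service password is not the sample value printed in this guide, and that the 'jespa' filter-mapping sits immediately before 'login'. The function name, the NAME$@domain test (taken from the guide's sample value) and the embedded sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The five init-params shown in the guide's web.xml excerpt.
REQUIRED = {"jespa.log.path", "jespa.log.level", "jespa.bindstr",
            "jespa.service.acctname", "jespa.service.password"}
GUIDE_SAMPLE_PASSWORD = "JCnckGJHDSd28c7Nc"  # printed in the guide; never deploy it

def check_jespa_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    for e in root.iter():
        e.tag = e.tag.rsplit("}", 1)[-1]  # drop '{namespace}' if web.xml declares one
    filters = {f.findtext("filter-name", "").strip(): f for f in root.findall("filter")}
    order = [m.findtext("filter-name", "").strip() for m in root.findall("filter-mapping")]
    jespa = filters.get("jespa")
    if jespa is None:
        return ["no <filter> named 'jespa'"]
    findings = []
    if jespa.findtext("filter-class", "").strip() != "jespa.http.HttpSecurityFilter":
        findings.append("unexpected filter-class for 'jespa'")
    params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
              for p in jespa.findall("init-param")}
    findings += [f"missing init-param {n}" for n in sorted(REQUIRED - set(params))]
    if "$@" not in params.get("jespa.service.acctname", "$@"):
        findings.append("jespa.service.acctname is not in NAME$@domain form")
    if params.get("jespa.service.password") == GUIDE_SAMPLE_PASSWORD:
        findings.append("jespa.service.password is the guide's sample value")
    # Servlet filters run in filter-mapping order, so Jespa must be mapped first.
    if "jespa" not in order or "login" not in order:
        findings.append("filter-mapping for 'jespa' or 'login' is missing")
    elif order.index("jespa") + 1 != order.index("login"):
        findings.append("'jespa' filter-mapping is not immediately before 'login'")
    return findings

# Constructed sample: two params missing, sample password, mappings in the wrong order.
PARAM = "<init-param><param-name>{}</param-name><param-value>{}</param-value></init-param>"
SAMPLE = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><filter>'
          "<filter-name>jespa</filter-name>"
          "<filter-class>jespa.http.HttpSecurityFilter</filter-class>"
          + PARAM.format("jespa.bindstr", "example.test")
          + PARAM.format("jespa.service.acctname", "WIKI$@example.test")
          + PARAM.format("jespa.service.password", GUIDE_SAMPLE_PASSWORD)
          + "</filter><filter-mapping><filter-name>login</filter-name></filter-mapping>"
          "<filter-mapping><filter-name>jespa</filter-name></filter-mapping></web-app>")

if __name__ == "__main__":
    print("\n".join(check_jespa_web_xml(SAMPLE)))
```

Run it against a copy of %confluence_install%/confluence/WEB-INF/web.xml after editing. Because that file holds jespa.service.password in clear text, keep it readable only by the account that runs Confluence.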
      

Step 4. Add Custom Authenticator

By default, Confluence will not understand the pre-authenticated requests that come through via a Single Sign-On solution (such as Jespa or an IIS proxy). To allow this authentication information to pass through, you must modify the authenticator module used by Confluence. You therefore have to write your own authenticator module and use it in place of the existing one. If you need help with that, please contact a local Solution Partner.

Step 5. Set Client Browser Options

In order for users to be automatically logged in to Confluence without being prompted for their username and password, the browser must be correctly configured for pass-through authentication.

Please instruct all users to ensure that the recommended browser settings are applied.
