Authentication Configuration (v 1.0)

Configuring authentication for Confluence and SharePoint is the most complex aspect of this integration. There is a wide variety of authentication technologies out there. We've attempted to offer instructions for some of the common configurations, using the out-of-the-box technologies that come with Confluence and SharePoint.

Review the recommendations below and also consider the Authentication Configuration Questionnaire.

Recommendations

  • Configure Confluence to Use a Custom Authenticator and Tomcat + IIS is recommended if you plan to use Active Directory as a Confluence user repository and IIS is your standard host for web applications.
  • Configure Confluence to Use a Custom Authenticator and JCIFS is recommended if you plan to use Active Directory as a Confluence user repository and IIS is not your standard host OR you do not have IIS in your environment.
  • Microsoft Single Sign-On Service is recommended if you have MOSS and you do not plan to use Active Directory and NTLM as a Confluence user repository, but would still like to configure a Single Sign-On experience for SharePoint users accessing Confluence. This service serves as a secure credentials storage and forwarding service. It stores credentials and logs users in to Confluence behind the scenes. It prompts users for their Confluence credentials the first time they try to access Confluence content on SharePoint, then securely stores that information until it cannot log them in successfully (i.e. password changed, expired), at which point it prompts them again.
  • Configure SharePoint to Authenticate with NTLM is recommended. Basic authentication and Forms Based Authentication within SharePoint can work, but there may be limitations.

NTLM and Anonymous Access

If you want to enable NTLM with Confluence as well as allow for anonymous access with Confluence, please review NTLM and Anonymous Access.

Broken Image Links

One reason to use NTLM or Microsoft SSO is to prevent broken image links. Review Broken Images in the Confluence Page Web Part to understand how the different authentication options play a role in preventing this.

Using Confluence and SharePoint with Active Directory (no NTLM)

This option will ensure that both Confluence and SharePoint have the same list of users and groups.

Using the internal Confluence user store

You can set up Confluence and SharePoint to use their own, separate user databases. This option may be appropriate if you already have Confluence and SharePoint running with different sets of users.

MOSS has a Single Sign-On service which will save the credentials for a given user on another system. For example, if I log in to SharePoint as jonathan@atlassian.com, I can tell SharePoint to log me in to Confluence as jnolen. The SSO service will remember those credentials and re-sign me in each time.

The instructions for this configuration can be found here: Configuring the Microsoft Single Sign-On Service.

Forms Based Authentication for SharePoint

It is recommended that you use NTLM for authentication to SharePoint (Basic authentication can be used as well). With v1.0.2 of the SharePoint installation you can use Forms Based Authentication (FBA) to connect to SharePoint, but there are limitations as discussed below.

The SharePoint web parts that display Confluence content (the Confluence Page and Confluence Pages Tree View web parts) work fine as does using SharePoint to search Confluence. Note that the service account defined when you Install and Configure the SharePoint Plugin must still use NTLM or Basic authentication.

To allow for both NTLM/Basic and FBA, you extend your web application within SharePoint to have two URLs/ports: one for NTLM/Basic and one for FBA. The service account would access SharePoint through the URL/port for NTLM/Basic.

There are two issues with this approach, however. See CSI-228 and CSI-229 for more information.