SharePoint Connector - Technical F.A.Q (v 1.0)

Owned by Almuth Boehme [Communardo]
Aug 18, 2016
9 min read

What versions of Active Directory are supported as part of the SSO configuration? AD 2000 / 2003?

The SharePoint Connector has been developed and tested with ActiveDirectory 2003, but Actitive Directory 2000 should work also. If you find any incompatiblities, then please let us know.

Is SSO handled through an open source module?

When a user access SharePoint they are authenticated using Windows Integrated Security which could be using NTLM, Kerberos or something else. When a user access Confluence using Internet Explorer they are authenticated using NTLM if it is available. If NTLM is unavailable because of using a different browser or operating system Confluence will prompt for a user name / password. The credentials will then be checked against Active Directory.

What is the support policy for the Confluence NTLM Authenticator - the plugin which Confluence uses to authenticate users with NTLM?

The Confluence NTLM authenticator is a third-party contribution and is not currently supported by Atlassian. See Supported NTLM Authentication with the SharePoint Connector for one that is supported.

What is the support policy?

The SharePoint Connector for Confluence is supported by Atlassian. If you have questions or issues, please file them in the Confluence project on http://support.atlassian.com. The SharePoint Connector topics on Atlassian Answers will also remain active, and can be a valuable resource for getting help with the Connector.

Does NTLM authentication work today?

Yes. See Supported NTLM Authentication with the SharePoint Connector for more information.

I've heard about performance issues with the Confluence NTLM authenticator. Where can I track the progress being made against those issues?

This issue can be tracked here

What is the roadmap for single sign-on with respect to AD and MOSS?

Currently the SharePoint Connector is developed and tested using ActiveDirectory 2003 and MOSS 2007. No other versions of those products have been tested so far. Some features of the SharePoint connector also work with WSS.

When is Kerberos going to be supported as a SSO method?

There are no plans to support kerberos at this time. It is a possibility for the future.

Why won't my web part show any data?

There are several potential reasons why you cannot see data.

  • The SharePoint server needs access to the Confluence server. Therefore Confluence must be running and the Confluence Settings page must have the appropriate URL to Confluence.
  • In order for SharePoint to show Confluence content, it needs to use the Confluence SOAP Permission Checker Plugin to communicate. Go to the Plugin Manager to ensure it is installed and enabled. You can download it from the Plugin Repository.
  • If you are not using SSO, the logged in user account in SharePoint must exist as an account within Confluence. Therefore, if your Active Directory account used by SharePoint is MY_DOMAIN\my_user_name, then a Confluence account named my_user_name must exist in Confluence (or Confluence must be tied to Active Directory) and that user must have read access to the space/page you are trying to display in SharePoint.

Why do I have to log in to Confluence when clicking a Confluence link from SharePoint within a web part provided by the SharePoint Connector for Confluence?

If you are not using Single Sign-on (SSO) and SharePoint is using Windows Integrated Security while Confluence is using Forms Based Authentication, this will always occur unless you have Confluence "remember my login on this computer". If you are using SSO this can be prevented by following the recommended browser settings.

Why do my images within the Confluence Page web part show as broken images?

See Broken Images in the Confluence Page Web Part.

When I click on a link to Confluence from a SharePoint web part, the link takes me to a page that does not exist.

Assuming the page really does exist, a likely problem is that the Server Base Url is not specified properly on the General Configuration administration page within Confluence. For exaxmple, if Confluence is not configured at the root of the domain (e.g., http://confluence.mycompany.com/confluence instead of http://www.mycompany.com) the Server Base Url needs to reflect that or links in web parts will have the incorrect values.

How does content get security trimmed?

For a detailed review of security trimming as well as other security concepts, see SharePoint Connector Security Review.

Is SSL supported?

Yes.
The SharePoint features (web parts, search) can access Confluence if it is running under SSL.
To learn more about this and how to configure SSL, see Secure Sockets Layer (SSL) Configuration.

The SharePoint plugin within Confluence also supports SSL on SharePoint. You need only configure your container to connect to SSL services. In most cases this just involves adding the SSL certificate from the SharePoint server to the keystore maintained by your Java VM and then specifying http*s*://yourserver as the way to reach your SharePoint server in the plugin's configuration.

Why am I sometimes getting login failed in the SharePoint "Confluence Settings" or on my Confluence Page web parts?

If you are not using the SSO option, you must specify a Confluence administrative username and password in the Confluence Settings page within SharePoint. The password is encrypted using a key specified in the <machinekey> setting in the web.config file for each Web Front End (WFE) within your SharePoint farm. SharePoint tries to make sure that the machine key is identical for each WFE, but if they are not, you will get the following error:

com.atlassian.confluence.rpc.AuthenticationFailedException: Attempt to login user '<administrative user account>' failed - incorrect password.

If this problem occurs, make sure all WFEs have the same machine key and do an IISRESET on each WFE for any that you change. You may then have to re-save the administrative password on the Confluence Settings page if the machine key you decided to use on each WFE does not match the machine key used to save the password in the first place.

I cannot successfully execute "Update SharePoint Config Settings" when testing the configuration from Confluence to SharePoint ("SharePoint Admin" screen). What could be the problem?

This problem recently occurred and did not present an obvious solution. The problem was resolved by resetting the default security template on the SharePoint server (see Method 1 as listed under http://support.microsoft.com/kb/903071).

Here are some others things to review if the default security template does not turn out to be the issue.

  • Check all items listed in the SharePoint Plugin Configuration Troubleshooting page
  • Make sure IIS Directory Security for the SharePoint web application is set to Windows Authentication
  • SharePoint Central Administration is set to NTLM and not Negotiate/Kerberos
  • Check Local Security Policy (Group policy) to make sure both the client/server are using consistent NTLM/LM formats
    see "Network security: LAN Manager authentication level" under Security Options

I just changed the theme of my space in Confluence, but it isn't reflected in the Confluence Page web parts. Why is that?

The CSS for a space is cached by SharePoint. The cache is set to expire after one hour. The new theme should be reflected in Confluence Page web parts within an hour of the change. Performing an IISRESET on SharePoint server(s) is currently the only way to expedite the process.

I just set the Confluence space and Page information for the Confluence Page web part, but the web part title is not showing up correctly. Why is that?

The configured Confluence service user does not have permission to access the page. Make sure the service user (set in the 'Confluence Settings' screen for the current SharePoint website) has appropriate permissions in Confluence.

In SharePoint search configuration I just crawled my Confluence content source and updated my scopes, but my Confluence scope shows 0 items. Why is that?

You can "view scopes" from the search administration within your SharePoint shared service provider (SSP). When doing so, this will execute the security trimmer which is in place to make sure users don't see search results for pages to which they don't have access. When running this from the SSP the security trimmer does not know how to access Confluence, but your scope should still work. Note that if you view scopes from within your regular site collection(s) you should see counts for your scopes if you have configured a connection to Confluence at the root/top site within that site collection (assuming the current user has access to Confluence). For more details you can read a blog about this here.  See also Troubleshooting SharePoint Search.

I am using NTLM for Confluence, but cannot crawl using Windows Authentication. How do I get this to work properly?

Forms Authentication for the search crawler configuration should currently be used even if you have Confluence set up using NTLM. The MOSS crawler has problems crawling Confluence directly under NTLM, even though it can crawl other Windows authenticated web sites just fine. This issue can be tracked as JIRA item CSI-59. If you are running Tomcat under IIS, one option is to have the crawler search using the Tomcat port. Then you will want to set up a Server Name Mapping (under MOSS Search Settings) so that search results show the IIS port instead of the Tomcat port.

See also SharePoint Search Configuration.

I am authenticating users in Confluence with Active Directory and I have "authorized" users in the "Domain Users" Active Directory group to be able to access/participate in a specific Confluence space. However, the members of "Domain Users" do not appear to have access. Why is this?

This appears to be a bug with Confluence integration with Active Directory. CSI-206 in Jira captures the issue. To work around the issue, try placing the "authorized" users in an Active Domain group that does not contain spaces in the name (ex: Confluence).

From SharePoint I have set up the search to crawl and there are several items in the index, so why do I still get zero search results when searching Confluence from SharePoint?

First, double check the steps on SharePoint Search Configuration. If that is set up properly and you have several items in your crawl log, the likely problem is that the search results are getting security trimmed (see also the FAQ on CONFEXT:Security Trimming). This is possibly because the currently logged in user within SharePoint does not exist within Confluence. If you feel that the user does exist, the next step may be to perform some tracing.  Resolution steps are all laid out at Troubleshooting SharePoint Search.

Can I use Search Server 2008 to search Confluence instead of MOSS?

Both MOSS 2007 and Search Server 2008 use the same technology for searching. However, the SharePoint Connector for Confluence provides some assitance with configuration within MOSS. This is not available within Search Server 2008, but manual configuation should be possible. See Search Configuration for Search Server 2008 for more details.

Do the servers need to be on the same network Subnet? Any requirements as far as domain names or computer names?

The servers can be on different network subnets (with the following exceptions in effect - based on the environments we have tested)

  • For Active Directory integration with NTLM to work properly, both the Confluence server and the SharePoint server should be part of the same domain
  • If Active Directory is not used as a Confluence user repository, then the suggestion would be to use the Microsoft Single Sign-on Service (option "Using the internal Confluence user store" as defined in http://confluence.atlassian.com/display/CONFEXT/Authentication+Configuration)

Does it fully replace the Confluence search? If so, are there any downsides? (ie searching by labels or author)

No, it does not replace the Confluence search, it only enhances it by providing additional content found in the configured SharePoint environment. It does not currently help with searching by labels or author.

Does the screen always have the Sharepoint / Confluence tabs at the top so users can navigate back and forth? What happens in a user changes the theme on a space? Does that affect navigation back and forth?

The 2.7/2.8 SharePoint decorators are used to add the "SharePoint" link to the top left corner.
If the user changes the theme to something other than the 2.7/2.8 SharePoint decorator, the "SharePoint" link will be removed, but navigation between Confluence/SharePoint environments will not be affected.

Is single sign on available as web based (ie cookie or token oriented) or is it only NTLM? If only NTLM what about Mac users or Firefox?

Does it change anything about group management? If I need to add a user to a group, do I have to do it in both systems?

It depends...

    • If Active Directory is used for both products, then you may need to add an Active Directory user to Confluence/Confluence space. If you have an Active Directory domain group (with no spaces in the name - see Jira Item # ?) that contains all users that will access Confluence, you can assign the group once to Confluence and again once per space.
    • If Active Directory is used for SharePoint only and Confluence is using a separate user repository, then yes, you will need to configure a user independently in both products.

Do space permissions have any overlap or combined functionality with Sharepoint permissions?

There really is no overlap. We have implemented permission checking from both sides (Confluence to SharePoint; SharePoint to Confluence) to help control a specific user from having inappropriate access to something.

Which system's user profile information will be used?

User profile will come from Active Directory (if used for either system). SharePoint will typically be configured to use Active Directory. If Confluence is configured to use another user repository, then Confluence will show user profile information from the respective user repository and SharePoint will show user profile information from Active Directory. Other than the above, the Confluence profile is not connected to the SharePoint profile.

Can I incorporate the SharePoint theme into my own custom theme?

Yes. You can find details at this link - How to incorporate the SharePoint theme into another custom theme.

Other resources

See the General FAQ on the Atlassian website, and Atlassian Answers for the SharePoint Connector for Confluence.