Configuring Confluence to use Jespa for NTLM Authentication (v 1.3)

This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to Confluence using Integrated Windows Authentication via a third-party software package called Jespa.

Supportability

This document applies to SharePoint Connector license holders only. For any Jespa-specific issues and support, please contact IOPLEX.

Installation

Step 1. Hook Confluence up to Active Directory

Configure Confluence to synchronise its user repository with the Active Directory domain. See the Confluence documentation on LDAP user management.

Step 2. Download and Install Jespa

  1. Download the Jespa package from the IOPLEX website.
  2. Follow the installation instructions in the Jespa technical documentation to install Jespa into your Confluence web app. Note that you need to follow the full installation guide for Jespa, which includes:
    1. Creating a computer account in the target Active Directory domain for Jespa to authenticate with.
    2. Testing your Jespa configuration with the Jespa example application provided.

Step 3. Configure Confluence

  1. Copy the Jespa and JCIFS libraries from the Jespa example application into your %confluence_install%/confluence/WEB-INF/lib directory.
  2. Open the %confluence_install%/confluence/WEB-INF/web.xml file in a text editor, and make the following modifications to the file:
    1. Locate the section of the file that contains a <filter> with a <filter-name> set to 'login'. Immediately after this login filter, add a new <filter> for Jespa. You should copy the contents of the Jespa <filter> in the example application used in step 2, once the example application is able to authenticate correctly. The changed web.xml file should look like this:
      web.xml
      <filter>
          <filter-name>login</filter-name>
          <filter-class>com.atlassian.seraph.filter.LoginFilter</filter-class>
      </filter>

      <filter>
          <filter-name>jespa</filter-name>
          <filter-class>jespa.http.HttpSecurityFilter</filter-class>

          <init-param>
              <param-name>jespa.log.path</param-name>
              <!-- Enter the path to where you would like the Jespa log to be stored -->
              <param-value>C:\confluence-data\logs\jespa.log</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.log.level</param-name>
              <param-value>2</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.bindstr</param-name>
              <!-- Enter the fully-qualified name of your Active Directory domain -->
              <param-value>atlassian.com</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.service.acctname</param-name>
              <!-- Enter the name of the computer account created in Step 2, followed by the '$' sign, followed by the '@' sign and the fully-qualified name of your Active Directory domain -->
              <param-value>CONFLUENCE$@atlassian.com</param-value>
          </init-param>

          <init-param>
              <param-name>jespa.service.password</param-name>
              <!-- Enter the password for the Jespa service account, which was set in Step 2. The value is stored here in clear text, so restrict read access to web.xml. -->
              <param-value>JCnckGJHDSd28c7Nc</param-value>
          </init-param>

          <!-- Note: also copy over all other default Jespa parameter values from the example web.xml -->
      </filter>
      
    2. Locate the section of the file that contains a <filter-mapping> with a <filter-name> set to 'login'. Immediately before this filter mapping, add a new <filter-mapping> for Jespa. The changed web.xml file should look like this:
      web.xml
      <filter-mapping>
          <filter-name>jespa</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>

      <filter-mapping>
          <filter-name>login</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>
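
A check for the two web.xml edits in Step 3, added here as an example and not part of the original guide or of Jespa: it confirms that the jespa filter carries the parameters shown above, that jespa.service.acctname has the NAME$@domain form, and that the jespa filter-mapping precedes the login one. The function and helper names and the example.com sample values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = ("jespa.bindstr", "jespa.service.acctname", "jespa.service.password")

def local(tag):
    # Drop any "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def check_web_xml(xml_text):
    """Return a list of problems in a web.xml edited as described in Step 3."""
    root = ET.fromstring(xml_text)
    filters = {child_text(e, "filter-name"): e for e in root if local(e.tag) == "filter"}
    order = [child_text(e, "filter-name") for e in root if local(e.tag) == "filter-mapping"]
    if "jespa" not in filters:
        return ["no <filter> named 'jespa'"]
    params = {child_text(p, "param-name"): child_text(p, "param-value")
              for p in filters["jespa"] if local(p.tag) == "init-param"}
    problems = [f"missing init-param {n}" for n in REQUIRED if not params.get(n)]
    acct = params.get("jespa.service.acctname", "")
    if acct and not re.fullmatch(r"[^$@\s]+\$@[^@\s]+", acct):
        problems.append("jespa.service.acctname is not NAME$@domain")
    if "jespa" not in order:
        problems.append("no <filter-mapping> for 'jespa'")
    elif "login" in order and order.index("jespa") > order.index("login"):
        problems.append("jespa <filter-mapping> must come before 'login'")
    return problems

def sample_filter(name, params=()):
    # Builds constructed sample XML; not taken from a real installation.
    body = "".join(f"<init-param><param-name>{k}</param-name>"
                   f"<param-value>{v}</param-value></init-param>" for k, v in params)
    return f"<filter><filter-name>{name}</filter-name>{body}</filter>"

def sample_mapping(name):
    return f"<filter-mapping><filter-name>{name}</filter-name><url-pattern>/*</url-pattern></filter-mapping>"

# Constructed sample: the account name lacks '$' and the mappings are in the wrong order.
SAMPLE_BAD = ("<web-app>" + sample_filter("login") + sample_filter("jespa", [
    ("jespa.bindstr", "example.com"), ("jespa.service.acctname", "CONFLUENCE@example.com"),
    ("jespa.service.password", "PLACEHOLDER")]) + sample_mapping("login") + sample_mapping("jespa") + "</web-app>")

if __name__ == "__main__":
    print("\n".join(check_web_xml(SAMPLE_BAD)))
```

To check a real installation, pass the contents of the edited web.xml file to check_web_xml().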
      

Step 4. Add Custom Authenticator

By default, Confluence does not understand the pre-authenticated requests that arrive via the Jespa filter. To allow this authentication information to pass through, you must modify the authenticator module used by Confluence.

  1. Download the customauth-0.4.jar file attached to this page and place it in your %confluence_install%\confluence\WEB-INF\lib directory.
  2. Edit the %confluence_install%\confluence\WEB-INF\classes\seraph-config.xml file.
  3. Locate the Authenticator element and comment it out entirely.
  4. Add a new Authenticator element that looks like this:
    <authenticator class="com.pixelpark.seraph.SSOAuthenticator" />
  5. Save your changes and close the file.
  6. Restart Confluence and ensure that the server initialises successfully.

Step 5. Set Client Browser Options

In order for users to be automatically logged in to Confluence without being prompted for their username and password, the browser must be correctly configured for pass-through authentication.

Please instruct all users to ensure that the recommended browser settings are applied.
