  1. Documentation
  2. DOCS-6559

Improve Kerberos Authentication page



    • Type: Bug
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: mongodb-3.0
    • Fix Version/s: None
    • Component/s: kb


      The "Troubleshoot Kerberos Authentication" page describes some failure conditions which Kerberos deployments may encounter. There are a few more conditions which seem to pop up when using Active Directory with Linux MongoDB servers. Maybe we should extend this page to cover some configuration problems that manifest when integrating with KDCs.

      Here are some things I think we should mention:

      • Linux krb5 keytabs must contain principal names which end in @REALM, where REALM is the all-capital string representation of the realm. SPNs can be validated by running `setspn -Q <SPN>` on AD. If correctly configured, this will return one DN representing the account which the SPN is attached to. This SPN, suffixed with @REALM, should appear in the keytab when running `klist -k <keytab>` on Linux.
      • When using AD as a KDC, MongoDB's service account must be a user account. It cannot be a machine account.
      • If using AES encryption with Active Directory, make sure that the ability to use AES is enabled on the MongoDB service account, either via the msDS-SupportedEncryptionTypes property or via the policy setting “Network Security: Configure Encryption types allowed for Kerberos”.
      • ktutil on Linux does not use the same algorithm AD uses to generate salts. The options for avoiding this problem are:
        • (Not recommended) Use RC4-HMAC, which does not use a salt.
        • Generate the keytab file on the AD server, and move the resulting file to the Linux server:

          ktpass /out <outfile.keytab> /princ <spn>@<REALM> /mapuser <current userPrincipalName> /crypto ALL /ptype KRB5_NT_PRINCIPAL +rndpass

          Note that this will change the userPrincipalName to the value in /princ.

        • Use ktutil on Linux, and force it to use the correct salt. Generate a keytab entry, using the "userPrincipalName" property as the principal name. Then, hexdump the key. Create a new keytab entry, using <spn>@<REALM> as the principal name, and use the hex-dumped key. This looks like:

          ktutil:  add_entry -password -p <userPrincipalName>@<REALM> -e aes256-cts-hmac-sha1-96 -k <KVNO>
          Password for <userPrincipalName@REALM>: 
          ktutil:  list -k
          slot KVNO Principal
          ---- ---- ---------------------------------------------------------------------
             1    <KVNO> <userPrincipalName@REALM>(0x<HEXDUMP>)
          ktutil:  add_entry -key -p <spn>@<REALM> -e aes256-cts-hmac-sha1-96 -k <KVNO>
          Key for <spn>@<REALM> (hex): <HEXDUMP>
          ktutil:  write_kt mongodb_ad.keytab
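
The salt mismatch behind the last workaround, as an added example that is not part of the original ticket or of MongoDB's documentation. It computes the Kerberos default salt (RFC 4120) that a password-based keytab entry gets for a given principal name, and runs the PBKDF2 stage of the aes256-cts-hmac-sha1-96 string-to-key (RFC 3962) to show that the same password under `<spn>@<REALM>` and under the userPrincipalName cannot produce the same key. The principal names and password are constructed, and the example assumes, as the workaround above implies, that the AD-side key is salted from the userPrincipalName.

```python
import hashlib


def default_salt(principal: str) -> bytes:
    """Kerberos default salt (RFC 4120): the realm, then the name
    components concatenated with no separators."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError(f"expected name@REALM, got {principal!r}")
    return (realm + name.replace("/", "")).encode("utf-8")


def aes256_pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key. The keytab key
    is derived from this value, so a different salt yields a different key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def same_key_material(password: str, principal_a: str, principal_b: str) -> bool:
    """True only if both principal names lead to the same salted key material."""
    a = aes256_pbkdf2_stage(password, default_salt(principal_a))
    b = aes256_pbkdf2_stage(password, default_salt(principal_b))
    return a == b


# Constructed sample values (assumptions, not taken from the ticket).
UPN = "svc-mongodb@EXAMPLE.COM"              # account's userPrincipalName
SPN = "mongodb/db1.example.com@EXAMPLE.COM"  # <spn>@<REALM> wanted in the keytab
PASSWORD = "constructed-example-password"

if __name__ == "__main__":
    for label, principal in (("UPN", UPN), ("SPN", SPN)):
        salt = default_salt(principal)
        stage = aes256_pbkdf2_stage(PASSWORD, salt)
        print(f"{label}: salt={salt.decode()} pbkdf2={stage.hex()}")
    # Entering the password directly under the SPN gives key material that
    # differs from what the UPN-salted derivation gives.
    print("same key material:", same_key_material(PASSWORD, UPN, SPN))
```

This is why the ktutil session above derives the key under the userPrincipalName first and then re-enters the dumped hex key under `<spn>@<REALM>`: a key added with `-key` is stored as given, with no salt applied.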




            ravind.kumar Ravind Kumar (Inactive)
            spencer.jackson Spencer Jackson