What is the problem or use case, what are we trying to achieve?
Users are not able to connect using Kerberos on Windows when specifying only a username and no password. This is happening because the Node.js driver (and possibly/likely other drivers) differ from the behavior of the legacy shell in this regard, and we think that the legacy shell behavior is the preferable one. Specifically:
If a username without a password is provided, the legacy shell passes that username to the server, but not to the Windows SSPI API, i.e. from SSPI it fetches the credentials of the current user regardless of the specified username. This was an intentional choice as part of
SERVER-45050 (compare https://github.com/mongodb/mongo/blob/5bbadc66ed462aed3cc4f5635c5003da6171c25d/src/mongo/client/sasl_sspi.cpp#L182 and https://github.com/mongodb-js/kerberos/blob/b536f1a921985126bb462ae264f94f5a8319d00b/src/win32/kerberos_sspi.cc#L82).
Who is the affected end user?
Users of Kerberos authentication on Windows.
How does this affect the end user?
Users don't know why a connection string/set of options that works with the legacy shell does not work with drivers or mongosh.
How likely is it that this problem or use case will occur?
I imagine it's fairly common for the subset of users that use Kerberos on Windows.
If the problem does occur, what are the consequences and how severe are they?
They end up being stumped about being unable to connect.
Is this issue urgent?
Not particularly, but with mongosh fully replacing the legacy shell in the 6.0 server release, it would be good to have this resolved before then.
Is this ticket required by a downstream team?
This is split from MONGOSH-1059.
Is this ticket only for tests?