Core Server / SERVER-33981

Support GSSAPI hostname canonicalization in mongo shell

    • Type: New Feature
    • Resolution: Gone away
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Shell
    • Labels:
      None
    • Service Arch

      I noticed, while investigating CDRIVER-2522, that the mongo shell and the MongoDB drivers have different ways to handle the situation where a server's hostname differs from the hostname the client should use for Kerberos authentication.

      Drivers support CANONICALIZE_HOST_NAME, whose behavior is described in the Auth Spec. It is configured in the URI like:

      mongodb://user@host/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true
      

      The shell is different; it permits users to set the GSSAPI hostname directly:

      mongo <options> --gssapiHostname foo
      

      There's a comment in mongo_uri_connect.cpp, "CANONICALIZE_HOST_NAME is currently unsupported".

      I propose adding to the MongoDB client code the ability to recognize the CANONICALIZE_HOST_NAME option in the URI and canonicalize hostnames, following the Auth Spec. I have code in the C Driver that implements it for Windows and Unix.

            Assignee:
            backlog-server-servicearch [DO NOT USE] Backlog - Service Architecture
            Reporter:
            jesse@mongodb.com A. Jesse Jiryu Davis
            Votes:
            0
            Watchers:
            6
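What honoring CANONICALIZE_HOST_NAME involves on a Unix client, as an added example that is not the C Driver's or the shell's code. The function names are hypothetical, the property string is assumed to be unescaped, and the forward-then-reverse lookup shown is one common way to canonicalize; the Auth Spec governs what a driver must actually do.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Returns 1 if authMechanismProperties carries CANONICALIZE_HOST_NAME:true. */
int wants_canonicalization(const char *uri)
{
    static const char key[] = "authMechanismProperties=";
    static const char opt[] = "CANONICALIZE_HOST_NAME:true";
    const char *p = strstr(uri, key);
    if (!p) return 0;
    p += sizeof key - 1;
    size_t len = strcspn(p, "&");   /* the property list ends at the next option */
    size_t n = sizeof opt - 1;
    for (size_t i = 0; i + n <= len; i++)   /* match one whole comma-separated item */
        if (memcmp(p + i, opt, n) == 0 && (i == 0 || p[i - 1] == ',') &&
            (i + n == len || p[i + n] == ','))
            return 1;
    return 0;
}

/* Writes the host part of the GSSAPI service principal into out.
 * Any lookup failure leaves the hostname exactly as the user typed it. */
void gssapi_service_host(const char *host, int canonicalize, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    char name[256];
    snprintf(out, outlen, "%s", host);
    if (!canonicalize) return;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;          /* forward lookup, following CNAMEs */
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || !res) return;
    /* Reverse lookup of the first address; NI_NAMEREQD refuses a numeric answer. */
    if (getnameinfo(res->ai_addr, res->ai_addrlen, name, sizeof name, NULL, 0, NI_NAMEREQD) == 0)
        snprintf(out, outlen, "%s", name);
    else if (res->ai_canonname)
        snprintf(out, outlen, "%s", res->ai_canonname);
    freeaddrinfo(res);
}

int main(void)
{
    const char *uri = "mongodb://user@host/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true";
    char h[256];
    gssapi_service_host("localhost", wants_canonicalization(uri), h, sizeof h);
    printf("principal host: %s\n", h);
    return 0;
}
```

Because the resulting name comes from DNS answers, the principal the client requests a ticket for is only as trustworthy as the resolver path, which is why canonicalization is opt-in.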