Core Server / SERVER-58447

mongo Will Attempt to Connect to System Certificate Store on Windows, Even if File-Based Cert and Key Pair is Used

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Major - P3
    • Affects Version/s: 4.0.18
    • Component/s: None
    • Labels: None
    • Server Security
    • ALL
    • Steps to reproduce:

      Run mongoDB with the attached .conf file as a domain user with Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Access to This Computer From the Network set for the user or group, or remove the user from Access this Computer from the Network. These policies will need to be set on the Domain Controller, not the database server, and the Domain Controller and Database Server will need to be separate devices. This has been observed on mongoDB 4.0.18.
    • Security 2023-05-29, Security 2023-06-12, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-10-02, Security 2023-10-16, Security 2023-10-30

      When running mongoDB v4.0+ under a domain user account, it will attempt to connect to the system certificate store, even if not configured to be used in the .conf file. This will cause the server to make a type 3 connection to the domain controller. If this connection is disallowed by group policy, mongoDB will crash with the following error:

      Failed global initialization: InvalidSSLConfiguration: CryptAcquireContextW failed The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation

      This does not affect local accounts or the System account.
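      As an added defender-side example (not code from this ticket or from MongoDB), the following PowerShell script checks the two User Rights Assignment policies the report names for a given service account, so an operator can confirm before deployment whether that account would be refused the network (type 3) logon the description mentions. It assumes secedit.exe is available in an elevated prompt and that its export reflects the effective policy on the machine it runs on (on a domain member that includes GPO-applied settings). The account name is a placeholder; nested group membership is not expanded, and grants expressed as bare names rather than SIDs are not matched. The optional Get-DeniedNetworkLogons helper is meant for the Domain Controller's Security log and relies on the documented 4625 event fields.

```powershell
# Added example, not part of SERVER-58447. Run elevated; secedit.exe is required.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # placeholder, e.g. 'CONTOSO\svc-mongod'
)

function Get-EffectiveUserRights {
    # Export only the User Rights area of the local security policy to a temp INF
    $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        $rights = @{}
        $inPrivSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') {
                $inPrivSection = ($Matches[1] -eq 'Privilege Rights'); continue
            }
            if (-not $inPrivSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
            # Values are comma separated; SIDs carry a leading '*', names are bare
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
        return $rights
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-NetworkLogonAllowed {
    param([string]$Account, [hashtable]$Rights)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    # Identities that implicitly include the account. Nested domain group
    # membership is NOT expanded here; a grant or deny through a custom group
    # needs manual review.
    $identities = @($sid, 'S-1-1-0', 'S-1-5-11')   # account, Everyone, Authenticated Users
    $allowed = @(@($Rights['SeNetworkLogonRight'])     | Where-Object { $identities -contains $_ })
    $denied  = @(@($Rights['SeDenyNetworkLogonRight']) | Where-Object { $identities -contains $_ })
    [pscustomobject]@{
        Account        = $Account
        Sid            = $sid
        GrantedVia     = $allowed
        DeniedVia      = $denied
        # "Deny" always wins, and a missing grant is also a refusal
        NetworkLogonOk = ($allowed.Count -gt 0 -and $denied.Count -eq 0)
    }
}

function Get-DeniedNetworkLogons {
    # For the Domain Controller: failed logons (4625) of type 3 whose status is
    # 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED), i.e. refused by User Rights
    # Assignment, for the named account over the last $Hours hours.
    param([string]$Account, [int]$Hours = 24)
    $user = ($Account -split '\\')[-1]
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Properties[10].Value -eq 3 -and              # LogonType
            $_.Properties[7].Value  -eq 0xC000015B -and     # Status
            $_.Properties[5].Value  -eq $user                # TargetUserName
        } |
        Select-Object TimeCreated,
            @{ n = 'Workstation'; e = { $_.Properties[13].Value } },
            @{ n = 'SourceIp';    e = { $_.Properties[19].Value } }
}

$rights = Get-EffectiveUserRights
Test-NetworkLogonAllowed -Account $Account -Rights $rights | Format-List
```

      Run the script on the database server as `.\Check-NetworkLogon.ps1 -Account 'CONTOSO\svc-mongod'`; a result with NetworkLogonOk set to False is the configuration under which the report says mongod fails at startup. Call Get-DeniedNetworkLogons on the Domain Controller to see whether such refusals have already been recorded for that account.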

            Assignee: Adrian Gonzalez Montemayor (adrian.gonzalez@mongodb.com)
            Reporter: Tom Slattery (tom.slattery@osii.com)
            Votes: 0
            Watchers: 7