[COMPASS-4272] Kerberos Authentication Issue Created: 04/May/20  Updated: 29/Oct/23  Resolved: 25/Sep/20

Status: Closed
Project: Compass
Component/s: Connectivity
Affects Version/s: 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0
Fix Version/s: 1.23.0

Type: Bug
Priority: Major - P3
Reporter: Aniq Pirzada
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: JPEG File error.jpg    
Issue Links:
Depends
depends on NODE-2754 Publish new version of kerberos Closed
Documentation Changes: Not Needed
Sprint: Iteration Dragon Fruit, Iteration Elderberry, Iteration Fig, Iteration Guanábana, Iteration Huckleberry, Iteration Icaco, Iteration Jackfruit, Iteration Lime, Iteration Maracuja

 Description   

All MongoDB Compass versions after 1.15.0 do not allow me to connect.

I connect to the DB using the following fields:

Hostname: <hostname>

Port: <port>

Authentication: Kerberos

Principal: <userid>@<domain>

Password: <password>

Service Name: <service name>

SSL: Server Validation

and I am presented with 'AcquireCredentialsHandle: The token supplied to the function is invalid'

This has been the issue on all versions after 1.16.0.

The last working version is 1.15.0

 Comments   
Comment by Maurizio Casimirri [ 10/Aug/20 ]

pirzadaaniq@gmail.com we are currently working with the driver team to fix another bug with Kerberos connectivity so we could use a new driver version with Kerberos, and in the meantime we will debug this issue separately. If you could, having this information would help us:

  • what is the version of MongoDB server?
  • which OS are you connecting from?
  • is the server set up with LDAP / Kerberos and SSL?
  • are you still successfully using Compass 1.15.0?
  • can you confirm that you are able to connect with the same credentials and certificate using the enterprise mongo shell?
  • can you confirm that your connection is not coming from favorites as well?

Comment by Aniq Pirzada [ 28/Jul/20 ]

I just tried the following on 1.20.0

Hostname: <hostname>
Port: <port>
Authentication: Kerberos
Principal: <userid>@<domain>
Password: BLANK
Service Name: <service name>
SSL: Server Validation
Certificate Authority: <.Cer>
Hostname: <hostname>

and I get

Server selection timed out after 30000ms

I get the same if I provide a password too.

-----------

On version 1.18.0

Same details as above, I am getting

Authentication Fail

Comment by Maurizio Casimirri [ 28/Jul/20 ]

pirzadaaniq@gmail.com thanks for your reply! Any version later than 1.20.x unfortunately is affected by another issue with Kerberos, so it is not easy to isolate this bug and relate it to Kerberos or TLS.

We will try to reproduce it on 1.20 without the password, which is known to work with Kerberos.

Comment by Aniq Pirzada [ 28/Jul/20 ]

I cannot use Kerberos authentication on any version after 1.15

Currently tried the following version: 1.21.2

Hostname: <hostname>
Port: <port>
Authentication: Kerberos
Principal: <userid>@<domain>
Password: <password>
Service Name: <service name>
SSL: Server Validation
Certificate Authority: <.Cer>

and I am getting:

AcquireCredentialsHandle: The token supplied to the function is invalid

but the same details work perfectly fine on MongoCompass 1.15.0

Comment by Maurizio Casimirri [ 28/Jul/20 ]

> If I give no password on Kerberos (only username) I get: 'InitializeSecurityContext: The specified target is unknown or unreachable'

pirzadaaniq@gmail.com The error 'InitializeSecurityContext: The specified target is unknown or unreachable' is a known issue (https://jira.mongodb.org/projects/HELP/queues/issue/COMPASS-4319) with >= 1.21. Does it happen in 1.20 without the password?

https://jira.mongodb.org/projects/HELP/queues/issue/COMPASS-4319 is currently being solved; if you can connect without the password in 1.20, then the fix for COMPASS-4319 would also solve this one.

Comment by Aniq Pirzada [ 11/May/20 ]

If I change Authentication to 'None' I can connect and get the error: 'An error occurred while loading navigation: there are no users authenticated'

If I give no password on Kerberos (only username) I get: 'InitializeSecurityContext: The specified target is unknown or unreachable'

Comment by Massimiliano Marcon [ 11/May/20 ]

pirzadaaniq@gmail.com can you try without specifying a password?
