[COMPASS-4494] AcquireCredentialsHandle: The token supplied to the function is invalid Created: 11/Nov/20  Updated: 29/Oct/23  Resolved: 09/Dec/20

Status: Closed
Project: Compass
Component/s: Compass
Affects Version/s: 1.23.0
Fix Version/s: 1.24.1

Type: Bug Priority: Major - P3
Reporter: Nils Dehn Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 7 Enterprise SP1
running in an Active Directory domain forest


Attachments: PNG File image-2020-11-11-11-47-33-584.png     PNG File image-2020-11-11-11-48-37-293.png     PNG File image-2020-11-11-11-50-32-520.png     PNG File image-2020-11-11-11-51-40-723.png    
Documentation Changes: Not Needed

 Description   

Problem Description

When logging in with Kerberos, error messages on token validity show up, which differ depending on whether a URL or explicit parametrization is used. The app is then non-functional. Despite the error message, the embedded MongoDB shell seems to work. Issuing a valid command through the shell and refreshing the data makes the app behave normally.

Steps to Reproduce

When logging in from the New Connection screen with the URL

mongodb://<user>%40<REALM>:@mongodb:27017/?gssapiServiceName=mongodb&authMechanism=GSSAPI&readPreference=primary&authSource=%24external&appname=MongoDB%20Compass&ssl=false

it shows "AcquireCredentialsHandle: The token supplied to the function is invalid"

When then switching to "Fill in connection fields" and connecting from there, the screen switches to normal view with the error message "An error occurred while loading navigation: InitializeSecurityContext: The token supplied to the function is invalid" on top.

However, MongoSH Beta at the bottom is in fact connected.

View -> reload data

has no effect

Issuing a valid command in MongoSH and after that retrying

View -> reload data

populated the upper part of the screen and the app works as expected from then on.

Expected Results

login via url or parameters should behave the same

login with valid Kerberos credentials should work

Actual Results

login via url or parameters behaves differently

login with valid Kerberos credentials only works in the embedded shell

Additional Notes

I verified the correct Kerberos setup on the server side with a mongosh connection from a Linux machine using GSSAPI. Also, the server log indicates that the GSSAPI handshake with Compass did complete.



 Comments   
Comment by Nils Dehn [ 18/Nov/20 ]

Hi Maurizio,

I have now tested with 1.24.0-beta.0 and that works much better. No more error messages. I will use it now for some days to check stability.

Two remarks though for Windows Kerberos:

  • the Password field should be hidden. By definition it needs to be empty.
  • the Username field should be optional and when empty default to the logged-in Kerberos Principal Name. Windows knows it anyway.

 

Thanks for your support

 

Comment by Maurizio Casimirri [ 11/Nov/20 ]

Hi mail@nils-dehn.de, thanks for reporting this. Does it happen with 1.24.0-beta.0? 1.24.0-beta.0 contains some fixes for Kerberos.
