[CSHARP-1052] Connecting to MongoDb via C# Driver with Kerberos Auth and a Keytab Created: 27/Aug/14  Updated: 05/Apr/19  Resolved: 04/Apr/15

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: 2.0
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Sukh Chana Assignee: Unassigned
Resolution: Done Votes: 0
Labels: question
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB service is running on a Red Hat Enterprise Linux box in our internal cloud.

I am trying to connect to it using Kerberos, from a Windows machine.



 Description   

Hi,

I am having trouble connecting to MongoDB using Kerberos authentication.

I have created a keytab and added it to the keytabs folder.

My installation of MongoDB is located at:
/opt/mongodb/

I can generate a token from the Kerberos server using kinit and specifying the keytab located at /opt/mongodb/keytab; this successfully generates a keytab for the FID: ost_linux_mongo/vm-1b98-f53f.nam.nsroot.net

kinit -k -t ost_linux_mongo.keytab ost_linux_mongo/vm-1b98-f53f.nam.nsroot.net

Through the shell, I can then log in to the database using the following command:

./bin/mongo --authenticationMechanism=GSSAPI --authenticationDatabase=\$external -u ost_linux_mongo/vm-1b98-f53f.nam.nsroot.net@NAMUXDEV.DYN.NSROOT.NET vm-1b98-f53f:32017/admin --ssl

The login works without issues.

However, the issue is that when I attempt the same via the Windows machine using the following config:

var credential = MongoCredential.CreateGssapiCredential("ost_linux_mongo/vm-1b98-f53f.nam.nsroot.net@NAMUXDEV.DYN.NSROOT.NET", "pass");

var settings = new MongoClientSettings
{
    Credentials = new[] { credential },
    Server = new MongoServerAddress("vm-1b98-f53f.nam.nsroot.net", 32017),
    UseSsl = true,
    VerifySslCertificate = false,
};

client = new MongoClient(settings);
server = client.GetServer();
return server.GetDatabase("admin");

Initialization method DataStatsTest.MongoDbCrudTest.SetUp threw exception. MongoDB.Driver.MongoConnectionException: MongoDB.Driver.MongoConnectionException: Unable to connect to server vm-1b98-f53f.nam.nsroot.net:32017: Unable to initialize security context. Ensure the username and password are correct.. ---> MongoDB.Driver.Communication.Security.MongoSecurityException: Unable to initialize security context. Ensure the username and password are correct. ---> MongoDB.Driver.Communication.Security.Mechanisms.Sspi.Win32Exception: No authority could be contacted for authentication. The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure..



 Comments   
Comment by Craig Wilson [ 27/Aug/14 ]

Hi Sukh,

On Windows, the .NET driver uses SSPI to handle Kerberos negotiations. As such, there is no keytab on Windows, but rather a username and password. It appears as though you have specified everything correctly via code, but chances are your Windows machine hasn't been set up.

1. Are you running Active Directory or a Linux-based KDC?
2. If you are running Active Directory, is your machine domain joined to NAMUXDEV.DYN.NSROOT.NET?

Craig
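
One way to answer both questions from the Windows client, as an added PowerShell example that is not part of the ticket or the driver. The function name is hypothetical, and the check assumes the realm's KDC is published through _kerberos._tcp DNS SRV records, which Active Directory does and a Linux-based KDC may not.

```powershell
# Added example (not from the ticket or the driver). The realm default is the
# one in the reporter's principal; pass -Realm to check a different one.
function Test-KerberosRealmFromClient {
    param([string]$Realm = 'NAMUXDEV.DYN.NSROOT.NET')

    # Question 2: is this machine domain-joined, and to which domain?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $joined = [bool]$cs.PartOfDomain
    $machineDomain = if ($joined) { $cs.Domain } else { $null }

    # Assumption: the KDC is published as _kerberos._tcp SRV records, as
    # Active Directory does. A Linux-based KDC may not publish them.
    $kdcs = @()
    try {
        $kdcs = @(Resolve-DnsName -Name "_kerberos._tcp.$Realm" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -Property NameTarget, Port)
    } catch {
        Write-Verbose "No SRV records for ${Realm}: $($_.Exception.Message)"
    }

    # The SSPI error text also names an unreachable domain, so probe each
    # advertised KDC over TCP on its published port.
    $reachable = @(foreach ($kdc in $kdcs) {
        if (Test-NetConnection -ComputerName $kdc.NameTarget -Port $kdc.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue) {
            '{0}:{1}' -f $kdc.NameTarget, $kdc.Port
        }
    })

    [pscustomobject]@{
        Realm         = $Realm
        DomainJoined  = $joined
        MachineDomain = $machineDomain
        JoinedToRealm = $joined -and ($machineDomain -ieq $Realm)
        KdcSrvRecords = @($kdcs | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port })
        ReachableKdcs = $reachable
    }
}

Test-KerberosRealmFromClient | Format-List
```

JoinedToRealm compares names only, so it is also false for a machine joined to a different domain than the realm. Empty KdcSrvRecords or ReachableKdcs means the client found no KDC for the realm through DNS.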
