[CXX-121] Kerberos authentication does not work on Windows 8.1 Created: 06/Mar/14  Updated: 10/Apr/14  Resolved: 07/Mar/14

Status: Closed
Project: C++ Driver
Component/s: None
Affects Version/s: legacy-0.0-26compat-2.6.0-rc1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Kaloian Manassiev Assignee: Unassigned
Resolution: Done Votes: 0
Labels: 26qa, legacy-cxx, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 8.1


Attachments: Text File simple_client_demo_auth.cpp    

 Description   

Attempting to do Kerberos authentication using the C++ client on Windows 8.1 fails at the AcquireCredentialsHandle stage with error "No credentials are available in the security package".

The issue is not reproducible on Windows Server 2012 R2.

The attached sample client app (which will be checked in eventually in the C++ client repo) reproduces the problem.

To build this program on windows, use the following commands from VC++ commands shell (may need to be tweaked for the corresponding environment):

scons --sharedclient --dynamic-windows --release --full  --prefix=C:\amd64ent --use-system-boost --cpppath=C:\boost_1_55_0 --extrapath=C:\openssl,C:\sasl,C:\snmp --libpath=C:\boost_1_55_0\lib64-msvc-[10|11|12].0 --variant-dir=m --use-sasl-client install-mongoclient --64 -j 4 --mute
 
set PATH=%PATH%;C:\x86std\lib;C:\amd64std\lib;C:\x86ent\lib;C:\amd64ent\lib;c:\mongodb
 
cl.exe /nologo /MD /EHsc -Ic:\mongo\src -Ic:\boost_1_55_0 -Ic:\amd64std simple_client_demo_auth.cpp /link /LIBPATH:c:\boost_1_55_0\lib32-msvc-10.0 c:\amd64std\lib\mongoclient.lib



 Comments   
Comment by Kaloian Manassiev [ 07/Mar/14 ]

The problem was in the way I am constructing the authentication BSON object. For the password field, it should say "pwd" and not "password".

BSONObjBuilder b;
b << "mechanism" << argv[2] <<
        "user" << argv[3] <<
        "password" << argv[4] <<
        "clientLogLevel" << 1;

The client code should be fixed to give better messages, if there are invalid elements in the authentication BSON.

Comment by Kaloian Manassiev [ 06/Mar/14 ]

I am testing against MIT KDC sever, so I am not part of domain. The authentication should work when the client host is not logged into a domain.

The same code works on a Windows 2012 server, which is also not joined to a domain (and not a domain controller).

I am not a Kerberos expert, but I suspect the problem might stem from the way we call AcquireCredentialsHandle, passing the principal as NULL, which causes Windows 8.1 to look into the cached credentials instead of using the one passed in on the command line.

Comment by Eric Milkie [ 06/Mar/14 ]

I received that error until I joined my computer to a domain and logged in as a domain user; was that true for your test?

Generated at Wed Feb 07 21:58:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.