[DRIVERS-2180] Kerberos on Windows should not pass username to SSPI when password is not set
Created: 31/Jan/22  Updated: 21/Aug/23

Status: Implementing
Project: Drivers
Component/s: Authentication
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Anna Henningsen
Assignee: Jeffrey Yemin
Resolution: Unresolved
Votes: 0
Labels: size-small, spec-change
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split to GODRIVER-2307 Kerberos on Windows should not pass u... Backlog
split to RUBY-2906 Kerberos on Windows should not pass u... Backlog
split to CDRIVER-4291 Kerberos on Windows should not pass u... Closed
split to CSHARP-4050 Kerberos on Windows should not pass u... Closed
split to CXX-2451 Kerberos on Windows should not pass u... Closed
split to MOTOR-891 Kerberos on Windows should not pass u... Closed
split to NODE-3982 Kerberos on Windows should not pass u... Closed
split to PHPC-2070 Kerberos on Windows should not pass u... Closed
split to PYTHON-3121 Kerberos on Windows should not pass u... Closed
split to RUST-1181 Kerberos on Windows should not pass u... Closed
split to JAVA-4491 Kerberos on Windows should not pass u... Closed
Related
related to SERVER-45050 Change Windows Kerberos client to use... Closed
Driver Changes: Needed
Downstream Changes Summary:

All drivers should verify this behavior. It's likely that some drivers are already doing the right thing.

Start date:
Driver Compliance:
Key Status/Resolution FixVersion
NODE-3982 Done kerberos-2.0.0
CDRIVER-4291 Fixed 1.24.0, 1.23.6
CXX-2451 Fixed 3.8.0
CSHARP-4050 Done
GODRIVER-2307 Backlog
JAVA-4491 Works as Designed
MOTOR-891 Won't Do
PYTHON-3121 Won't Do
PHPC-2070 Fixed 1.16.0
RUBY-2906 Backlog
RUST-1181 Won't Do
SWIFT-1486 Won't Do

 Description   

Summary

What is the problem or use case, what are we trying to achieve?

Users are not able to connect using Kerberos on Windows when specifying only a username and no password. This is happening because the Node.js driver (and possibly/likely other drivers) differs from the behavior of the legacy shell in this regard, and we think that the legacy shell behavior is the preferable one. Specifically:

If a username without a password is provided, the legacy shell passes that username to the server, but not to the Windows SSPI API, i.e. from SSPI it fetches the credentials of the current user regardless of the specified username. This was an intentional choice as part of SERVER-45050 (compare https://github.com/mongodb/mongo/blob/5bbadc66ed462aed3cc4f5635c5003da6171c25d/src/mongo/client/sasl_sspi.cpp#L182 and https://github.com/mongodb-js/kerberos/blob/b536f1a921985126bb462ae264f94f5a8319d00b/src/win32/kerberos_sspi.cc#L82).

Motivation

Who is the affected end user?

Users of Kerberos authentication on Windows.

How does this affect the end user?

Users don't know why a connection string/set of options that works with the legacy shell does not work with drivers or mongosh.

How likely is it that this problem or use case will occur?

I imagine it's fairly common for the subset of users that use Kerberos on Windows.

If the problem does occur, what are the consequences and how severe are they?

They end up being stumped about being unable to connect.

Is this issue urgent?

Not particularly, but with mongosh fully replacing the legacy shell in the 6.0 server release, it would be good to have this resolved before then.

Is this ticket required by a downstream team?

This is split from MONGOSH-1059.

Is this ticket only for tests?

No.
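
The credential-passing rule from the description, written out as an added C example; it is not code from this ticket, the legacy shell, or any driver. The names `sspi_plan`, `plan_sspi_credentials` and `acquire_from_plan` are hypothetical, treating an empty password the same as a missing one is an assumption, and the SSPI call is compiled only on Windows.

```c
#include <string.h>
/* Hypothetical plan: what is handed to SSPI versus what is sent to the server. */
typedef struct {
    int  use_explicit_identity;   /* 0: pass NULL pAuthData, SSPI uses the current logon session */
    char user[128];               /* filled only when use_explicit_identity == 1 */
    char domain[128];
    const char *password;         /* borrowed pointer, never copied */
    const char *server_principal; /* the name the caller supplied, sent to the server either way */
} sspi_plan;

/* Returns 0 on success, -1 on malformed or oversized input. */
int plan_sspi_credentials(const char *username, const char *password, sspi_plan *out)
{
    memset(out, 0, sizeof *out);
    out->server_principal = username;
    if (password == NULL || password[0] == '\0')   /* assumption: empty counts as "not set" */
        return 0;                                  /* username is NOT forwarded to SSPI */
    if (username == NULL) return -1;               /* a password without a user is unusable */
    const char *at = strrchr(username, '@');       /* split user@REALM for the identity struct */
    size_t ulen = at ? (size_t)(at - username) : strlen(username);
    size_t dlen = at ? strlen(at + 1) : 0;
    if (ulen == 0 || ulen >= sizeof out->user || dlen >= sizeof out->domain)
        return -1;
    memcpy(out->user, username, ulen);             /* buffers were zeroed, so NUL-terminated */
    memcpy(out->domain, at ? at + 1 : "", dlen);
    out->password = password;
    out->use_explicit_identity = 1;
    return 0;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
/* Acquire an outbound Kerberos credential handle according to the plan. */
SECURITY_STATUS acquire_from_plan(const sspi_plan *p, CredHandle *cred)
{
    SEC_WINNT_AUTH_IDENTITY_A id = {0};
    TimeStamp expiry;
    if (p->use_explicit_identity) {
        id.User = (unsigned char *)p->user;         id.UserLength = (unsigned long)strlen(p->user);
        id.Domain = (unsigned char *)p->domain;     id.DomainLength = (unsigned long)strlen(p->domain);
        id.Password = (unsigned char *)p->password; id.PasswordLength = (unsigned long)strlen(p->password);
        id.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    }
    return AcquireCredentialsHandleA(NULL, "Kerberos", SECPKG_CRED_OUTBOUND, NULL,
                                     p->use_explicit_identity ? &id : NULL, NULL, NULL, cred, &expiry);
}
#endif
```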



 Comments   
Comment by Githook User [ 11/Feb/22 ]

Author: Anna Henningsen <anna.henningsen@mongodb.com> (addaleax)

Message: DRIVERS-2180 Clarify Kerberos on Windows credentials passing (#1142)
Branch: master
https://github.com/mongodb/specifications/commit/4faf7f65288344499de8e202d397acf376201f95
