[SERVER-45050] Change Windows Kerberos client to use default credentials when no password is specified
Created: 10/Dec/19  Updated: 29/Oct/23  Resolved: 12/Dec/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.2.3, 4.0.18, 3.6 Required

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
is related to DRIVERS-2180 Kerberos on Windows should not pass u... Implementing
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.2, v4.0, v3.6
Sprint: Security 2019-12-30
Participants:
Case:

 Description   

The Windows Kerberos client calls AcquireCredentialsHandle with a populated SEC_WINNT_AUTH_IDENTITY even when the user provides no password. In some customer setups, AcquireCredentialsHandle returns SEC_E_NO_CREDENTIALS as a result because the mongo client is asking for Windows to return something other than the default credentials.

While I cannot repro this issue locally, we have confirmed with the customers that if AcquireCredentialsHandle is called without SEC_WINNT_AUTH_IDENTITY, then clients can successfully connect. Both a patched shell and the node.js driver can successfully connect in these cases.

The fix is to not pass SEC_WINNT_AUTH_IDENTITY to AcquireCredentialsHandle unless the user specifies a password.
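
The selection described in the fix, as an added C sketch that is not the MongoDB commit's code: the helper names `select_auth_data` and `acquire_kerberos_cred`, the NULL principal, and treating an empty password as "no password" are assumptions. Off Windows, a stand-in struct replaces the SSPI type so the selection logic still compiles.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h> /* link with secur32.lib */
typedef SEC_WINNT_AUTH_IDENTITY_W auth_identity;
#else
/* Stand-in with the same field names so the selection logic builds off Windows. */
typedef struct {
    wchar_t *User, *Domain, *Password;
    unsigned long UserLength, DomainLength, PasswordLength, Flags;
} auth_identity;
#define SEC_WINNT_AUTH_IDENTITY_UNICODE 0x2
#endif

/* Hypothetical helper: decide what to pass as pAuthData.
 * No user or no password (NULL or empty, an assumption of this sketch) -> NULL,
 * which asks SSPI for the logon session's default credentials.
 * Otherwise fill *id and return it. */
static auth_identity *select_auth_data(wchar_t *user, wchar_t *password,
                                       auth_identity *id) {
    if (user == NULL || password == NULL || password[0] == L'\0')
        return NULL;
    memset(id, 0, sizeof(*id));
    id->User = (void *)user;
    id->UserLength = (unsigned long)wcslen(user);
    id->Password = (void *)password;
    id->PasswordLength = (unsigned long)wcslen(password);
    id->Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; /* lengths are in characters */
    return id;
}

#ifdef _WIN32
/* Outbound Kerberos credential handle; explicit identity only with a password. */
static SECURITY_STATUS acquire_kerberos_cred(wchar_t *user, wchar_t *password,
                                             CredHandle *cred) {
    auth_identity id;
    TimeStamp expiry;
    return AcquireCredentialsHandleW(NULL, (LPWSTR)L"Kerberos",
                                     SECPKG_CRED_OUTBOUND, NULL,
                                     select_auth_data(user, password, &id),
                                     NULL, NULL, cred, &expiry);
}
#endif
```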



 Comments   
Comment by Githook User [ 27/Mar/20 ]

Author:

{'name': 'Mark Benvenuto', 'username': 'markbenvenuto', 'email': 'mark.benvenuto@mongodb.com'}

Message: SERVER-45050 Change Windows Kerberos client to use default credentials when no password is specified
Branch: v4.0
https://github.com/mongodb/mongo/commit/a04ac059ae692aadc28ba77e61c97a23d0ed2069

Comment by Githook User [ 17/Dec/19 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-45050 Change Windows Kerberos client to use default credentials when no password is specified

(cherry picked from commit 9da59000b4a36e2a2cfeb92e201cf32b4f863299)
Branch: v4.2
https://github.com/mongodb/mongo/commit/715ef3d29d91112291fb44064637f5264534b10b

Comment by Githook User [ 12/Dec/19 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-45050 Change Windows Kerberos client to use default credentials when no password is specified
Branch: master
https://github.com/mongodb/mongo/commit/9da59000b4a36e2a2cfeb92e201cf32b4f863299
