[SERVER-58447] mongo Will Attempt to Connect to System Certificate Store on Windows, Even if File-Based Cert and Key Pair is Used

Created: 12/Jul/21 Updated: 16/Oct/23 Resolved: 16/Oct/23

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | 4.0.18 |
| Fix Version/s | None |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Tom Slattery |
| Assignee | Adrian Gonzalez Montemayor |
| Resolution | Cannot Reproduce |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Attachments | |
| Assigned Teams | Server Security |
| Operating System | ALL |
| Steps To Reproduce | Run mongoDB with the attached .conf file as a domain user with Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Access to This Computer From the Network set for the user or group, or remove the user from Access this Computer from the Network. These policies will need to be set on the Domain Controller, not the database server, and the Domain Controller and Database Server will need to be separate devices. This has been observed on mongoDB 4.0.18. |
| Sprint | Security 2023-05-29, Security 2023-06-12, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-10-02, Security 2023-10-16, Security 2023-10-30 |
| Participants | |

Description

When running mongoDB v4.0+ under a domain user account, it will attempt to connect to the system certificate store, even if not configured to be used in the .conf file. This will cause the server to make a type 3 connection to the domain controller. If this connection is disallowed by group policy, mongoDB will crash with the following error:

This does not affect local accounts or the System account.
Comments

Comment by Adrian Gonzalez Montemayor [ 16/Oct/23 ]

I've been trying to reproduce this without any luck. I took the following steps:

The ticket will be closed while we wait for more steps or logs to reproduce.

Comment by Adrian Gonzalez Montemayor [ 26/Sep/23 ]

liam.briggs@aspentech.com Sorry for the delay but can you still provide logs? Thanks

Comment by Liam Briggs [ 18/May/23 ]

I thought this may be caused by using schannel as the SSL provider, but after compiling 4.2 with OpenSSL as the provider I ran into the same issue with the same error.
Comment by Liam Briggs [ 09/May/23 ]

eric.sedor@mongodb.com I'm also facing this issue and have been able to reproduce it on version 4.0.28 and can provide logs.

Comment by Eric Sedor [ 21/Jul/21 ]

Thanks tom.slattery@osii.com, I'll pass this to an appropriate team to consider. For completeness' sake, can you please upload the full mongod.log file for a failed startup attempt including that error to this secure upload portal? Files uploaded to this portal are visible only to MongoDB employees and are routinely deleted after some time.
Comment by Tom Slattery [ 12/Jul/21 ]

Please note - this can be downgraded in severity. This is not a major defect.