[SERVER-58447] mongo Will Attempt to Connect to System Certificate Store on Windows, Even if File-Based Cert and Key Pair is Used Created: 12/Jul/21  Updated: 16/Oct/23  Resolved: 16/Oct/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.0.18
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Tom Slattery Assignee: Adrian Gonzalez Montemayor
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File mongo.conf
Assigned Teams:
Server Security
Operating System: ALL
Steps To Reproduce:

Run MongoDB with the attached .conf file as a domain user with Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Access to This Computer From the Network set for the user or group, or remove the user from Access this Computer from the Network. These policies will need to be set on the Domain Controller, not the database server, and the Domain Controller and Database Server will need to be separate devices. This has been observed on MongoDB 4.0.18.

Sprint: Security 2023-05-29, Security 2023-06-12, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-10-02, Security 2023-10-16, Security 2023-10-30
Participants:

Description

When running MongoDB v4.0+ under a domain user account, it will attempt to connect to the system certificate store, even if not configured to be used in the .conf file. This will cause the server to make a type 3 connection to the domain controller. If this connection is disallowed by group policy, MongoDB will crash with the following error:

Failed global initialization: InvalidSSLConfiguration: CryptAcquireContextW failed The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation

This does not affect local accounts or the System account.
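The reproduction steps and the description above turn on two things that can be checked directly: whether the service account is denied network logon by user-rights assignment on the domain controller, and whether CryptAcquireContextW, the call named in the error, fails for that account on the database server. The PowerShell below is an added diagnostic written for this ticket, not MongoDB's own code. It assumes secedit and advapi32 are available (any supported Windows), that Part A is run elevated on the machine whose policy matters (the domain controller, per the steps above), and that Part B is run as the mongod account on the database server. The account name `CORP\mongosvc` and the key-container name `SERVER-58447-probe` are constructed placeholders; whether mongod itself creates a named key container when loading a PEM file is an assumption made for the probe, not something the ticket states.

```powershell
# Added diagnostic for SERVER-58447 (not MongoDB's code). Part A needs elevation for
# secedit and reflects the policy of the machine it runs on; Part B exercises the
# CryptAcquireContextW call from the ticket's error under the calling account.

$ErrorActionPreference = 'Stop'

# Part A: does the effective user-rights assignment list the account under the
# network-logon rights named in the ticket? Only direct SID matches are reported;
# compare the listed group SIDs against the account's groups (whoami /groups) too.
function Test-LogonRights([string]$Account) {
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        # Exported lines look like: SeDenyNetworkLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeNetworkLogonRight') {
        $listed = @($rights[$right])
        $direct = $listed -contains $sid
        "{0}: [{1}] direct match for {2}: {3}" -f $right, ($listed -join ', '), $Account, $direct
    }
}

# Part B: P/Invoke the CAPI entry point named in the ticket's error message.
if (-not ('CapiProbe' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class CapiProbe {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CryptAcquireContextW(out IntPtr phProv, string szContainer,
        string szProvider, uint dwProvType, uint dwFlags);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);
}
'@
}

# $Container is left untyped so that $null reaches the native call as NULL, which
# CRYPT_VERIFYCONTEXT requires (a [string] parameter would turn it into "").
function Invoke-CapiProbe($Container, [uint32]$Flags, [string]$Label) {
    $h   = [IntPtr]::Zero
    $ok  = [CapiProbe]::CryptAcquireContextW([ref]$h, $Container, $null, 1, $Flags)  # 1 = PROV_RSA_FULL
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        # After CRYPT_DELETEKEYSET the returned handle is undefined and must not be released.
        if ($Flags -ne 0x10) { [void][CapiProbe]::CryptReleaseContext($h, 0) }
        "$Label : OK"
    } else {
        $msg = (New-Object System.ComponentModel.Win32Exception($err)).Message
        "$Label : FAILED 0x{0:X8} {1}" -f $err, $msg
    }
}

function Test-CapiKeyContainer {
    # An ephemeral context touches no key container; compare it with the named-container
    # calls below, which go through the user's key store (assumption: that is the path
    # most likely to need the user profile and the domain controller).
    Invoke-CapiProbe $null ([uint32]0xF0000000) 'Ephemeral context (CRYPT_VERIFYCONTEXT)'
    $name = 'SERVER-58447-probe'   # constructed placeholder container name
    Invoke-CapiProbe $name ([uint32]0x8)  'Create key container (CRYPT_NEWKEYSET)'
    Invoke-CapiProbe $name ([uint32]0x10) 'Delete key container (CRYPT_DELETEKEYSET)'
}

# Usage (run the part that matches where you are):
#   Test-LogonRights 'CORP\mongosvc'   # elevated, on the domain controller; placeholder account
#   Test-CapiKeyContainer              # as the mongod account, on the database server
```

If Part B reports the same "computer must be trusted for delegation" text that the ticket quotes, the failure is reproducible outside mongod and the account's logon rights on the domain controller (Part A) are the first thing to compare against a working local or System account; if only the named-container calls fail while the ephemeral context succeeds, that narrows it to key-container access rather than CAPI as a whole.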



Comments
Comment by Adrian Gonzalez Montemayor [ 16/Oct/23 ]

I've been trying to reproduce this without any luck. I took the following steps:

  1. I spawned a Windows base 2016 EC2 for a domain controller server
  2. I spawned a Windows base 2016 EC2 for the domain user
  3. Created AD and testuser in domain controller
  4. Added to testuser Deny access to this computer from the network policy
  5. Couldn't log in through RDP using testuser because of the policy so logged in using Administrator
  6. Launched a PowerShell using testuser
  7. Ran the binaries using the provided configuration

The ticket will be closed while we wait for more steps or logs to reproduce.

Comment by Adrian Gonzalez Montemayor [ 26/Sep/23 ]

liam.briggs@aspentech.com Sorry for the delay but can you still provide logs? Thanks

Comment by Liam Briggs [ 18/May/23 ]

I thought this may be caused by using schannel as the SSL provider, but after compiling 4.2 with OpenSSL as the provider I ran into the same issue with the same error.

Comment by Liam Briggs [ 09/May/23 ]

eric.sedor@mongodb.com I'm also facing this issue and have been able to reproduce it on version 4.0.28 and can provide logs.

Comment by Eric Sedor [ 21/Jul/21 ]

Thanks tom.slattery@osii.com, I'll pass this to an appropriate team to consider.

For completeness' sake, can you please upload the full mongod.log file for a failed startup attempt including that error to this secure upload portal? Files uploaded to this portal are visible only to MongoDB employees and are routinely deleted after some time.

Comment by Tom Slattery [ 12/Jul/21 ]

Please note - this can be downgraded in severity. This is not a major defect.

Generated at Thu Feb 08 05:44:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.