This bug was introduced recently in 2.13 when the driver added support for dynamically determining which authentication mechanism to use when none is provided. Consider the following sequence of events:

• Replica set created with host names a, b, c
• MongoClient created with seed list a1, b1, c1
• Application thread executes an query against a secondary
• Application thread waits for a secondary
• Monitor thread notifies that a1 is secondary
• Application thread selects the a1 server
• Application thread gets a connection to a1
• Monitor thread notifies that b1 is primary, and hosts list is actually a, b, c. So a1, b1, c1 are removed from the cluster description
• Application thread tries to get a1's server description from the cluster description, assuming that it must still be there, but as it's been removed, it gets null.

Result is:

 
java.lang.NullPointerException
	at com.mongodb.DBPort.authenticate(DBPort.java:367)
	at com.mongodb.DBPort.checkAuth(DBPort.java:402)
	at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:289)
	at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:269)

Workaround:

Use the same host names in the MongoClient seed list as are used in the replica set configuration