Core Server / SERVER-13885

Kerberos Authentication on Windows from mongo client only works with FQDN

    • Fully Compatible
    • ALL
    • Using the Mongo command line client supplied in the Windows enterprise build of 2.6.1, connect using Kerberos authentication without supplying a FQDN in the URL.
    • Security 8 08/28/15, Security 9 (09/18/15), Security A 10/09/15

      When authenticating from a Windows 7 2.6.1 enterprise client to a MongoDB 2.4.9 enterprise instance using Kerberos, the connection will only succeed if the FQDN is used in the URL instead of the short host name. Clients on Linux seem unaffected by this problem.

      Example 1 - Using FQDN in the URL and everything works;

      C:\Apps\MongoDB\2.6.1\bin>mongo host10601.intranet.mydomain.com:27118/admin --authenticationDatabase='$external' --authenticationMechanism=GSSAPI --username mclennad@INTRANET.MYDOMAIN.COM
      MongoDB shell version: 2.6.1
      connecting to: host10601.intranet.mydomain.com:27118/admin
      >

      Example 2 - Using short name and get a GSSAPI error;

      C:\Apps\MongoDB\2.6.1\bin>mongo host10601:27118/admin --authenticationDatabase='$external' --authenticationMechanism=GSSAPI --username mclennad@INTRANET.MYDOMAIN.COM
      MongoDB shell version: 2.6.1
      connecting to: host10601:27118/admin
      2014-05-08T18:00:31.602-0400 Error: 17 SASL(-1): generic failure: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable
      at src/mongo/shell/db.js:1210
      exception: login failed

      Example 3 - DNS lookup of short name showing that FQDN is available;

      C:\Apps\MongoDB\2.6.1\bin>nslookup host10601
      Server: host013.mydomain.com
      Address: 10.X.X.X

      Non-authoritative answer:
      Name: host10601.intranet.mydomain.com
      Address: 10.Y.Y.Y

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            david.mclennan@barclays.com David McLennan
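
A client-side guard for the behaviour reported above, as an added example that is not part of the original report or of MongoDB's code: it rewrites a short host name in a mongo shell target to its FQDN before the GSSAPI login is attempted, and refuses to connect if the name cannot be qualified. The function names, the injectable `resolve` lookup and the `CONSTRUCTED_DNS` mapping are assumptions made for illustration; targets are assumed to have the `host[:port][/db]` form used in the report.

```python
import socket

# Constructed sample data: the short name and FQDN that appear in the report.
CONSTRUCTED_DNS = {"host10601": "host10601.intranet.mydomain.com"}


def split_target(target):
    """Split a mongo shell target 'host[:port][/db]' into (host, port, db)."""
    hostport, _, db = target.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("no host in target %r" % target)
    return host, port, db


def is_fqdn(name):
    """True if the name has at least two labels and none of them is empty."""
    labels = (name or "").rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def qualify_target(target, resolve=socket.getfqdn):
    """Return the target with a short host name replaced by its FQDN.

    `resolve` is an assumed, injectable lookup (short name -> FQDN or None).
    """
    host, port, db = split_target(target)
    if not is_fqdn(host):
        fqdn = (resolve(host) or "").rstrip(".")
        # Fail closed: the answer must be qualified and must still name the
        # host that was asked for, so an alias cannot redirect the login.
        if not is_fqdn(fqdn) or fqdn.split(".")[0].lower() != host.lower():
            raise ValueError("cannot qualify host %r (got %r)" % (host, fqdn))
        host = fqdn
    return host + (":" + port if port else "") + ("/" + db if db else "")


def mongo_argv(target, username, resolve=socket.getfqdn):
    """Build the argument list for the shell invocation shown in the report."""
    return ["mongo", qualify_target(target, resolve),
            "--authenticationDatabase", "$external",
            "--authenticationMechanism", "GSSAPI",
            "--username", username]


if __name__ == "__main__":
    print(mongo_argv("host10601:27118/admin",
                     "mclennad@INTRANET.MYDOMAIN.COM", CONSTRUCTED_DNS.get))
```

Passing the returned list to `subprocess.run` avoids shell quoting of `$external`; with the default `socket.getfqdn` resolver the result depends on the client's DNS suffix configuration.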