Hey Jason,
we experience the same thing. MMS-Automation fails to connect 100% of the time. And our developers can’t connect, while I can using the same connection string and program (MongoDB Compass).
Every time it failed it was because of “BadValue: SCRAM-SHA-256 authentication is disabled”.
I am rather new to MongoDB and specifically Atlas. I tried to find the version of the drivers but wasn’t able to find a way to get it. The cluster is MongoDB version 6.0.1 and my Compass version is 1.33.0 (stable).
MMS-Automation fails to connect 100% of the time. And our developers can’t connect, while I can using the same connection string and program (MongoDB Compass).
Every time it failed it was because of “BadValue: SCRAM-SHA-256 authentication is disabled”.
I believe the MMS-Automation connection failure you have mentioned may not necessarily be a connection failure. As described in the linked post for this topic:
The source of this message is that mms-automation user initially attempts authentication using SCRAM-SHA-256 which Atlas doesn’t support, causing the “BadValue: SCRAM-SHA-256 authentication is disabled” message, before falling back to SCRAM-SHA-1.
Would you be able to provide a screenshot of that particular error message from Compass?
Additionally, could you describe the steps you’re using to connect via Compass?
I have tried connecting through the internet using the same Compass version to my own test cluster and was not able to reproduce what you are seeing (No BadValue: SCRAM-SHA-256 message + no connection failure).
Please correct me if I’m wrong, SCRAM-SHA-256 is the default authentication method for MongoDB community edition starting in version 4.0 (since SHA-256 is more reliable and secure than SHA-1) but not for MongoDB Atlas? And therefore, since I’m using the latest node driver, it tries the default SHA-256 authentication but since Atlas does not support it, it then falls back to SHA-1?
Thanks for your reply. My question was rather regarding my concern that Atlas is not supporting it, when the community edition does (also, the drivers default to SHA-256). From a security perspective, shouldn’t it be a concern?
As mentioned in the linked post in my previous reply, MongoDB authentication protocols do not use SHA-1 as a raw hash function for passwords or digital signatures, but rather as an HMAC construction in, e.g., SASL SCRAM-SHA-1. While many common uses of SHA-1 have been deprecated or sunset by standards organizations, these do not typically apply to HMAC functions. As of February, 2022, there are no known preimage attacks against HMAC-SHA-1 generally or SCRAM-SHA-1 specifically, over a secure TLS network connection (which is required on Atlas). Current controlling NIST guidance confirms this:
“[A]gencies may use SHA-1 for the following applications: […] generating and verifying hash-based message authentication codes (HMACs), key derivation functions (KDFs), and random bit/number generation.” (Hash Functions | CSRC)
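To make the point in the reply above concrete, here is an added example (not code from the thread, from MongoDB, or from any driver) that runs the RFC 5802 SCRAM exchange with the same code for SCRAM-SHA-1 and SCRAM-SHA-256, then simulates the driver negotiation in which the preferred SCRAM-SHA-256 attempt is answered with the "BadValue: … authentication is disabled" message and the client falls back to SCRAM-SHA-1. Note where SHA-1 actually appears: only as the hash inside PBKDF2 and HMAC, never as a raw hash of the password. The fixed nonces, the user "alice" and her password are constructed test data, and the MD5 pre-hash of `user:mongo:password` reproduces the legacy step MongoDB drivers apply before SCRAM-SHA-1 (SASLprep is omitted, so the example assumes ASCII passwords):

```python
"""RFC 5802 SCRAM for SCRAM-SHA-1 and SCRAM-SHA-256, plus mechanism fallback.
Standard library only; all inputs below are constructed example data."""
import base64
import hashlib
import hmac
import secrets

# Hash function used inside HMAC and PBKDF2 for each SASL mechanism.
HASH = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256"}


def _hmac(h, key, msg):
    return hmac.new(key, msg, h).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def scram_password(mechanism, username, password):
    """Bytes the client feeds into SCRAM. MongoDB's SCRAM-SHA-1 reuses the legacy
    hex MD5 of 'user:mongo:password' as the SCRAM password; SCRAM-SHA-256 uses the
    SASLprep'd password (SASLprep skipped here: ASCII passwords assumed)."""
    if mechanism == "SCRAM-SHA-1":
        return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest().encode()
    return password.encode()


def make_credentials(mechanism, username, password, salt=None, iterations=4096):
    """Server-side record: StoredKey and ServerKey derived via Hi() = PBKDF2-HMAC.
    Neither the password nor SaltedPassword is stored on the server."""
    h = HASH[mechanism]
    salt = salt or secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac(h, scram_password(mechanism, username, password), salt, iterations)
    client_key = _hmac(h, salted, b"Client Key")
    return {
        "mechanism": mechanism,
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.new(h, client_key).digest(),
        "server_key": _hmac(h, salted, b"Server Key"),
    }


def scram_exchange(creds, username, password, cnonce="cnonce123", snonce="snonce456"):
    """Run client-first / server-first / client-final / server-final for one user.
    Nonces are fixed only so the example is deterministic; real ones are random.
    Returns (server_accepted_client_proof, client_verified_server_signature)."""
    mech, h = creds["mechanism"], HASH[creds["mechanism"]]
    nonce = cnonce + snonce
    client_first_bare = f"n={username},r={cnonce}"
    server_first = f"r={nonce},s={base64.b64encode(creds['salt']).decode()},i={creds['iterations']}"
    client_final_bare = f"c=biws,r={nonce}"  # c=biws is base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: derive keys from the password, send ClientProof = ClientKey XOR ClientSignature.
    salted = hashlib.pbkdf2_hmac(h, scram_password(mech, username, password),
                                 creds["salt"], creds["iterations"])
    client_key = _hmac(h, salted, b"Client Key")
    stored_key = hashlib.new(h, client_key).digest()
    client_proof = _xor(client_key, _hmac(h, stored_key, auth_message))

    # Server: recover ClientKey from the proof using its StoredKey, then check H(ClientKey).
    recovered = _xor(client_proof, _hmac(h, creds["stored_key"], auth_message))
    accepted = hmac.compare_digest(hashlib.new(h, recovered).digest(), creds["stored_key"])
    if not accepted:
        return False, False

    # Server-final: ServerSignature proves the server holds ServerKey (mutual authentication).
    server_sig = _hmac(h, creds["server_key"], auth_message)
    expected = _hmac(h, _hmac(h, salted, b"Server Key"), auth_message)
    return True, hmac.compare_digest(server_sig, expected)


def authenticate(server_mechanisms, username, password, credential_store,
                 preference=("SCRAM-SHA-256", "SCRAM-SHA-1")):
    """Driver-style negotiation: try the preferred mechanism first and, when the
    server reports it disabled (the BadValue message seen in the thread), fall back.
    Returns (mechanism_that_succeeded_or_None, list_of_(mechanism, outcome))."""
    attempts = []
    for mech in preference:
        if mech not in server_mechanisms:
            attempts.append((mech, f"BadValue: {mech} authentication is disabled"))
            continue
        ok, mutual = scram_exchange(credential_store[mech], username, password)
        attempts.append((mech, "ok" if ok and mutual else "AuthenticationFailed"))
        if ok and mutual:
            return mech, attempts
    return None, attempts


if __name__ == "__main__":
    store = {m: make_credentials(m, "alice", "s3cret", salt=b"0123456789abcdef") for m in HASH}
    print(authenticate({"SCRAM-SHA-1"}, "alice", "s3cret", store))
```

Run as a script it prints the fallback path: the SCRAM-SHA-256 attempt is logged with the "disabled" message and the SCRAM-SHA-1 exchange then succeeds, which is the sequence the reply above attributes to the mms-automation user. The server never sees the password; it sees a proof bound to the nonces and to HMAC over the salted password, so the relevant strength is that of HMAC-SHA-1 and PBKDF2-HMAC-SHA-1 under TLS, not of SHA-1 collision resistance.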