“BadValue: SCRAM-SHA-256 authentication is disabled”

Hey Jason,
we experience the same thing. MMS-Automation fails to connect 100% of the time. And our developers can’t connect, while I can using the same connection string and program (MongoDB Compass).
Every time it failed it was because of “BadValue: SCRAM-SHA-256 authentication is disabled”.

I am rather new to mongo and specifically atlas. I tried to find the version of the drivers but I was able to find a way to get it. The cluster is Mongo version 6.0.1 and my Compass version is 1.33.0 (stable).

MMS-Automation fails to connect 100% of the time. And our developers can’t connect, while I can using the same connection string and program (MongoDB Compass).
Every time it failed it was because of “BadValue: SCRAM-SHA-256 authentication is disabled”.

I believe the MMS-Automation connection failure you have mentioned may not necessarily be a connection failure. As described in the linked post for this topic:

The source of this message is that mms-automation user initially attempts authentication using SCRAM-SHA-256 which Atlas doesn’t support, causing the “BadValue: SCRAM-SHA-256 authentication is disabled” message, before falling back to SCRAM-SHA-1.

Would you be able to provide a screenshot of that particular error message from Compass?

Additionally, could you describe the steps you’re using to connect via Compass?

I have tried connecting through the internet using the same Compass version to my own test cluster and was not able to reproduce what you are seeing (No BadValue: SCRAM-SHA-256 message + no connection failure).

Regards,
Jason

1 Like

:thinking: Please correct me if I’m wrong, SCRAM-SHA-256 is the default authentication method for MongoDB community edition starting in version 4.0 (since SHA-256 is more reliable and secure than SHA-1) but not for MongoDB Atlas? And therefore, since I’m using the latest node driver, it tries the default SHA-256 authentication but since Atlas does not support it, it then falls back to SHA-1?

Hi @Amanda_van_Zyl - Firstly, welcome to the community :slight_smile:

SCRAM-SHA-256 is the default authentication method for MongoDB community edition starting in version 4.0

SCRAM is the default authentication mechanism for MongoDB. You can set the authenticationMechanisms used as part of the Server Parameters.

since I’m using the latest node driver, it tries the default SHA-256 authentication but since Atlas does not support it, it then falls back to SHA-1?

Atlas does not yet support the SCRAM-SHA-256 authentication mechanism. Please refer to the MongoDB Node.JS driver Authentication Mechanisms documentation for more information regarding the DEFAULT auth mechanism.

I would also go over some details of one of my replies to another post noted in the BadValue: SCRAM-SHA-256 authentication is disabled post as well which you may find useful.

Regards,
Jason

1 Like

Hey @Jason_Tran

Thanks for your reply. My question was rather regarding my concern that Atlas is not supporting it, when the community edition does (also, the drivers default to SHA256). From a security perspective, shouldn’t it be a concern?

1 Like

MongoDB Atlas is secure by default and complies with multiple security certification standards and is regularly audited for compliance.

As mentioned in the linked post in my previous reply, MongoDB authentication protocols do not use SHA-1 as a raw hash function for passwords or digital signatures, but rather as an HMAC construction in, e.g., SASL SCRAM-SHA-1. While many common uses of SHA-1 have been deprecated or sunset by standards organizations, these do not typically apply to HMAC functions. As of February 2022, there are no known preimage attacks against HMAC-SHA-1 generally or SCRAM-SHA-1 specifically, over a secure TLS network connection (which is required on Atlas). Current controlling NIST guidance confirms this:

“For non-digital-signature applications, the use of SHA-1 is acceptable for applications that do not require collision resistance” (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf#page23)

“[A]gencies may use SHA-1 for the following applications: […] generating and verifying hash-based message authentication codes (HMACs), key derivation functions (KDFs), and random bit/number generation.” (Hash Functions | CSRC)

2 Likes

But this is quite confusing, isn’t it?


Regenerated passwords for other users and still getting the “BadValue: SCRAM-SHA-256 authentication is disabled” error. :person_shrugging: