Unable to authenticate using kerberos

Hello,

I have the following MongoDB setup.

MongoDB Enterprise Edition v4.2 running on Red Hat Linux 7.
Our KDC is on Windows, and we have registered the SPN as necessary.

We are trying to set up Kerberos authentication to connect to MongoDB. I followed all the required steps, but when I try to execute db.auth({…}) I get the following error in the mongo logs. Can you please help with what I could be missing?

2021-06-23T12:15:23.075-0500 E  ACCESS   [conn7] GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Request ticket server mongodb/lnadoo40004.ntrs.com@CITADELSOLUTIONS.COM kvno 6 found in keytab but not with enctype rc4-hmac)
2021-06-23T12:15:23.079-0500 E  ACCESS   [conn7] Was not able to acquire principal id from Cyrus SASL: -6
2021-06-23T12:15:23.079-0500 I  ACCESS   [conn7] SASL GSSAPI authentication failed for  on $external from client 10.41.27.127:44533 ; AuthenticationFailed: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
2021-06-23T12:15:23.079-0500 E  ACCESS   [conn7] Was not able to acquire principal id from Cyrus SASL: -6
2021-06-23T12:15:23.128-0500 E  ACCESS   [conn7] GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Request ticket server mongodb/lnadoo40004.ntrs.com@CITADELSOLUTIONS.COM kvno 6 found in keytab but not with enctype rc4-hmac)
2021-06-23T12:15:23.132-0500 E  ACCESS   [conn7] Was not able to acquire principal id from Cyrus SASL: -6
2021-06-23T12:15:23.132-0500 I  ACCESS   [conn7] SASL GSSAPI authentication failed for  on $external from client 10.41.27.127:44533 ; AuthenticationFailed: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
2021-06-23T12:15:23.132-0500 E  ACCESS   [conn7] Was not able to acquire principal id from Cyrus SASL: -6

Thanks
Ranjith

Hi,

I am not sure about your exact Windows setup, but in my Windows Server 2019 environment I have to do these two things for the MongoDB service account (I named it svc_mongodb):

  1. I needed to make sure that, when running ktpass.exe, I explicitly set the kvno parameter to 2.
    ktpass /out mongodb-svr.keytab /princ mongodb/mongodb-svr.mydomain.com@MYDOMAIN.COM /mapuser svc_mongodb /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /kvno 2 /pass SomePassword

  2. I needed to check both AES encryption options for the user.

Of course, all of this is assuming that the SPN is registered correctly.
Just use setspn -Q <the_SPN_definition> to verify whether the registered SPN is already correct.

Also, it looks like your server’s FQDN has a different domain than the Kerberos realm (i.e., ntrs.com vs CITADELSOLUTIONS.COM).
Just make sure that it is the correct configuration for your environment.

Hope that helps.
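The check behind the error in the question, as an added example that is not code from this thread or from MongoDB: a POSIX shell script that parses the krb5 minor-code text out of the mongod log line and the `klist -ket` listing of the server keytab, then reports whether the keytab holds the principal, the kvno and the enctype the KDC used for the service ticket. The hostnames, realm, keytab path and both sample inputs are constructed placeholders. The alias table is an assumption based on MIT krb5 naming: `klist` prints long enctype names (aes256-cts-hmac-sha1-96, arcfour-hmac) while the error text uses short aliases (rc4-hmac), so the two have to be normalized before comparing.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares the enctype named in a
# mongod GSSAPI error against what the keytab actually holds.
# Hostnames, realm and keytab path are hypothetical placeholders.

# Constructed `klist -ket /etc/mongodb.keytab` output for an AES-only keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/mongodb.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   6 06/22/21 10:01:12 mongodb/db01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   6 06/22/21 10:01:12 mongodb/db01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed mongod log line, modelled on the error in the post.
SAMPLE_LOG='2021-06-23T12:15:23.075-0500 E  ACCESS   [conn7] GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Request ticket server mongodb/db01.example.com@EXAMPLE.COM kvno 6 found in keytab but not with enctype rc4-hmac)'

# Pull principal, kvno and ticket enctype out of the krb5 minor-code text.
ticket_principal() { printf '%s\n' "$1" | sed -n 's/.*Request ticket server \([^ ]*\) kvno .*/\1/p'; }
ticket_kvno()      { printf '%s\n' "$1" | sed -n 's/.* kvno \([0-9][0-9]*\) found in keytab.*/\1/p'; }
ticket_enctype()   { printf '%s\n' "$1" | sed -n 's/.*not with enctype \([^)]*\)).*/\1/p'; }

# Assumed MIT krb5 aliases: klist prints the long name, the error text the short one.
canon_enctype() {
  case "$1" in
    rc4-hmac|arcfour-hmac|arcfour-hmac-md5)        echo rc4-hmac ;;
    aes256-cts|aes256-sha1|aes256-cts-hmac-sha1-96) echo aes256-sha1 ;;
    aes128-cts|aes128-sha1|aes128-cts-hmac-sha1-96) echo aes128-sha1 ;;
    aes256-sha2|aes256-cts-hmac-sha384-192)         echo aes256-sha2 ;;
    aes128-sha2|aes128-cts-hmac-sha256-128)         echo aes128-sha2 ;;
    *) echo "$1" ;;
  esac
}

# keytab_enctypes KLIST_OUTPUT PRINCIPAL KVNO -> enctypes the keytab holds for
# that principal at that kvno, space-separated as klist prints them (empty if none).
keytab_enctypes() {
  printf '%s\n' "$1" | awk -v p="$2" -v k="$3" '
    $1 == k && $4 == p { gsub(/[()]/, "", $5); s = s (s == "" ? "" : " ") $5 }
    END { print s }'
}

# diagnose KLIST_OUTPUT LOGLINE -> exit 0 if the keytab covers the ticket enctype,
# 1 if principal/kvno are present but only with other enctypes (the case in the post),
# 2 if principal/kvno are not in the keytab at all (kvno or SPN problem, not enctype).
diagnose() {
  princ=$(ticket_principal "$2"); kvno=$(ticket_kvno "$2"); want=$(ticket_enctype "$2")
  have=$(keytab_enctypes "$1" "$princ" "$kvno")
  if [ -z "$have" ]; then
    printf 'missing: %s kvno %s is not in the keytab; regenerate it with the kvno the KDC has\n' "$princ" "$kvno"
    return 2
  fi
  wantc=$(canon_enctype "$want")
  for e in $have; do
    if [ "$(canon_enctype "$e")" = "$wantc" ]; then
      printf 'ok: keytab has %s for %s kvno %s; the keytab is not the problem\n' "$e" "$princ" "$kvno"
      return 0
    fi
  done
  printf 'mismatch: ticket was issued with %s but keytab has only: %s; enable AES on the service account so the KDC issues AES tickets\n' "$want" "$have"
  return 1
}

# Stand-alone run against the constructed samples. In production pass
# "$(klist -ket /etc/mongodb.keytab)" and the offending line grepped from the mongod log.
diagnose "$SAMPLE_KLIST" "$SAMPLE_LOG" || echo "exit status $?"
```

A `mismatch` result with an AES-only keytab and an rc4-hmac ticket means the KDC encrypted the service ticket with RC4 because the service account is not flagged as AES-capable; ticking the two AES boxes on the account (equivalently `Set-ADUser svc_mongodb -KerberosEncryptionType AES128,AES256`), re-running ktpass so the key and kvno in the keytab match what the KDC now holds, and restarting mongod resolves it. Clients may still hold a cached RC4 service ticket after the account change, so `kdestroy` and `kinit` again before retrying `db.auth`. Regenerating the keytab with `/crypto RC4-HMAC-NT` would also turn the result into `ok`, but it keeps RC4 in use for this service and is not the fix to prefer.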