Docs Menu

Docs HomeMongoDB Compass

Authentication Connection Tab

On this page

  • Procedure

The Authentication tab allows you to connect to deployments that require authentication. To learn about authentication mechanisms within MongoDB, see Authentication Mechanisms.

New Advanced Connection Options

Select your authentication method from the following options:

Provide the following information:

  • Username

  • Password

  • (Optional) Authentication Database

  • Authentication Mechancism:

    • Default

      The Default setting selects the first authentication mechanism supported by the server according to an order of preference.

      With the Default setting, MongoDB tries to authenticate using the following mechanisms in the order they are listed:

      1. SCRAM-SHA-256

      2. SCRAM-SHA-1

      3. MONGODB-CR

    • SCRAM-SHA-1

    • SCRAM-SHA-256

Select X.509 if the deployment uses X.509 as its authentication mechanism.


X.509 Authentication requires a client certificate. To enable TLS and add a client certificate, see the TLS / SSL tab in Compass.

Select Kerberos if the deployment uses Kerberos as its authentication mechanism.

Provide the following information:

Every participant in the authenticated communication is known as a "principal", and every principal must have a unique name.
(Optional) Service Name
Every MongoDB mongod and mongos instance (or exe or exe on Windows) must have an associated service name. The default is mongodb.
(Optional) Canonicalize Host Name
Kerberos uses the canonicalized form of the host name (cname) when constructing the principal for MongoDB Compass.
(Optional) Service Realm

The service realm is the domain over which a Kerberos authentication server has the authority to authenticate a user.

If you choose to Canonicalize Host Name, you can specify one of the following options:

The driver does a cname lookup on the kerberos hostname.
Forward and Reverse
Performs a forward DNS lookup and then a reverse lookup on that value to canonicalize the hostname.

For more information on principal name canonicalization in Kerberos, see this RFC document.

(Optional) Provide password directly
Used to verify your identity.

When you authenticate with Kerberos on Windows, the Principal you specify must match the principal of the security context that Compass is running. Normally, this is the logged-in user who is running Compass.

To authenticate as a different Kerberos user, run MongoDB Compass as the chosen user and specify the Principal for that user. To run MongoDB Compass as a different user, either:

  • Hold Shift and right-click the MongoDB Compass program icon to select Run as a different user.

  • Use the runas command-line tool. For example, the following command runs MongoDB Compass as a user named admin:

    runas /profile /user:mymachine\admin <path to MongoDB Compass>

After you start MongoDB Compass as the chosen user, to authenticate against your Kerberos-enabled MongoDB deployment, specify the Principal for the corresponding user.

Select LDAP if the deployment uses LDAP as its authentication mechanism.

Provide the following information:

  • Username

  • Password

Select AWS IAM if the deployment uses AWS IAM as its authentication mechanism.

The following fields are optional as they can be defined on your platform using their respective AWS IAM environment variables. MongoDB Compass will use these environment variable values to authenticate; you do not need to specify them in the connection string.

  • (Optional) AWS Access Key Id

  • (Optional) AWS Secret Access Key

  • (Optional) AWS Session Token



See also:

To disconnect from your deployment, see Disconnect from MongoDB.

←  General Connection TabTLS / SSL Connection Tab →

On this page

Share Feedback
© 2023 MongoDB, Inc.


  • Careers
  • Investor Relations
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2023 MongoDB, Inc.