/ /

Connect with Kerberos

If you're a MongoDB Enterprise user, you can use Kerberos authentication to connect to your self-managed MongoDB deployments.

To learn more, see Kerberos Authentication on Self-Managed Deployments.

Prerequisites

To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configured Kerberos service principals for MongoDB, and a Kerberos user principal added to MongoDB.

For more information, see the following tutorials:

Configuration Options

To connect to a self-managed MongoDB deployment with Kerberos, configure the following options in your MCP server configuration with the required parameters:

CLI Option Name	OS Environment Variable Name	Type	Necessity	Description
`username`	`MDB_MCP_USERNAME`	string	Required	Kerberos principal name to authenticate as.
`authenticationDatabase`	`MDB_MCP_AUTHENTICATION_DATABASE`	string	Required	Set to `$external` for Kerberos authentication.
`authenticationMechanism`	`MDB_MCP_AUTHENTICATION_MECHANISM`	string	Required	Set to `GSSAPI` to use Kerberos authentication.
`gssapiServiceName`	`MDB_MCP_GSSAPI_SERVICE_NAME`	string	Optional	Specify the name of the service using GSSAPI/Kerberos. Only required if the service does not use the default name of `mongodb`.
`gssapiHostName`	`MDB_MCP_GSSAPI_HOST_NAME`	string	Optional	Specify the hostname of a service using GSSAPI/Kerberos. Only required if the hostname of a machine does not match the hostname resolved by DNS.
`sspiHostnameCanonicalization`	`MDB_MCP_SSPI_HOSTNAME_CANONICALIZATION`	string	Optional	Specifies whether or not to use Hostname Canonicalization. Has the same effect as setting the `CANONICALIZE_HOST_NAME:true\|false` key-pair in the `authMechanismProperties` portion of the connection string. Values include `forwardAndReverse` (performs a forward DNS lookup and then a reverse lookup), `forward`, and `none`.

Back

LDAP

x.509