Recently I had to configure Kerberos authentication for MongoDB in a Windows environment. The configuration in this case:
- MongoDB 3.0
- On Windows 2012 R2 VM
- Active Directory as KDC (Key Distribution Center)
On the MongoDB website you will find a proper manual on how to configure this, and you can follow that manual to set it up. However, there is a small catch which took me quite a while to troubleshoot.
Because I was planning to configure a replica set on the same VM for testing purposes, I registered the MongoDB instances as Windows services. To make sure I could distinguish the MongoDB services, I gave each service a different name. So in my case:
- Service name: MongoDB_ServiceName_rs0
- Display name: MongoDB ServiceName rs0
where I varied the number at the end. I asked the Active Directory team to register the SPN accordingly, as mentioned on the MongoDB website. So I gave them the following command:
setspn.exe -A MongoDB_ServiceName_rs0/SERVERNAME.domain.corp DOMAIN\service_account
However, after the SPN had been registered in this way, I still was not able to use Kerberos authentication. When trying to authenticate against the MongoDB instance, I received the following error:
Error: SASL(-1): generic failure: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable
After quite a lot of troubleshooting we eventually figured out, by capturing the traffic with Wireshark, that the SPN was not properly named: the service class had to be mongodb (the name the Kerberos client requests) instead of MongoDB_ServiceName_rs0. After registering the SPN in the right way I was able to authenticate with Kerberos. To register it properly, use the following command:
setspn.exe -A mongodb/servername.domain.corp domain\service_account
So make sure you register the SPN in the right way.
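One way to catch this before enabling authentication is to check from PowerShell that the SPN the client will actually ask for (service class mongodb plus the server FQDN) is present on the service account, and that no SPN with a custom service class or a duplicate registration is lurking. This is an added example, not part of the original post; DOMAIN\service_account and servername.domain.corp are placeholders, and the parsing of setspn.exe output is a heuristic based on its usual text layout.

```powershell
# Added example (not from the original post): verify the MongoDB Kerberos SPN
# before enabling authentication. Placeholders: DOMAIN\service_account and
# servername.domain.corp. Parsing of setspn.exe output is a heuristic.
function Test-MongoDbSpn {
    param(
        [Parameter(Mandatory)] [string] $Account,   # e.g. 'DOMAIN\service_account'
        [Parameter(Mandatory)] [string] $HostFqdn,  # e.g. 'servername.domain.corp'
        [string] $ServiceClass = 'mongodb'          # service class the client requests by default
    )
    $expected = "$ServiceClass/$HostFqdn"

    # setspn -L lists the SPNs registered on the account, one per indented line.
    $registered = setspn.exe -L $Account |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }

    # SPN matching in AD is case-insensitive, as is PowerShell's -contains.
    $hasExpected = @($registered) -contains $expected

    # SPNs for this host under another class (e.g. MongoDB_ServiceName_rs0/...) are
    # never requested by the client, so they will not yield a service ticket.
    $wrongClass = @($registered | Where-Object {
        $_ -like "*/$HostFqdn" -and $_ -notlike "$ServiceClass/*"
    })

    # setspn -Q searches the forest; the same SPN on two accounts also breaks Kerberos.
    # Heuristic: each matching account is printed as a line starting with 'CN='.
    $queryOutput = setspn.exe -Q $expected
    $duplicate = @($queryOutput | Where-Object { $_ -match '^CN=' }).Count -gt 1

    [pscustomobject]@{
        Expected   = $expected
        Registered = $hasExpected
        WrongClass = $wrongClass
        Duplicate  = $duplicate
    }
}

$result = Test-MongoDbSpn -Account 'DOMAIN\service_account' -HostFqdn 'servername.domain.corp'
if (-not $result.Registered) {
    # -S adds the SPN only if it is not already registered elsewhere in the forest.
    Write-Warning "Missing $($result.Expected); register it with: setspn.exe -S $($result.Expected) DOMAIN\service_account"
}
if ($result.WrongClass.Count -gt 0) {
    Write-Warning "SPNs with a non-default service class: $($result.WrongClass -join ', ')"
}
if ($result.Duplicate) {
    Write-Warning "$($result.Expected) is registered on more than one account"
}
```

The service class only needs to differ from mongodb if the server or driver has been explicitly configured with another Kerberos service name; with a default setup, mongodb/<FQDN> is what must exist.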