MongoDB and Kerberos authentication

Recently I had to configure Kerberos authentication for MongoDB in a Windows environment. The configuration in this case:

  • MongoDB 3.0
  • On Windows 2012 R2 VM
  • Active Directory as KDC (Key Distribution Center)

On the website of MongoDB (here) you’ll find a proper manual how to configure this. So you can follow this manual to configure it. However there is a small catch which took me quite a while to troubleshoot.

Because I was planning to configure a replicaSet on the same VM for testing purposes I registered the MongoDB instances as services in Windows. To make sure I could distinguish the MongoDB services I gave the services all a different name. So in my case:

  • Servicename: MongoDB_ServiceName_rs0
  • Displayname: MongoDB ServiceName rs0

Where I varied the number at the end. I asked the Active Directory team to register the SPN accordingly, like mentioned on the MongoDB website. So I gave them the following command:

setspn.exe -A MongoDB_ServiceName_rs0/SERVERNAME.domain.corp DOMAIN\service_account

However after having registered the SPN in this way, I still wasn’t able to use Kerberos authentication. When trying to authenticate within the MongoDB instance, I received the following error:

Error: SASL(-1): generic failure: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable

After quite a lot of troubleshooting we eventually figured out by capturing the traffic with WireShark that the SPN was not probably named and had to be mongodb instead of MongoDB_ServiceName_rs0. So after registering the SPN in the right way I was able to authenticate with kerberos. For registering it properly use the following command:

setspn.exe -A mongodb/servername.domain.corp domain\service_account

So make sure you register the SPN in the right way.