0

I have set up Active Directory with Kerberos authentication on Windows Server 2012 R2 and set up a MongoDB server on a second machine. I started MongoDB with GSSAPI authentication. Now, if I try to connect to MongoDB using the following command:

mongo.exe --host Mongo32Test.ihubtest.com.com --authenticationMechanism=GSSAPI --authenticationDatabase=$external -u mongoService@ihubtest.com --verbose

I am getting the following message.

Error: SASL(-1): generic failure: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable

I have installed wireshark and the packet contains this message

"KRB5 167 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"

Searching around, I figured that it is related to the service principal name.
mongoService@ihubtest.com is a domain user and is part of the $external database in MongoDB.

I verified the service principal name, and it looks fine.

C:>setspn -l mongoService
Registered ServicePrincipalNames for CN=mongo Service,CN=Users,DC=ihubtest,DC=com:
mongodb/Mongo32test.ihubtest.com@IHUBTEST.COM

I tried the troubleshooting steps mentioned on this page (https://docs.mongodb.com/manual/tutorial/troubleshoot-kerberos/). Am I missing something in the Active Directory configuration?

Rajesh Kumar

2 Answers

1

If you have not yet looked into it, the MongoDB team has a closed ticket with some steps:

https://jira.mongodb.org/browse/SERVER-13885

0

I believe you misquoted your hostname as "Mongo32Test.ihubtest.com.com" instead of "Mongo32Test.ihubtest.com".

Please verify whether the provided hostname is correct or not.

pavanbvns
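The hostname check suggested in the answer above can be scripted. This is an added example, not code from the thread or from MongoDB: it parses `setspn -l` output and compares it with the SPN a client would request for a given `--host` value. It assumes the client asks for `mongodb/<host>` (the default service name) and compares service and host only, ignoring case and any `@REALM` suffix; the function names are hypothetical.

```python
import re

# Constructed sample: `setspn -l mongoService` output in the shape shown in the question.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=mongo Service,CN=Users,DC=ihubtest,DC=com:
        mongodb/Mongo32test.ihubtest.com@IHUBTEST.COM
"""

def parse_spns(setspn_output):
    """Return the SPNs listed by `setspn -l`, skipping the header line."""
    spns = []
    for line in setspn_output.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("registered serviceprincipalnames"):
            continue
        if re.fullmatch(r"[^/\s]+/\S+", line):  # service/host with no spaces
            spns.append(line)
    return spns

def normalize(spn):
    """Lower-case; drop an @REALM suffix, a :port and a trailing dot (assumption of this sketch)."""
    service, _, rest = spn.partition("/")
    host = rest.split("@", 1)[0].split(":", 1)[0].rstrip(".")
    return service.lower(), host.lower()

def check_host(host, registered, service="mongodb"):
    """Compare the SPN requested for `host` with the registered SPNs.

    Returns (status, closest_spn): status is "match", "near-miss" or "missing".
    """
    wanted = normalize(f"{service}/{host}")
    known = [normalize(s) for s in registered]
    if wanted in known:
        return "match", None
    # Near miss: same service and one host name is a prefix of the other,
    # e.g. a doubled or dropped domain suffix in the client's --host value.
    for svc, reg_host in known:
        if svc == wanted[0] and (wanted[1].startswith(reg_host) or reg_host.startswith(wanted[1])):
            return "near-miss", f"{svc}/{reg_host}"
    return "missing", None

if __name__ == "__main__":
    spns = parse_spns(SETSPN_OUTPUT)
    for h in ("Mongo32Test.ihubtest.com.com", "Mongo32Test.ihubtest.com"):
        print(h, "->", check_host(h, spns))
```

A "near-miss" or "missing" result means no registered SPN corresponds to the name the client was given, which is consistent with the KDC answering `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN`.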