Docs Menu
Docs Home
/
Languages
/
C#/.NET
/
C#/.NET
/
Fundamentals
/
Authentication

Kerberos (GSSAPI)

On this page

  • Overview
  • Code Placeholders
  • Using GSSAPI Authentication in Your Application
  • Additional Properties
  • API Documentation

Overview

The Generic Security Services API (GSSAPI) authentication mechanism allows you to use your principal name to authenticate to a Kerberos service. You can use this mechanism only when authenticating to MongoDB Enterprise Advanced.

Code Placeholders

The code examples on this page use the following placeholders:

  • <username>: Your URL-encoded principal name. For example: "username%40REALM.ME"

  • <password>: Your Kerberos user's password.

  • <hostname>: The network address of your MongoDB deployment.

  • <port>: The port number of your MongoDB deployment. If you omit this parameter, the driver uses the default port number (27017).

To use the code examples on this page, replace these placeholders with your own values.

Using GSSAPI Authentication in Your Application

You can specify the GSSAPI authentication mechanism and supply your Kerberos credentials either by using a MongoCredential object or as part of the connection string. Select the Connection String or MongoCredential tab to see the corresponding syntax:

var mongoClient = new MongoClient(
   "mongodb://<username>:<password>@<hostname>[:<port>]/?authMechanism=GSSAPI");
var credential = MongoCredential.CreateGssapiCredential("<username>", "<password>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

Tip

Omitting the Password

You can omit the password parameter if either of the following is true:

  • On Windows, the process owner running the application is the same as the user needing authentication.

  • On Linux, the user has initialized their keytab via kinit username@REALM.COM.

Additional Properties

You can include the following GSSAPI configuration options in either your connection string or your MongoCredential object.

Fully Qualified Domain Name

The following example shows how to use the DNS server to retrieve the fully qualified domain name of the host:

var mongoClient = new MongoClient(
   "mongodb://<username>:<password>@<hostname>[:<port>]/?authMechanism=GSSAPI&" +
   "authMechanismProperties=CANONICALIZE_HOSTNAME:true");
var credential = MongoCredential.CreateGssapiCredential("<username>", "<password>");
credential = credential.WithMechanismProperty("CANONICALIZE_HOST_NAME", "true");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

Realm

The following example shows how to specify the user's realm when it is different from the service's realm. Replace the <user's realm> placeholder with the realm of the Kerberos user.

var mongoClient = new MongoClient(
   "mongodb://<username>:<password>@<hostname>[:<port>]/?authMechanism=GSSAPI&" +
   "authMechanismProperties=SERVICE_REALM:<user's realm>");
var credential = MongoCredential.CreateGssapiCredential("<username>", "<password>");
credential = credential.WithMechanismProperty("SERVICE_REALM", "<user's realm>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

Service Name

The following example shows how to specify the service name when it is not the default mongodb. Replace the <service name> placeholder with the name of the service.

var mongoClient = new MongoClient(
   "mongodb://<username>:<password>@<hostname>[:<port>]/?authMechanism=GSSAPI&" +
   "authMechanismProperties=SERVICE_NAME:<service name>");
var credential = MongoCredential.CreateGssapiCredential("<username>", "<password>");
credential = credential.WithMechanismProperty("SERVICE_NAME", "<service name>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

Multiple Properties

The following example shows how to specify multiple authentication mechanism properties:

var mongoClient = new MongoClient(
   "mongodb://<username>:<password>@<hostname>[:<port>]/?authMechanism=GSSAPI&" +
   "authMechanismProperties=SERVICE_NAME:<service name>,SERVICE_REALM:<user's realm>");
var credential = MongoCredential.CreateGssapiCredential("<username>", "<password>");
credential = credential
   .WithMechanismProperty("SERVICE_REALM", "<user's realm>")
   .WithMechanismProperty("SERVICE_NAME", "<service name>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

API Documentation

To learn more about any of the methods or types discussed on this page, see the following API documentation:

Back

LDAP (PLAIN)

Next

Aggregation