Docs Menu
Docs Home
/ / /
C#/.NET
/

Enterprise Authentication Mechanisms

On this page

  • Overview
  • Authenticate with GSSAPI/Kerberos
  • Additional Properties
  • Authenticate with LDAP (PLAIN)
  • API Documentation

In this guide, you can learn how to authenticate with MongoDB using the authentication mechanisms available only in the MongoDB Enterprise Edition. Authentication mechanisms are processes by which the driver and server confirm the identity of a client to ensure security before connecting.

You can use the following authentication mechanisms with the latest version of MongoDB Enterprise Edition.

To authenticate using another mechanism, see the Authentication Mechanisms fundamentals page. For more information on establishing a connection to your MongoDB cluster, see the Connection Guide.

You can specify your authentication mechanism and credentials when connecting to MongoDB using either of the following methods:

  • A connection string, also known as a connection URI, which is a string that tells the driver how to connect to a MongoDB deployment and how to behave while connected.

  • A factory method for the supported authentication mechanism, contained in the MongoCredential class.

The Generic Security Services API (GSSAPI) authentication mechanism allows the user to authenticate to a Kerberos service using the user's principal name.

The following examples specify the authentication mechanism using the following placeholders:

  • <username>: Your URL-encoded principal name; for example "username%40REALM.ME"

  • <password>: Your Kerberos user's password

  • <hostname>: The network address of your MongoDB server, accessible by your client

Select the Connection String or MongoCredential tab to see the corresponding syntax for specifying the GSSAPI/Kerberos authentication mechanism:

var mongoClient = new MongoClient("mongodb://<username>:<password>@<hostname>/?authMechanism=GSSAPI");
var credential = MongoCredential.CreateGssapiCredential("<username>", "<password>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

Tip

Omitting the Password

You can omit the password if one of the following are true:

  • On Windows, the process owner running the application is the same as the user needing authentication.

  • On Linux, the user has initialized their keytab via kinit username@REALM.COM.

You can specify additional properties with your authentication mechanism using the connection string or a factory method in the MongoCredential class.

The following example shows how to use the DNS server to retrieve the fully qualified domain name of the host:

var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOSTNAME:true");
var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_passwordpassword>");
credential = credential.WithMechanismProperty("CANONICALIZE_HOST_NAME", "true");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

The following example shows how to specify the user's realm when it is different from the service's realm:

var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_REALM:<user's realm>");
var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_password>");
credential = credential.WithMechanismProperty("SERVICE_REALM", "<user's realm>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

The following example shows how to specify the service name when it is not the default mongodb:

var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:<service name>");
var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_password>");
credential = credential.WithMechanismProperty("SERVICE_NAME", "<service name>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

The following example shows how to specify multiple authentication mechanism properties:

var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:<service name>,SERVICE_REALM:<user's realm>");
var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_password>");
credential = credential.WithMechanismProperty("SERVICE_REALM", "<user's realm>")
.WithMechanismProperty("SERVICE_NAME", "<service name>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

You can authenticate to a Lightweight Directory Access Protocol (LDAP) server using your directory-server username and password.

The following examples specify the authentication mechanism using the following placeholders:

  • <username>: Your LDAP username

  • <password>: Your LDAP password

  • <hostname>: The network address of your MongoDB server, accessible by your client

  • <authenticationDb>: The MongoDB database that contains your user's authentication

Select the Connection String or MongoCredential tab to see the corresponding syntax for specifying the LDAP authentication mechanism:

var mongoClient = new MongoClient("mongodb://<username>:<password>@<hostname>/?authSource=<authenticationDb>&authMechanism=PLAIN");
var credential = MongoCredential.CreatePlainCredential("<authenticationDb>", "<username>", "<password>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);

Tip

The method refers to PLAIN instead of LDAP since it authenticates using the PLAIN Simple Authentication and Security Layer (SASL) defined in RFC-4616.

To learn more about any of the methods or types discussed in this guide, see the following API Documentation:

Back

Authentication Mechanisms