
Configure MongoDB with Kerberos Authentication on Windows

New in version 2.6.


MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry-standard authentication protocol for large client/server systems. Kerberos allows MongoDB and applications to take advantage of existing authentication infrastructure and processes.


Setting up and configuring a Kerberos deployment is beyond the scope of this document. This tutorial assumes you have configured a Kerberos service principal for each mongod.exe and mongos.exe instance.



Start mongod.exe without Kerberos.

For the initial addition of Kerberos users, start mongod.exe without Kerberos support.

If a Kerberos user is already in MongoDB and has the privileges required to create a user, you can start mongod.exe with Kerberos support.


Connect to mongod.

Connect via the mongo.exe shell to the mongod.exe instance. If mongod.exe has --auth enabled, ensure you connect with the privileges required to create a user.


Add Kerberos Principal(s) to MongoDB.

Add a Kerberos principal, <username>@<KERBEROS REALM>, to MongoDB in the $external database. Specify the Kerberos realm in ALL UPPERCASE. The $external database allows mongod.exe to consult an external source (e.g. Kerberos) to authenticate. To specify the user's privileges, assign roles to the user.

The following example adds the Kerberos principal reportingapp@EXAMPLE.NET with read-only access to the records database:

use $external
db.createUser(
   {
     user: "reportingapp@EXAMPLE.NET",
     roles: [ { role: "read", db: "records" } ]
   }
)

Add additional principals as needed. For every user you want to authenticate using Kerberos, you must create a corresponding user in MongoDB. For more information about creating and managing users, see User Management Commands.


Start mongod.exe with Kerberos support.

You must start mongod.exe as the service principal account.

To start mongod.exe with Kerberos support, set the mongod.exe parameter authenticationMechanisms to GSSAPI:

mongod.exe --setParameter authenticationMechanisms=GSSAPI <additional mongod.exe options>

For example, the following starts a standalone exe instance with Kerberos support:

mongod.exe --auth --setParameter authenticationMechanisms=GSSAPI

Modify or include additional mongod.exe options as required for your configuration.


Connect mongo.exe shell to mongod.exe and authenticate.

Connect the mongo.exe shell client as the Kerberos principal application@EXAMPLE.NET.

You can connect and authenticate from the command line.

Using cmd.exe:

mongo.exe --host <hostname>.<domain> --authenticationMechanism=GSSAPI --authenticationDatabase=$external --username reportingapp@EXAMPLE.NET

Using Windows PowerShell:

mongo.exe --host <hostname>.<domain> --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username reportingapp@EXAMPLE.NET

If you are connecting to a system whose hostname matches the Kerberos name, ensure that you specify the fully qualified domain name (FQDN) for the --host option, rather than an IP address or unqualified hostname.

If you are connecting to a system whose hostname does not match the Kerberos name, use --gssapiHostName to specify the Kerberos FQDN that it responds to.

Alternatively, you can first connect mongo.exe to mongod.exe, and then from the mongo.exe shell, use the db.auth() method to authenticate in the $external database.

use $external
db.auth( { mechanism: "GSSAPI", user: "reportingapp@EXAMPLE.NET" } )

Additional Considerations

Configure mongos.exe for Kerberos

To start mongos.exe with Kerberos support, set the mongos.exe parameter authenticationMechanisms to GSSAPI. You must start mongos.exe as the service principal account:

mongos.exe --setParameter authenticationMechanisms=GSSAPI <additional mongos options>

For example, the following starts a mongos instance with Kerberos support:

mongos.exe --setParameter authenticationMechanisms=GSSAPI --configdb <config1>,<config2>,<config3> --keyFile C:\<path>\mongos.keyfile

Modify or include any additional mongos.exe options as required for your configuration. For example, instead of using --keyFile for internal authentication of sharded cluster members, you can use x.509 member authentication instead.

Assign Service Principal Name to MongoDB Windows Service

Use setspn.exe to assign the service principal name (SPN) to the account running the mongod.exe and the mongos.exe service:

setspn.exe -A <service>/<fully qualified domain name> <service account name>

For example, if mongod.exe runs as a service named mongodb on <hostname>.<domain> with the service account name mongodtest, assign the SPN as follows:

setspn.exe -A mongodb/<hostname>.<domain> mongodtest
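The following PowerShell script is an added example, not part of the MongoDB manual: it checks the prerequisites that the connect step and the SPN section above rely on (FQDN for --host, uppercase realm, SPN registered on the service account) and then launches mongo.exe with GSSAPI authentication, using single quotes so PowerShell does not expand $external. The host name mongo1.example.net is an assumed placeholder; the principal, service name and service account are the page's own example values.

```powershell
# Added example (not from the MongoDB manual). Assumed placeholder: mongo1.example.net.
param(
    [string]$MongoHost      = 'mongo1.example.net',      # FQDN of the mongod.exe host (assumed)
    [string]$Principal      = 'reportingapp@EXAMPLE.NET', # Kerberos principal created in $external
    [string]$ServiceAccount = 'mongodtest',               # account running the mongod.exe service
    [string]$SpnService     = 'mongodb',                  # <service> part of the SPN passed to setspn -A
    [string]$GssapiHostName = ''                          # set only if the Kerberos name differs from $MongoHost
)

# 1. --host must be a fully qualified domain name, not an IP address or an unqualified name.
if ($MongoHost -match '^\d{1,3}(\.\d{1,3}){3}$' -or $MongoHost -notmatch '\.') {
    throw "Use the FQDN for --host, not an IP address or unqualified hostname: '$MongoHost'"
}

# 2. The realm part of the principal must be ALL UPPERCASE, matching the user stored in $external.
$user, $realm = $Principal -split '@', 2
if (-not $realm -or $realm -cne $realm.ToUpperInvariant()) {
    throw "Kerberos realm must be uppercase in the principal: '$Principal'"
}

# 3. Confirm the SPN is registered on the service account; setspn -L lists that account's SPNs.
$kerbHost    = if ($GssapiHostName) { $GssapiHostName } else { $MongoHost }
$expectedSpn = "$SpnService/$kerbHost"
$registered  = & setspn.exe -L $ServiceAccount 2>&1
if (-not ($registered | Where-Object { $_.Trim() -ieq $expectedSpn })) {
    Write-Warning "SPN '$expectedSpn' not found on '$ServiceAccount'. Register it with: setspn.exe -A $expectedSpn $ServiceAccount"
}

# 4. Build the mongo.exe argument list. Single quotes keep PowerShell from treating $external as a variable.
$mongoArgs = @(
    '--host', $MongoHost,
    '--authenticationMechanism=GSSAPI',
    '--authenticationDatabase=$external',
    '--username', $Principal
)
if ($GssapiHostName) { $mongoArgs += '--gssapiHostName', $GssapiHostName }

# 5. Connect. The logged-on user's Kerberos ticket is used, so no password prompt is expected.
& mongo.exe @mongoArgs
```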

Incorporate Additional Authentication Mechanisms

Kerberos authentication (GSSAPI (Kerberos)) can work alongside MongoDB's challenge/response authentication mechanisms (SCRAM-SHA-1 and MONGODB-CR), MongoDB's authentication mechanism for LDAP (PLAIN (LDAP SASL)), and MongoDB's authentication mechanism for x.509 (MONGODB-X509). Specify the mechanisms as follows:

--setParameter authenticationMechanisms=GSSAPI,SCRAM-SHA-1

Only add the other mechanisms if in use. This parameter setting does not affect MongoDB’s internal authentication of cluster members.