September 2, 2015

MONGODB-CR: AuthenticationFailed MONGODB-CR credentials missing in the user document

A while ago I was debugging the following error:
    MONGODB-CR: AuthenticationFailed MONGODB-CR credentials missing in the user document

9 out of 10 times this means the authentication failed because the MongoDB version is not compatible with the authentication method used by the application. As of MongoDB version 3, a new authentication method was introduced, SCRAM-SHA-1. This pushed the challenge-response mechanism (MONGODB-CR) out of its default position.

You can do one of the following:

  1. Downgrade the MongoDB version. I would not recommend this, because you will miss out on bugfixes and it may very well be a bad security decision.
  2. Make the authentication method used by the application compatible with the new MongoDB 3 SCRAM method (Salted Challenge Response Authentication Mechanism). Read more about this here. Note that MONGODB-CR cannot be used any more.
  3. Downgrade the MongoDB authentication schema. This changes the default MongoDB authentication method from SCRAM back to MONGODB-CR.

Edit Authentication Schema

To edit the authentication schema, complete the following steps:
  1. Delete all users.
  2. Log in as admin and remove the users:
    use admin
    db.system.users.remove({})

    OR, per database:
    use DATABASE
    db.runCommand({usersInfo: 1})        // list all users of this database
    db.runCommand({dropUser: "USER"})    // drop a single user
  3. Make sure you are (still) logged in as admin, or have commented out the keyFile setting on each server and restarted the services. Then set the schema version:
    use admin
    var schema = db.system.version.findOne({"_id" : "authSchema"})
    schema.currentVersion = 3
    db.system.version.save(schema)
  4. Now recreate all deleted users.
It is possible to revert to SCRAM by using authSchema version 1.

SCRAM-SHA-1 Authentication

While this can help you solve the problem very fast, the SCRAM-SHA-1 method is superior and the MONGODB-CR method will probably be deprecated in upcoming MongoDB versions.
Why is the SCRAM method so much better? Here are some arguments:
  1. The MONGODB-CR method is not encrypted. All traffic between MongoDB and the application can be read by a potential attacker.
  2. Applications using SCRAM-SHA-1 always send salted and hashed (not plaintext) passwords. An important security factor remains choosing a strong password.