GSSAPI Authentication failing on LINUX RHEL7 with .NET Core 2.1

I am currently running a dockerized c# .NET Core 2.1 application on Linux.

My application connects to Mongo on windows using CreateGssapiCredential and works as expected.

When I try to run the same app in linux it fails with the error “An exception occurred while opening a connection to the server.”. Stack trace -

{
        "ClassName": "System.DllNotFoundException",
        "Message": "Unable to load shared library 'security.dll' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libsecurity.dll: cannot open shared object file: No such file or directory",
        "Data": null,
        "InnerException": null,
        "HelpURL": null,
        "StackTraceString": "   at MongoDB.Driver.Core.Authentication.Sspi.NativeMethods.AcquireCredentialsHandle(String principal, String package, SecurityCredentialUse credentialUsage, IntPtr logonId, IntPtr identity, Int32 keyCallback, IntPtr keyArgument, SspiHandle& credentialHandle, Int64& timestamp)\n   at MongoDB.Driver.Core.Authentication.Sspi.SecurityCredential.Acquire(SspiPackage package, String username, SecureString password)\n   at MongoDB.Driver.Core.Authentication.GssapiAuthenticator.FirstStep..ctor(String serviceName, String hostName, String realm, String username, SecureString password, SaslConversation conversation)\n   at MongoDB.Driver.Core.Authentication.GssapiAuthenticator.GssapiMechanism.Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)\n   at MongoDB.Driver.Core.Authentication.SaslAuthenticator.Authenticate(IConnection connection, ConnectionDescription description, CancellationToken cancellationToken)\n   at MongoDB.Driver.Core.Authentication.AuthenticationHelper.Authenticate(IConnection connection, ConnectionDescription description, IReadOnlyList`1 authenticators, CancellationToken cancellationToken)\n   at MongoDB.Driver.Core.Connections.ConnectionInitializer.InitializeConnection(IConnection connection, CancellationToken cancellationToken)\n   at MongoDB.Driver.Core.Connections.BinaryConnection.OpenHelper(CancellationToken cancellationToken)",
        "RemoteStackTraceString": null,
        "RemoteStackIndex": 0,
        "ExceptionMethod": null,
        "HResult": -2146233052,
        "Source": "MongoDB.Driver.Core",
        "WatsonBuckets": null,
        "TypeLoadClassName": null,
        "TypeLoadAssemblyName": null,
        "TypeLoadMessageArg": null,
        "TypeLoadResourceID": 0
    }

I followed the documentation here for linux - https://mongodb-documentation.readthedocs.io/en/latest/ecosystem/tutorial/authenticate-with-csharp-driver.html#linux-systems&gsc.tab=0

and also the GSSAPI/Kerberos documentation here - https://github.com/mongodb/mongo-csharp-driver/blob/master/Docs/reference/content/reference/driver/authentication.md

This is the code that sets the connection -

var settings = new MongoClientSettings
            {
                Credential = MongoCredential.CreateGssapiCredential(test@testdomain.com)
                .WithMechanismProperty("CANONICALIZE_HOST_NAME", canonicalizeHostName),

                Servers = servers.Split(',').Select(s => new MongoServerAddress(s, port))
            };

            Database = new MongoClient(settings).GetDatabase(databaseName);

            _collectionName = collectionName ?? typeof(T).Name;
            _collection = Database.GetCollection<T>(collectionName);

Nothing seems to fix the problem. How do i get this .NET core 2.1 app to work in linux with GSSAPI?

Hi, Girish,

Thank you for reaching out. We recently implemented GSSAPI/Kerberos support on Linux, which is now in our master branch but not in a stable release yet. We will be releasing it shortly in 2.12.0. More information can be found in https://jira.mongodb.org/browse/CSHARP-2474. (Note that the code for CSHARP-2474 did not make it into 2.12.0-beta1, but will be in the GA release.)

Your second documentation reference refers to the unreleased code that will be included in 2.12.0. The first documentation reference is to a very old 1.X-era driver that used libgsasl to implement Kerberos support. The 2.X-era driver implements Kerberos support on Windows using Windows-specific SASL APIs (present in security.dll) that have no direct Linux equivalent. Thus the DLL redirect technique documented in the 1.X documentation will not work with 2.X drivers.

You can either compile the 2.12.0 driver from source using the master branch or wait until we release the 2.12.0 NuGet package, which should happen in the next few weeks.

Sincerely,
James

1 Like

Thank you for the update.

I compiled the 2.12.0 driver from source using master but i am still getting the same error - “Unable to load shared library ‘security.dll’ or one of its dependencies…”.

Is this document https://github.com/mongodb/mongo-csharp-driver/blob/master/Docs/reference/content/reference/driver/authentication.md upto date on what is required to get this working in RHEL?

As mentioned in the document i have libgssapi_krb5.so in the /usr/lib64/ and my dotnet core app is deployed under /app folder. This driver is looking for windows security.dll which does not exist in linux.