Configuring MongoDB-CR Authentication as Default on MongoDB 3.x



All users created in MongoDB 3.x are created with SCRAM-SHA1, which breaks backward compatibility with tools that expect MongoDB-CR. There’s a laundry list of tools and drivers that have not yet been updated to support SCRAM-SHA1, such as Robomongo and MongoVUE.

In some cases, even if the newer version of the driver/ORM is available, you might not be ready to upgrade your driver due to some compatibility issues.

MongoDB supports two authentication methods:

  1. MongoDB-CR (Challenge-response)
    Mechanism to authenticate users with passwords. Default authentication mechanism until 2.6.x. Refer to the documentation for more details.
  2. SCRAM-SHA1
    This is an IETF standard for challenge-response mechanisms for authenticating users with passwords. This is the newer and more secure system. It is not backward compatible with MongoDB-CR. Refer to the documentation for more details.

MongoDB-CR is the legacy authentication system. MongoDB 3.x switched the default user authentication system to SCRAM-SHA1, so any new users created in the system are SCRAM-SHA1 users. Since SCRAM-SHA1 is not backwards compatible, it breaks auth with all users using the MONGODB-CR mechanism.

However, you might want to use the new WiredTiger storage engine that’s available in MongoDB 3.x.  Here are the steps to configure MONGODB-CR as the default authentication mechanism in MongoDB 3.x, assuming you’re running a replica set:

  1. Create a 3.x MongoDB cluster.
  2. Stop all nodes of the replica set other than the primary.
  3. Disable auth on the primary and restart the node. I did this by commenting out the following entries in the MongoDB conf file and restarting the server:
    #  authorization: enabled
    #  keyFile: /var/lib/mongo/rskey
    #  replSetName: RS-rsname-0
  4. Connect to the primary and change the schema version:
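    use admin;
    // Load the auth schema document, set it to version 3 (MONGODB-CR) and write it back
    var schema = db.system.version.findOne({"_id" : "authSchema"});
    schema.currentVersion = 3;
    db.system.version.save(schema);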
  5. Undo changes to the mongodb.conf file in step 3 above and restart MongoDB.
  6. Restart MongoDB on the other nodes of the replica set and ensure that the replica set is healthy.

Once this is done, all the users created on the system will be MongoDB-CR users. You can validate this by executing the following command:
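
As an added example (not the post's own command, and not ScaleGrid's code), the JavaScript below classifies user documents from admin.system.users by the credential mechanism they store and compares that with the authSchema version, so you can see which accounts are on the legacy mechanism. The function name, report fields and sample documents are constructed for illustration, and the document layout assumed is the one MongoDB 3.0 uses.

```javascript
// Added example (not from the original post). Runs in Node.js and in the mongo shell.
// In the mongo shell, feed it live data (as a user allowed to read the admin database):
//   var admin = db.getSiblingDB("admin");
//   printjson(auditAuthMechanisms(admin.system.version.findOne({_id: "authSchema"}),
//                                 admin.system.users.find().toArray()));

// authSchema.currentVersion 3 means new users get MONGODB-CR; 5 means SCRAM-SHA-1.
var SCHEMA_MECHANISM = { 3: "MONGODB-CR", 5: "SCRAM-SHA-1" };

function auditAuthMechanisms(authSchema, users) {
  var version = authSchema ? authSchema.currentVersion : null;
  var report = {
    schemaVersion: version,
    newUsersGet: SCHEMA_MECHANISM[version] || "unknown",
    legacy: [], // a MONGODB-CR credential is stored for the user
    scram: [],  // only a SCRAM-SHA-1 credential is stored
    other: []   // external users or an unrecognised credential layout
  };
  users.forEach(function (u) {
    var name = u.db + "." + u.user;
    var mechs = Object.keys(u.credentials || {});
    if (mechs.indexOf("MONGODB-CR") !== -1) {
      report.legacy.push(name);
    } else if (mechs.indexOf("SCRAM-SHA-1") !== -1) {
      report.scram.push(name);
    } else {
      report.other.push(name);
    }
  });
  // The temporary workaround is fully unwound only when the schema is back at
  // version 5 and no user still carries a MONGODB-CR credential.
  report.migrationComplete = version === 5 && report.legacy.length === 0;
  return report;
}

// Constructed sample documents (placeholders instead of real salts and hashes).
var sampleSchema = { _id: "authSchema", currentVersion: 3 };
var sampleUsers = [
  { _id: "admin.root", user: "root", db: "admin",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000, salt: "<salt>",
                                    storedKey: "<key>", serverKey: "<key>" } } },
  { _id: "app.reporting", user: "reporting", db: "app",
    credentials: { "MONGODB-CR": "<hash>" } },
  { _id: "$external.svc", user: "svc", db: "$external",
    credentials: { external: true } }
];
```

Users listed under legacy are the ones to track while the workaround is in place, since they are the accounts that still need to move to SCRAM-SHA1.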

Note, however, this should only be a temporary workaround. The more secure longer term fix is to upgrade your MongoDB server to use the SCRAM-SHA1 model. Once you are ready to upgrade, run the following script to upgrade the schema version of your users to SCRAM-SHA1:


