Sitecore with MongoDB Authentication

Securing website data is critical for any business and it is no exception for Sitecore websites. One of the main components for Sitecore is MongoDB which is the core storage for the xDB data. Authentication is the primary way to protect data stored in xDB. This ensures that only authorised users get access.

So what are the steps required to configure MongoDB authentication and how should the Sitecore connection strings be updated?

Note: The steps outlined have been tested with Sitecore XP 8.1 Update 2 and MongoDB 3.2.4

Step 1: Create MongoDB user

use admin;
db.createUser({ user: "sitecore", pwd: "somePassword", roles: [ { role: "root",  db: "admin" } ] });


  • It is important to use strong passwords. A number of websites are available that can generate a strong password for you.
  • Do not panic that the user has root privileges, we will revert the role to more strict after ensuring that Sitecore can authenticate with MongoDB.

Step 2: Test that the user can login in mongoDB

mongo -u "sitecore" -p "somePassword" --authenticationDatabase "admin"

Once logged into MongoDB shell

use admin;
show tables;

Note: If the user is not configured as root the show tables; command will return an error.

Step 3: Update Sitecore Connection Strings

<add connectionString="mongodb://sitecore:somePassword@mongodbServer:27017/analytics?authSource=admin"
    name="analytics" />
<add connectionString="mongodb://sitecore:somePassword@mongodbServer:27017/tracking_live?authSource=admin"
    name="" />
<add connectionString="mongodb://sitecore:somePassword@mongodbServer:27017/tracking_history?authSource=admin"
    name="tracking.history" />
<add connectionString="mongodb://sitecore:somePassword@mongodbServer:27017/tracking_contact?authSource=admin"
    name="" />

A little explanation of the connection string is in order. The first part of the connection string is “user:password@” this instructs the MongoDB driver that the user name and password need to be used to authenticate with the MongoDB server. Next is the standard MongoDB URL that is specified in Sitecore connection string. Finally the URL option authSource is used. This option parameter instructs the MongoDB driver that the database specified in the URL is not an authentication database and it needs to check the authentication with the authSource database.

Step 4: Restart the Application Pool for the Sitecore Site

This step is required to ensure that IIS refreshes the connection strings. In case it is cached.

Step 5: Check Sitecore is running

  1. Open Sitecore website into the browser
  2. Check the log file for any errors related to MongoDB, there shouldn’t be any. If any errors are noticed ensure to fix them up to improve the Sitecore site stability.

Step 6: Check MongoDB for Sitecore Databases

Checking that Sitecore is running is not enough. It is important to check that the MongoDB databases have been created before changing the user permissions.

mongo -u "sitecore" -p "somePassword" --authenticationDatabase "admin"

Once logged into MongoDB shell

show dbs;

Step 7: Revert the MongoDB user role to be more strict

Note: Before proceeding ensure that you have another MongoDB user with root permissions. Otherwise you will encounter issues if trying to perform MongoDB maintenance.

use admin;
db.updateUser( "sitecore", { roles: [ { role: "readWrite", db: "analytics" }, { role: "readWrite", db: "tracking_contact" }, { role: "readWrite", db: "tracking_history" }, { role: "readWrite", db: "tracking_live" } ] } );

In the command above the sitecore user permissions have been changed from "root" to database specific.

Step 8: Recycle the Application Pool and check that all is in order

Repeat steps 4 and 5 to ensure all is working


Never take things for granted on security

When dealing with security and client data privacy, never take things for granted. Whether local, for development, or production and irrespective of whether real data is available or not always protect the data with the tools provided. Remember that part of the site code is always available on the internet, which poses a risk.

Always use strong passwords and avoid standard values

On production environments or any environment with remote access avoid using standard values. Standard values are well known which makes it easy for malicious users to exploit. In relation to this article, besides using the MongoDB authentication; ensure that:

  • MongoDB server port is changed from port 27017
  • The authentication database is changed from admin. Remember to change the connection strings to reflect the new authentication strings
  • Use strong passwords throughout