How to connect to a MongoDB service running with Kerberos authentication using mongo-java-driver


I'm not much aware of Kerberos. The Kerberos server is running on an EC2 instance; on another EC2 instance I installed the Kerberos client, MongoDB 6.0.2 Enterprise and mongo shell 1.10.6. I created a user principal and a service principal and exported these principals to keytab files on the Kerberos server. I copied these keytab files to my Kerberos client instance; using kinit, I was able to start the mongodb service with Kerberos auth and was able to connect from the mongo shell. Below are the commands used:

sudo kadmin.local -q "add_principal -randkey [email protected]"
sudo kadmin.local -q "xst -kt /tmp/admn.user.keytab [email protected]"
sudo kadmin.local -q "add_principal -randkey mongodb/ip-***[email protected]"
sudo kadmin.local -q "xst -kt /tmp/mongokb.service.keytab mongodb/ip-***[email protected]"
kinit -kt /tmp/admn.user.keytab admn

The service is running with the command below:

env KRB5_KTNAME=/tmp/mongokb.service.keytab mongod --auth --setParameter authenticationMechanisms=GSSAPI --bind_ip_all

Shell:

mongosh --host ip-**.compute.internal --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username [email protected]

My Java program:

import com.mongodb.BasicDBObject;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoDatabase;
import org.bson.conversions.Bson;

import java.util.Arrays;

public class MongoKerberosTest {
    public static void main(String[] args) {
        // Kerberos and JAAS settings for this JVM
        System.setProperty("java.security.krb5.realm", "KAFKA.SECURE");
        System.setProperty("java.security.krb5.kdc", "ec2-***.compute.amazonaws.com");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.auth.login.config", "/tmp/gss-jaas.conf");
        System.setProperty("java.security.krb5.conf", "/tmp/krb5.conf");

        // GSSAPI credential for the principal to authenticate as
        MongoCredential credential = MongoCredential.createGSSAPICredential("[email protected]");
        MongoClient mongoClient = MongoClients.create(
                MongoClientSettings.builder()
                        .applyToClusterSettings(builder ->
                                builder.hosts(Arrays.asList(new ServerAddress("ip-***", 27017))))
                        .credential(credential)
                        .build());

        MongoDatabase db = mongoClient.getDatabase("admin");
        System.out.print("Db Name:" + db.getName());
        // run a dbstats command so the driver has to authenticate
        final Bson ping = new BasicDBObject("dbstats", 1);
        db.runCommand(ping);
    }
}

krb5.conf file:

includedir D:/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24h
    renew_lifetime = 7d
    default_realm = KAFKA.SECURE
    kdc_timesync = 1

[realms]
    KAFKA.SECURE = {
        admin_server = ec2-**.compute.amazonaws.com
        kdc = ec2-**.compute.amazonaws.com
    }

gss-jaas.conf file:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    principal="mongodb/ip-***[email protected]"
    doNotPrompt=true
    storeKey=true
    keyTab="D:/mongokb.service.keytab"
    debug=true;
};

I'm getting this error:

 GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

Log file:

 Debug is  true storeKey false useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is D:/mongokb.service.keytab refreshKrb5Config is false principal is mongodb/ip-**[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Looking for keys for: mongodb/ip-**[email protected]
    Found unsupported keytype (25) for mongodb/ip-**[email protected]
    Found unsupported keytype (26) for mongodb/ip-**[email protected]
    Added key: 23version: 3
    Added key: 17version: 3
    Added key: 18version: 3
    Looking for keys for: mongodb/ip-***[email protected]
    Found unsupported keytype (25) for mongodb/ip-**[email protected]
    Found unsupported keytype (26) for mongodb/ip-**[email protected]
    Added key: 23version: 3
    Added key: 17version: 3
    Added key: 18version: 3
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=ec2-**.compute.amazonaws.com UDP:88, timeout=30000, number of retries =3, #bytes=208
    >>> KDCCommunication: kdc=ec2-**.amazonaws.com UDP:88, timeout=30000,Attempt =1, #bytes=208
    >>> KrbKdcReq send: #bytes read=840
    >>> KdcAccessibility: remove ec2-***.compute.amazonaws.com
    Looking for keys for: mongodb/ip-***[email protected]
    Found unsupported keytype (25) for mongodb/ip-**[email protected]
    Found unsupported keytype (26) for mongodb/ip-**[email protected]
    Added key: 23version: 3
    Added key: 17version: 3
    Added key: 18version: 3
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsRep cons in KrbAsReq.getReply mongodb/ip-***.compute.internal
    principal is mongodb/ip-**[email protected]
    Will use keytab
    Commit Succeeded 
    
    Found ticket for mongodb/ip-**[email protected] to go to krbtgt/[email protected] expiring on Thu Nov 09 16:05:19 IST 2023

If I add an entry of service principal to admn.user.keytab file as below:

add_entry -password -p mongodb/ip**.ap-south-1.compute.internal -k 3 -e aes256-cts-hmac-sha1-96
wkt /tmp/admn.user.keytab

And if I set the keytab in the gss-jaas.conf file to /tmp/admn.user.keytab, I get the exception below:

Caused by: KrbException: Checksum failed
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)

Can anyone please help with which keytab file should be used to connect to the mongodb service running with Kerberos auth?
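The question has no answer on the page. As an added example (not the asker's code and not taken from the driver project), the following client shows the division of keytabs that a Kerberos deployment normally relies on: the service keytab (here mongokb.service.keytab) is read only by mongod via KRB5_KTNAME, while the Java client logs in as its own user principal (the page's admn principal in realm KAFKA.SECURE, from admn.user.keytab) through an explicit JAAS LoginContext and hands the resulting Subject to the driver with MongoCredential.JAVA_SUBJECT_KEY, so no global useSubjectCredsOnly=false setting is needed. It then asks mongod, via the connectionStatus command, which principal it actually authenticated, which is the check a practitioner wants before trusting a GSSAPI setup. Assumptions: a JAAS entry named MongoClientLogin in the file named by java.security.auth.login.config (contents given in the comment), a keytab path /etc/app/admn.user.keytab owned by the application user with mode 0400, the mongod host name ip-***.ap-south-1.compute.internal matching the host part of the service principal, and mongo-java-driver 4.x.

```java
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Collections;
import java.util.List;

public class MongoGssapiClient {

    // Assumed JAAS entry in the file named by java.security.auth.login.config.
    // It names the client's USER principal and USER keytab, not mongod's service keytab:
    //
    //   MongoClientLogin {
    //     com.sun.security.auth.module.Krb5LoginModule required
    //     useKeyTab=true
    //     useTicketCache=false
    //     storeKey=false
    //     doNotPrompt=true
    //     principal="admn@KAFKA.SECURE"
    //     keyTab="/etc/app/admn.user.keytab";
    //   };
    private static final String JAAS_ENTRY = "MongoClientLogin";          // assumed entry name

    /** Obtain a TGT for the user principal from its keytab; the Subject carries the ticket. */
    static Subject loginWithUserKeytab() throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /** GSSAPI credential bound to an explicit Subject and to the mongodb/<host> service name. */
    static MongoCredential gssapiCredential(String userPrincipal, Subject subject) {
        return MongoCredential.createGSSAPICredential(userPrincipal)
                .withMechanismProperty(MongoCredential.JAVA_SUBJECT_KEY, subject)
                .withMechanismProperty(MongoCredential.SERVICE_NAME_KEY, "mongodb")
                .withMechanismProperty(MongoCredential.CANONICALIZE_HOST_NAME_KEY, true);
    }

    /** Ask mongod which principal this connection is authenticated as (null if none). */
    static String authenticatedUser(MongoClient client) {
        Document status = client.getDatabase("admin").runCommand(new Document("connectionStatus", 1));
        Document authInfo = status.get("authInfo", Document.class);
        List<Document> users = authInfo.getList("authenticatedUsers", Document.class);
        return users.isEmpty() ? null : users.get(0).getString("user");
    }

    public static void main(String[] args) throws LoginException {
        String userPrincipal = "admn@KAFKA.SECURE";                       // user principal from the page
        String mongoHost = "ip-***.ap-south-1.compute.internal";          // placeholder; must match the SPN host

        Subject subject = loginWithUserKeytab();
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyToClusterSettings(b -> b.hosts(
                        Collections.singletonList(new ServerAddress(mongoHost, 27017))))
                .credential(gssapiCredential(userPrincipal, subject))
                .build();

        // MongoClient is Closeable; closing it releases the authenticated connections.
        try (MongoClient client = MongoClients.create(settings)) {
            client.getDatabase("admin").runCommand(new Document("ping", 1)); // forces authentication
            System.out.println("Authenticated as: " + authenticatedUser(client));
        }
    }
}
```

Because the Subject is passed explicitly, the JVM-wide javax.security.auth.useSubjectCredsOnly setting can stay at its default, and the service keytab never needs to be readable by the application account. The "Authenticated as" line should print the user principal; if mongod reports no authenticated user, the failure is in the user-principal login or in the service principal name the driver derives from mongoHost, which is why the host given to the driver must be the same name that appears in the mongodb/<host>@REALM principal.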
