(DOCSP-10513): Run Compass as a different user for Kerb Auth (#263)

(DOCSP-10513): Run Compass as a different user for Kerb Auth

Author: jeff-allen-mongo

source/connect.txt

@@ -43,9 +43,6 @@ Considerations
   :guilabel:`SRV record` or :guilabel:`Replica Set Name` when 
   filling in your connection information.
 
-- If you are using Kerberos as your authentication mechanism, do not 
-  specify the :guilabel:`Password` in the connection form.
-
 - .. include:: /includes/fact-non-genuine-warning.rst
 
 Connect

source/images/compass/run-compass-as-user.png

@@ -143,9 +143,14 @@ content: |
                  its authentication mechanism. If selected, you must
                  provide the :manual:`Principal </core/kerberos/#principals>`
                  and :guilabel:`Service Name` to authenticate the user. 
-                 Leave the :guilabel:`Password` field blank. 
+                 
+                 .. important::
+
+                    When authenticating with Kerberos, do not
+                    specify the :guilabel:`Password` in the connection
+                    form.
 
-                 You can also direct |compass| to
+                 You can direct |compass| to
                  :guilabel:`Canonicalize the Host Name` by setting the
                  corresponding toggle. When you enable this setting,
                  Kerberos uses the canonicalized form of the
@@ -156,6 +161,55 @@ content: |
                  canonicalization in Kerberos, see `this RFC document
                  <https://tools.ietf.org/html/rfc6806.html>`__.
 
+                 Authenticate as a Different Kerberos User on Windows
+                   When you authenticate with Kerberos on Windows, the
+                   :guilabel:`Principal` must be the same as the
+                   principal of the security context that
+                   |compass-short| is running. Normally, this is the
+                   logged-in user who is running |compass-short|.
+
+                   To authenticate as a different Kerberos user, you can
+                   run |compass| as the desired user, and instead
+                   specify the :guilabel:`Principal` for that user.
+
+                   To run |compass| as a different user, you can
+                   either:
+
+                   - Hold :guilabel:`Shift` and right-click the
+                     |compass| program icon to select
+                     :guilabel:`Run as a different user`.
+
+                     .. figure:: /images/compass/run-compass-as-user.png
+                        :figwidth: 500px
+                   
+                   - Use the ``runas`` command-line tool.
+
+                     .. example::
+
+                         To run |compass| as a user named ``admin``:
+
+                         .. code-block:: none
+
+                           runas /profile /user:mymachine\admin <path to MongoDB Compass>
+
+                   After you run |compass| as the desired user, to
+                   authenticate against your Kerberos-enabled MongoDB
+                   deployment, specify the :guilabel:`Principal` for the
+                   corresponding user.
+
+                   .. important::
+
+                       You must run |compass| as the user you wish to
+                       authenticate with. If you simply specify the
+                       desired user :guilabel:`Principal` without running
+                       |compass| as that user, authentication fails.
+
+                   .. seealso::
+
+                      To learn more about the ``runas`` command-line
+                      tool, see `Runas
+                      <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)>`__.
+
              - id: ldap
                name: LDAP
                content: |