Windows Native Authentication for MySQL

Starting with MySQL 5.5.16 it is possible to setup a password-less connections from clients into MySQL server using Windows SSPI authentication framework. This functionality is provided by Windows Native Authentication (WNA) plugin distributed with the commercial version of 5.5.16 server. The client-side support for WNA authentication is built into the client library (libmysql) distributed with the community version of 5.5.16 server and requires no additional configuration. Clients which link to 5.5.16 or higher version of libmysql will be able to connect to MySQL accounts using WNA authentication out-of-the box.

For password-less connections to work, server's administrator must install the WNA plugin in the server and create user accounts which use this plugin for authentication. It is also possible to allow connections to existing MySQL accounts via a proxy WNA account. With this setup Windows clients can password-less connect to the proxy account, and then proxy configuration selects the final MySQL account based on client's Windows credentials (user name or group membership). Detailed instructions on how to install the WNA plugin and setup and configure WNA accounts are given in the documentation.

Internally, WNA plugin usses Windows SSPI API to create a shared security context between client and server, which allows server to read client's credentials. For this to work, obviously both client and server must run on a Windows machine. Additionally, both computers must be registered inside a Windows domain (in which case Windows internally uses Kerberos authentication). If this is not the case then password-less connections are still possible but only from the same computer on which server is running (in which case NTLM authentication is used).

Note that whether native Windows authentication is used or not entirely depends on the MySQL account to which a client tries to connect. If that account is configured by DBA to authenticate using WNA plugin, then this is the only option for that account - a client can connect to it only if the client supports WNA and is run by an authorized Windows user. It can not fall-back to the standard MySQL password authentication, as well as it can not request native Windows authentication when connecting to a non WNA account.

At the moment, client support for WNA plugin is implemented mainly in the libmysql client library which is shipped with MySQL 5.5.16 (the community version). This support is built into the library and does not require any additional configuration. If your client uses this version of libmysql for connecting to the server it should be able to connect to WNA accounts.

Note that if the client is using a connector library like Connector/C++ and that library links to libmysql dynamically, then configuring the dynamic linker to use version 5.5.16 or later of libmysql will enable WNA support in your client application. If, however, the client uses libmysql based connector which is statically linked to an older version of the library (as is the case with Connector/ODBC), then it will not work with WNA plugin.

Some connectors do not use libmysql but have their own implementation of the MySQL client-server protocol (for example Connector/Java). These connectors will require changes in their implementation of the protocol to support WNA plugin.

Here is a table summarizing which of MySQL connector products support WNA plugin at the moment:


Libmysql 5.5.16 yes
Connector/NET 6.4.4 yes
Connector/C++ 1.1.0 yes if dynamically linked with libmysql 5.5.16+
Connector/ODBC 3.51.29 & 5.1.9 yes
Connector/Java 5.1.18 no will not happen very soon
Connector/PHP 5.3 no no plans to support WNA in PHP

Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

Oracle Blogs Admin-Oracle

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today