Windows Native Authentication for MySQL
By rsomla on Oct 11, 2011
For password-less connections to work, the server's administrator must install the WNA plugin in the server and create user accounts that use this plugin for authentication. It is also possible to allow connections to existing MySQL accounts via a proxy WNA account. With this setup, Windows clients connect to the proxy account without a password, and the proxy configuration then selects the final MySQL account based on the client's Windows credentials (user name or group membership). Detailed instructions on how to install the WNA plugin and how to set up and configure WNA accounts are given in the documentation.
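As an added illustration (not code from the original post), here is the proxy setup outlined above written out in SQL, together with the queries a DBA would use to confirm which account a Windows client actually lands in. The Windows names (Rafal, Tasha, "Power Users") and MySQL account names (win_proxy, sql_user, sql_admin) are constructed placeholders.

```sql
-- Added example, not from the original post. Windows user/group names and
-- MySQL account names below are constructed placeholders.

-- 1. Load the plugin into a Windows build of the server (5.5.16+).
INSTALL PLUGIN authentication_windows SONAME 'authentication_windows.dll';

-- 2. The accounts that actually hold privileges. Windows clients never
--    log into these directly; they are reached through the proxy only,
--    so give them a real password rather than leaving them open.
CREATE USER sql_user  IDENTIFIED BY 'placeholder-strong-password-1';
CREATE USER sql_admin IDENTIFIED BY 'placeholder-strong-password-2';
GRANT SELECT ON app.* TO sql_user;
GRANT ALL    ON app.* TO sql_admin;

-- 3. The proxy account. It has no MySQL password: Windows verifies the
--    caller via SSPI, then the plugin matches the Windows user name or
--    group against this list and maps it with the "= account" part of
--    each item. Names containing spaces are double-quoted.
CREATE USER win_proxy
  IDENTIFIED WITH authentication_windows
  AS 'Rafal = sql_user, Tasha = sql_user, "Power Users" = sql_admin';

-- 4. The mapping string alone is not enough: the proxy may only assume
--    accounts it has been explicitly granted PROXY on. Keep this list
--    tight; it is the server-side limit on what a Windows login can become.
GRANT PROXY ON sql_user  TO win_proxy;
GRANT PROXY ON sql_admin TO win_proxy;

-- 5. Verification, run from a Windows client that connected as
--    "mysql --user=win_proxy" with no password. USER() shows the proxy
--    account, CURRENT_USER() the account whose privileges apply,
--    external_user the Windows identity the plugin saw.
SELECT USER(), CURRENT_USER(), @@proxy_user, @@external_user;

-- 6. Periodic review: which accounts rely on WNA, and which proxy
--    mappings exist on this server.
SELECT user, host, authentication_string
  FROM mysql.user
 WHERE plugin = 'authentication_windows';
SELECT Host, User, Proxied_host, Proxied_user
  FROM mysql.proxies_priv;
```

Because every list item in step 3 carries an explicit `= account` mapping, a Windows user who matches nothing in the list is refused rather than silently mapped to a default account.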
Internally, the WNA plugin uses the Windows SSPI API to create a shared security context between client and server, which allows the server to read the client's credentials. For this to work, both client and server must obviously run on Windows machines. Additionally, both computers must be registered in a Windows domain (in which case Windows internally uses Kerberos authentication). If this is not the case, password-less connections are still possible, but only from the same computer on which the server is running (in which case NTLM authentication is used).
Note that whether native Windows authentication is used or not depends entirely on the MySQL account to which a client tries to connect. If that account is configured by the DBA to authenticate using the WNA plugin, then this is the only option for that account: a client can connect to it only if the client supports WNA and is run by an authorized Windows user. It cannot fall back to standard MySQL password authentication, nor can it request native Windows authentication when connecting to a non-WNA account.
At the moment, client support for the WNA plugin is implemented mainly in the libmysql client library shipped with MySQL 5.5.16 (the community version). This support is built into the library and does not require any additional configuration. If your client uses this version of libmysql to connect to the server, it should be able to connect to WNA accounts.
Note that if the client uses a connector library such as Connector/C++ and that library links to libmysql dynamically, then configuring the dynamic linker to use version 5.5.16 or later of libmysql will enable WNA support in your client application. If, however, the client uses a libmysql-based connector that is statically linked to an older version of the library (as is the case with Connector/ODBC), then it will not work with the WNA plugin.
Some connectors do not use libmysql but have their own implementation of the MySQL client-server protocol (for example, Connector/Java). These connectors will require changes to their protocol implementation to support the WNA plugin.
Here is a table summarizing which MySQL connector products support the WNA plugin at the moment:

| Connector | Version | WNA support | Notes |
|---|---|---|---|
| Connector/C++ | 1.1.0 | yes | if dynamically linked with libmysql 5.5.16+ |
| Connector/ODBC | 3.51.29 & 5.1.9 | yes | |
| Connector/Java | 5.1.18 | no | will not happen very soon |
| Connector/PHP | 5.3 | no | no plans to support WNA in PHP |