Monday, October 3, 2011

Windows Native Authentication for MySQL

Starting with MySQL 5.5.16 it is possible to set up password-less connections from clients into the MySQL server using the Windows SSPI authentication framework.

This functionality is provided by the Windows Native Authentication (WNA) plugin distributed with the commercial version of the 5.5.16 server. The client-side support for WNA authentication is built into the client library (libmysql) distributed with the community version of the 5.5.16 server and requires no additional configuration. Clients which link to version 5.5.16 or higher of libmysql will be able to connect to MySQL accounts using WNA authentication out of the box.

For password-less connections to work, the server's administrator must install the WNA plugin in the server and create user accounts which use this plugin for authentication. It is also possible to allow connections to existing MySQL accounts via a proxy WNA account. With this setup, Windows clients connect to the proxy account without a password, and the proxy configuration then selects the final MySQL account based on the client's Windows credentials (user name or group membership). Detailed instructions on how to install the WNA plugin and how to set up and configure WNA accounts are given in the documentation.
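The proxy setup described above, written out as an added example (not taken from the original post or from the MySQL documentation). The plugin name `authentication_windows` and library `authentication_windows.dll` are the names MySQL 5.5 documents for this plugin; the Windows user and group names, the MySQL account names and the `name=account` mapping syntax in the authentication string are assumptions used for illustration.

```sql
-- 1. Load the WNA plugin into the server (commercial 5.5.16+, Windows only).
--    Assumed names: authentication_windows / authentication_windows.dll.
INSTALL PLUGIN authentication_windows SONAME 'authentication_windows.dll';

-- 2. The real MySQL accounts that clients end up using. They keep ordinary
--    password authentication; nobody needs to know these passwords to
--    connect through the proxy, so they can be long and random.
CREATE USER 'local_user'@'localhost'  IDENTIFIED BY 'example-long-random-password-1';
CREATE USER 'local_admin'@'localhost' IDENTIFIED BY 'example-long-random-password-2';
GRANT SELECT, INSERT, UPDATE ON app_db.* TO 'local_user'@'localhost';
GRANT ALL PRIVILEGES ON app_db.*       TO 'local_admin'@'localhost';

-- 3. The proxy account. It has no password: the plugin authenticates the
--    client's Windows identity via SSPI (Kerberos in a domain, NTLM on the
--    same host). The authentication string lists which Windows users or
--    groups may log in and which MySQL account each is mapped to.
--    'rafal' and 'tasha' are constructed Windows user names; "Power Users"
--    and Administrators are Windows groups (quoted when the name has spaces).
CREATE USER 'win_proxy'@'%'
  IDENTIFIED WITH authentication_windows
  AS 'rafal=local_user, tasha=local_user, "Power Users"=local_user, Administrators=local_admin';

-- 4. The proxy may only impersonate the accounts it is explicitly granted.
--    Without these grants the mapping in step 3 is refused at login time,
--    so this is the control that bounds what a Windows identity can reach.
GRANT PROXY ON 'local_user'@'localhost'  TO 'win_proxy'@'%';
GRANT PROXY ON 'local_admin'@'localhost' TO 'win_proxy'@'%';

-- 5. Verification from a WNA-capable client run as a mapped Windows user
--    (e.g. mysql.exe linked against community libmysql 5.5.16+, no -p):
--      mysql -u win_proxy
--    Inside the session, USER() shows the proxy and CURRENT_USER() shows
--    the account that was actually selected by the mapping:
SELECT USER(), CURRENT_USER(), @@proxy_user;
```

A Windows user who is not named in the authentication string, or who is named but maps to an account without a matching `GRANT PROXY`, is rejected rather than falling back to password authentication, which is the behaviour the post describes for WNA accounts.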

Internally, the WNA plugin uses the Windows SSPI API to create a shared security context between client and server, which allows the server to read the client's credentials. For this to work, both client and server must run on Windows. Additionally, both computers must be registered in a Windows domain (in which case Windows internally uses Kerberos authentication). If this is not the case, then password-less connections are still possible, but only from the same computer on which the server is running (in which case NTLM authentication is used).

Note that whether native Windows authentication is used or not depends entirely on the MySQL account to which a client tries to connect. If that account is configured by the DBA to authenticate using the WNA plugin, then this is the only option for that account: a client can connect to it only if the client supports WNA and is run by an authorized Windows user. It cannot fall back to standard MySQL password authentication, nor can it request native Windows authentication when connecting to a non-WNA account.

At the moment, client support for the WNA plugin is implemented mainly in the libmysql client library which is shipped with MySQL 5.5.16 (the community version). This support is built into the library and does not require any additional configuration. If your client uses this version of libmysql to connect to the server, it should be able to connect to WNA accounts.

Note that if the client uses a connector library like Connector/C++ and that library links to libmysql dynamically, then configuring the dynamic linker to use version 5.5.16 or later of libmysql will enable WNA support in your client application. If, however, the client uses a libmysql-based connector which is statically linked to an older version of the library (as is the case with Connector/ODBC), then it will not work with the WNA plugin.

Some connectors do not use libmysql but have their own implementation of the MySQL client-server protocol (for example Connector/Java). These connectors will require changes in their implementation of the protocol to support the WNA plugin.

Here is a summary of which MySQL connector products support the WNA plugin at the moment:

  • libmysql 5.5.16: Yes
  • Connector/NET 6.4.4: Yes
  • Connector/C++ 1.1.0: Yes, although not in the statically linked version
  • Connector/ODBC 3.51.28 & 5.1.8: No, but watch for coming releases
  • Connector/Java 5.1.17: No, will not happen very soon
  • Connector/PHP 5.3: No, currently no plans to support WNA in PHP

This text was written by Rafal Somla, MySQL Connectors Team.

1 comment:

Anonymous said...

Hi,

I'm trying to access MySQL, on which the Windows authentication plugin is activated, through Java.

Can we do it using the MySQL connector? Or by any means in Java?

Thanks in advance