MySQL Enterprise Edition for Windows supports authentication methods that perform external authentication on Windows, enabling MySQL Server to use native Windows services to authenticate client connections. Users logged into Windows can connect to the server from the MySQL client program based on information in their environment without specifying an additional password.
Client and server exchange data packets in an authentication handshake. As a result of this exchange, the server creates a security context object that represents the client's identity in the Windows operating system. This ID includes the name of the client account. Windows Pluggable Authentication uses the client's identity to check whether it is a member of a given account or group. By default, Negotiate uses Kerberos for authentication, or NTLM for authentication if Kerberos is not available.
Windows Pluggable Authentication provides the following features:
● External authentication: Windows authentication enables MySQL Server to accept connections from Windows-logged-in users defined outside the MySQL authorization tables.
● Proxy user support: Windows authentication can return a user name to MySQL that is different from the external user name passed by the client program. This means that a plugin can return a MySQL user that defines the privileges that an external Windows authenticated user should have. For example, a Windows user named joe can connect and have the privileges of the MySQL user developer.
Plugin and library names
| plugin or file |
plugin or file name |
| Server-side plugin |
authentication_windows |
| Client-side plugin |
authentication_windows_client |
| Library file |
authentication_windows.dll |
The library files only include server-side plug-ins. The client plugin is built into the libmysqlclient client library.
The server-side Windows Authentication plugin is only included with MySQL Enterprise Edition. It is not included in the MySQL community distribution. Client plugins are included in all distributions, including community distributions. This enables clients from any distribution to connect to servers loaded with server-side plugins.
Install Windows Pluggable Authentication
To be used by the server, plugin library files must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). If necessary, configure the plugin directory location by setting the value of plugin_dir on server startup.
To load a plugin at server startup, use the --plugin-load-add option to name the library file that contains the plugin. With this plugin loading method, this option must be given every time the server starts. For example, put these lines in the server my.cnf file:
[mysqld]
plugin-load-add=authentication_windows.dllAfter modifying my.cnf, restart the server for the new settings to take effect.
Alternatively, to load the plugin at runtime, use the following statement:
INSTALL PLUGIN authentication_windows SONAME 'authentication_windows.dll';INSTALL PLUGIN loads the plugin immediately and registers it in the mysql.plugins system table so that the server loads it on each subsequent normal startup without --plugin-load-add
To verify plugin installation, check the Information Schema PLUGINS table or use the SHOW PLUGINS statement. For example:
SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE '%windows%';
+------------------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+------------------------+---------------+
| authentication_windows | ACTIVE |
+------------------------+---------------+If the plugin fails to initialize, check the server error log for diagnostic messages.
Uninstall Windows Pluggable Authentication
The method used to uninstall the Windows Authentication plugin depends on how you installed it:
● If you installed the plugin with the --plugin-load-add option at server startup, restart the server without this option.
● If you install a plug-in at runtime using the INSTALL PLUGIN statement, it remains installed across server restarts. To uninstall it, use UNINSTALL PLUGIN:
UNINSTALL PLUGIN authentication_windows;Also, remove any startup options that set Windows plugin-related system variables.
Using Windows Pluggable Authentication
The Windows Authentication plugin supports the use of MySQL accounts so that users logged into Windows can connect to the MySQL server without specifying an additional password. Assuming the server is running with server-side plugins enabled,
Create a MySQL account named sql_admin that uses the Windows plugin for authentication:
CREATE USER sql_admin IDENTIFIED WITH authentication_windows AS 'Rafal, Tasha, Administrators, "Power Users"';The plugin name is authentication_windows. The string following the AS keyword is the authentication string. It specifies that a Windows user named Rafal or Tasha is allowed to authenticate to the server as the MySQL user sql_admin , as does any Windows user in the Administrators or Power users groups. The latter group name contains a space and therefore must be enclosed in double quote characters.
After creating the sql_admin account, a user logged into Windows can try to connect to the server using that account:
mysql --user=sql_adminNo password is required here. The authentication_windows plugin checks the connecting windows user using the windows security API. If the user is named Rafal or Tasha, or is a member of the Administrators or Power Users group, the server will grant access and the client will be authenticated as sql_admin with any privileges granted to the sql_admin account. Otherwise, the server will deny access.
The authentication string syntax for the Windows Authentication Plugin follows the following rules:
● The string consists of one or more user mappings separated by commas.
● Each user mapping associates a Windows user or group name with a MySQL user name:
win_user_or_group_name=mysql_user_name
win_user_or_group_nameFor the latter syntax, when no value for mysql_user_name is given, the implicit value is the mysql user created by the CREATE user statement. Therefore, these statements are equivalent:
CREATE USER sql_admin IDENTIFIED WITH authentication_windows AS 'Rafal, Tasha, Administrators, "Power Users"';
CREATE USER sql_admin IDENTIFIED WITH authentication_windows AS 'Rafal=sql_admin, Tasha=sql_admin, Administrators=sql_admin, "Power Users"=sql_admin';● Each backslash character (\) in the value must be doubled, because backslashes are escape characters in MySQL strings.
● Leading and trailing spaces not within double quotes are ignored.
● Unquoted win_user_or_group_name and mysql_user_name values can contain anything except equal signs, commas, or spaces.
● If the win_user_or_group_name and/or mysql_user_name values are quoted in double quotes, everything between the quotes is part of the value. This is necessary, for example, if the name contains space characters. All characters inside double quotes are legal except double quotes and backslashes. To include double quotes and backslashes, escape them with a backslash.
● The win_user_or_group_name value uses traditional syntax for Windows principals, whether local or in the domain. Example (note the doubling of backslashes):
domain\\user
.\\user
domain\\group
.\\group
BUILTIN\\WellKnownGroupWhen the server calls the plug-in to authenticate the client, the plug-in scans the authentication string from left to right, looking for a user or group that matches a Windows user. If there is a match, the plugin will return the corresponding mysql_user_name to the mysql server. If there is no match, authentication fails.
Username matching takes precedence over groupname matching. Assuming a Windows user named win_user is a member of win_group, the authentication string looks like this:
'win_group = sql_user1, win_user = sql_user2'When win_user connects to the MySQL server, both win_group and win_user match. The plugin authenticates the user as sql_user2 because more specific user matches take precedence over group matches, even if group is listed first in the authentication string.
Windows authentication always works for connections from the same machine the server is running on. For cross-computer connections, both computers must be registered in Microsoft Active Directory. If they are in the same Windows domain, there is no need to specify the domain name. Connections from different domains can also be allowed, as in this example:
CREATE USER sql_accounting IDENTIFIED WITH authentication_windows AS 'SomeDomain\\Accounting';Here SomeDomain is the name of another domain. The backslash character is doubled because it is a MySQL escape character in a string.
MySQL supports the concept of proxy users, where a client can use one account to connect and authenticate to the MySQL server, but have the privileges of another account when connecting. Suppose you want Windows users to connect using a single username, but be mapped to specific MySQL accounts based on their Windows user and group names, as follows:
● local_user and MyDomain\domain_user Local and domain Windows users should be mapped to the local_wlad MySQL account.
● Users in the MyDomain\Developers domain group should be mapped to the local_dev MySQL account.
● The local computer administrator should be mapped to the local_admin MySQL account.
To set this up, create a proxy account for Windows users to connect to, and configure this account so that users and groups are mapped to the corresponding MySQL accounts (local_wlad, local_dev, local_admin). Also, grant the appropriate privileges to the MySQL accounts to perform the operations they need to perform. The following instructions use win_proxy as the proxy account, and local_wlad, local_dev, and local_admin as the proxy accounts.
1. Create a proxy MySQL account:
CREATE USER win_proxy IDENTIFIED WITH authentication_windows AS 'local_user = local_wlad, MyDomain\\domain_user = local_wlad, MyDomain\\Developers = local_dev, BUILTIN\\Administrators = local_admin';2. For the proxy to work, the proxy's account must exist, so create them:
CREATE USER local_wlad IDENTIFIED WITH mysql_no_login;
CREATE USER local_dev IDENTIFIED WITH mysql_no_login;
CREATE USER local_admin IDENTIFIED WITH mysql_no_login;
代理帐户使用 mysql_no_login 身份验证插件来防止客户端使用这些帐户直接登录mysql服务器。相反,使用Windows进行身份验证的用户应该使用 win_proxy 代理帐户。Grant each proxy account the required privileges for MySQL access (not demonstrated here).
3. Grant the proxy accounts proxy permissions for each proxy account:
GRANT PROXY ON local_wlad TO win_proxy;
GRANT PROXY ON local_dev TO win_proxy;
GRANT PROXY ON local_admin TO win_proxy;Windows users local_user and MyDomain\domain_user can now connect to the MySQL server as win_proxy and, when authenticated, have the privileges of the account given in the authentication string (local_wlad in this case). A user connecting as win_proxy in the MyDomain\Developers group has permissions for the local_dev account. Users in the BUILTIN\Administrators group have the permissions of the local_admin account.
To configure authentication so that all Windows users who do not have their own MySQL account go through the proxy account, replace win_proxy with the default proxy account (''@'') in the preceding instructions.
Explanation: If MySQL is installed with anonymous users, they may conflict with the default proxy user.