The Windows authentication plugin is a commercial extension. To learn more about commercial products (MySQL Enterprise Edition), see http://www.mysql.com/products/.
As of MySQL 5.5.16, commercial distributions of MySQL for Windows include an authentication plugin that performs external authentication on Windows, enabling MySQL Server to use native Windows services to authenticate client connections. Users who have logged in to Windows can connect from MySQL client programs to the server based on the information in their environment without specifying an additional password.
The client and server exchange data packets in the authentication handshake. As a result of this exchange, the server creates a security context object that represents the identity of the client in the Windows OS. This identity includes the name of the client account. The Windows authentication plugin uses the identity of the client to check whether it is a given account or a member of a group. By default, negotiation uses Kerberos to authenticate, then NTLM if Kerberos is unavailable.
The Windows authentication plugin provides these capabilities:
External authentication: The plugin enables MySQL Server to accept connections from users defined outside the MySQL grant tables.
Proxy user support: The plugin can return to MySQL a user
name different from the client user. This means that the
plugin can return the MySQL user that defines the privileges
the external Windows-authenticated user should have. For
example, a Windows user named
connect and have the privileges of the MySQL user named
The following table shows the plugin and library file names. The
file location must be the directory named by the
plugin_dir system variable. For
installation information, see
Section 188.8.131.52, “Installing the Windows Authentication Plugin”.
Table 5.4 MySQL Windows Authentication Plugin
|Server-side plugin name|
|Client-side plugin name|
|Library object file name|
The library file includes only the server-side plugin. As of
MySQL 5.5.13, the client-side plugin is built into the
libmysqlclient client library.
The server-side Windows authentication plugin is included only in commercial distributions. It is not included in MySQL community distributions. The client-side plugin is included in all distributions, including community distributions. This permits clients from any 5.5.13 or newer distribution to connect to a server that has the server-side plugin loaded.
The Windows authentication plugin is supported on any version of Windows supported by MySQL 5.5 (see http://www.mysql.com/support/supportedplatforms/database.html). It requires MySQL Server 5.5.16 or newer.