Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 0.8Mb
PDF (A4) - 0.8Mb
EPUB - 231.1Kb
HTML Download (TGZ) - 169.1Kb
HTML Download (Zip) - 179.2Kb

Security in MySQL  /  ...  /  The Windows Native Authentication Plugin

5.7.4 The Windows Native Authentication Plugin


The Windows authentication plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see

As of MySQL 5.5.16, MySQL Enterprise Edition for Windows includes an authentication plugin that performs external authentication on Windows, enabling MySQL Server to use native Windows services to authenticate client connections. Users who have logged in to Windows can connect from MySQL client programs to the server based on the information in their environment without specifying an additional password.

The client and server exchange data packets in the authentication handshake. As a result of this exchange, the server creates a security context object that represents the identity of the client in the Windows OS. This identity includes the name of the client account. The Windows authentication plugin uses the identity of the client to check whether it is a given account or a member of a group. By default, negotiation uses Kerberos to authenticate, then NTLM if Kerberos is unavailable.

The Windows authentication plugin provides these capabilities:

  • External authentication: The plugin enables MySQL Server to accept connections from users defined outside the MySQL grant tables.

  • Proxy user support: The plugin can return to MySQL a user name different from the client user. This means that the plugin can return the MySQL user that defines the privileges the external Windows-authenticated user should have. For example, a Windows user named joe can connect and have the privileges of the MySQL user named developer.

The following table shows the plugin and library file names. The file location must be the directory named by the plugin_dir system variable. For installation information, see Section, “Installing the Windows Authentication Plugin”.

Table 5.4 MySQL Windows Authentication Plugin

Server-side plugin nameauthentication_windows
Client-side plugin nameauthentication_windows_client
Library object file nameauthentication_windows.dll

The library file includes only the server-side plugin. As of MySQL 5.5.13, the client-side plugin is built into the libmysqlclient client library.

The server-side Windows authentication plugin is included only in MySQL Enterprise Edition. It is not included in MySQL community distributions. The client-side plugin is included in all distributions, including community distributions. This permits clients from any 5.5.13 or newer distribution to connect to a server that has the server-side plugin loaded.

The Windows authentication plugin is supported on any version of Windows supported by MySQL 5.5 (see It requires MySQL Server 5.5.16 or newer.

For general information about pluggable authentication in MySQL, see Section 5.6, “Pluggable Authentication”. For proxy user information, see Section 5.8, “Proxy Users”.

Download this Excerpt
PDF (US Ltr) - 0.8Mb
PDF (A4) - 0.8Mb
EPUB - 231.1Kb
HTML Download (TGZ) - 169.1Kb
HTML Download (Zip) - 179.2Kb
User Comments
Sign Up Login You must be logged in to post a comment.