As of MySQL 5.5.16, commercial distributions of MySQL for Windows include an authentication plugin that performs external authentication on Windows, enabling MySQL Server to use native Windows services to authenticate client connections. Users who have logged in to Windows can connect from MySQL client programs to the server based on the information in their environment without specifying an additional password.

The client and server exchange data packets in the authentication handshake. As a result of this exchange, the server creates a security context object that represents the identity of the client in the Windows OS. This identity includes the name of the client account. The Windows authentication plugin uses the identity of the client to check whether it is a given account or a member of a group. By default, negotiation uses Kerberos to authenticate, then NTLM if Kerberos is unavailable.

The Windows authentication plugin provides these capabilities:

The following table shows the plugin and library file names. The file location must be the directory named by the plugin_dir system variable. For installation information, see Section 5.6.3.1, “Installing the Windows Authentication Plugin”.

The library file includes only the server-side plugin. As of MySQL 5.5.13, the client-side plugin is built into the libmysqlclient client library.

The server-side Windows authentication plugin is included only in commercial distributions. It is not included in MySQL community distributions. The client-side plugin is included in all distributions, including community distributions. This permits clients from any 5.5.13 or newer distribution to connect to a server that has the server-side plugin loaded.

The Windows authentication plugin should work on Windows 2000 Professional and up. It requires MySQL Server 5.5.16 or newer.

For general information about pluggable authentication in MySQL, see Section 5.6, “Pluggable Authentication”. For proxy user information, see Section 5.7, “Proxy Users”.