MySQL Connector/NET Developer Guide

4.4 Connector/NET Authentication

MySQL Connector/NET implements a variety of authentication plugins that MySQL Server can invoke to authenticate a user. Pluggable authentication enables the server to determine which plugin applies, based on the user name and host name that your application passes to the server when making a connection. For a complete description of the authentication process, see Pluggable Authentication.

Connector/NET provides the following authentication plugins and methods:

  • mysql_native_password

    Supported for all versions of Connector/NET.

  • sha256_password

    Minimum version: Connector/NET 8.0.11

    Supported for both classic MySQL protocol and X Protocol connections. For additional information on using the MYSQL41 mechanism with X Protocol, see the Auth connection option.

  • caching_sha2_password

    Minimum version: Connector/NET 8.0.11 for classic MySQL protocol connections only.

  • authentication_windows_client

    MySQL Connector/NET applications can authenticate to a MySQL server using the Windows Native Authentication Plugin. Users who have logged in to Windows can connect from MySQL client programs to the server based on the information in their environment without specifying an additional password. The interface matches the MySql.Data.MySqlClient object. To enable this plugin, set Integrated Security in the connection string to yes or sspi.

    Passing in a user ID is optional. When Windows authentication is set up, a MySQL user is created and configured to be used by Windows authentication. By default, this user ID is named auth_windows, but can be defined using a different name. If the default name is used, then passing the user ID to the connection string from Connector/NET is optional, because it will use the auth_windows user. Otherwise, the name must be passed to the connection string using the standard user ID element.

    Supported for all versions of Connector/NET.

  • authentication_kerberos_client

    Applications and MySQL servers are able to use the Kerberos authentication protocol to authenticate users and MySQL services. With pure Kerberos, both the user and the server are able to verify each other's identity. No passwords are ever sent over the network and Kerberos protocol messages are protected against eavesdropping and replay attacks.

    The DefaultAuthenticationPlugin connection-string option is mandatory for supporting userless and passwordless Kerberos authentication (see Options for Classic MySQL Protocol Only).

    Minimum version: Connector/NET 8.0.26 for classic MySQL protocol connections only. Supported on Linux only.

    MIT Kerberos must be installed on each client system to enable authentication of request tickets for Connector/NET by a MySQL server. The libgssapi_krb5.so.2 library for Linux is required.

  • authentication_ldap_sasl_client

    SASL-based LDAP authentication for Connector/NET requires the Enterprise Edition of MySQL. The authentication protocol applies to applications running on Linux and Windows (partial support), but not macOS.

    Minimum version:

    • Connector/NET 8.0.22 (SCRAM-SHA-1) on Linux and Windows.

    • Connector/NET 8.0.23 (SCRAM-SHA-256) for classic MySQL protocol only on Linux and Windows.

    • Connector/NET 8.0.24 (GSSAPI) for classic MySQL protocol only on Linux only.

      MIT Kerberos must be installed on each client system to enable authentication of request tickets for Connector/NET by a MySQL server. The authentication_ldap_sasl plugin must be configured to use the GSSAPI mechanism and the application user must be identified as follows:

      IDENTIFIED WITH 'authentication_ldap_sasl'

      The libgssapi_krb5.so.2 library for Linux is required.

  • mysql_clear_password

    Minimum version: Connector/NET 8.0.22 for classic MySQL protocol only.

    Requires a secure connection to the server, which is satisfied by either condition at the client:

    • The SslMode connection option has a value other than None (Preferred by default).

    • The ConnectionProtocol connection option is set to unix for Unix domain sockets.
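
The following pre-flight check is an added example, not code from the Connector/NET documentation. It applies the secure-connection conditions listed above for mysql_clear_password and the DefaultAuthenticationPlugin requirement for userless Kerberos to a connection string before it is used. It assumes a project that references a MySql.Data release with the DefaultAuthenticationPlugin property (8.0.26 or later); the class name AuthPreflight, the host, the socket path and the account are placeholders.

```csharp
using System;
using MySql.Data.MySqlClient;

public static class AuthPreflight
{
    // The page's condition for mysql_clear_password: SslMode is not None,
    // or the connection uses a Unix domain socket.
    public static bool IsSecureTransport(MySqlConnectionStringBuilder csb) =>
        csb.SslMode != MySqlSslMode.None ||
        csb.ConnectionProtocol == MySqlConnectionProtocol.Unix;

    // Returns null when the string passes, otherwise the reason it was rejected.
    public static string Check(string connectionString)
    {
        var csb = new MySqlConnectionStringBuilder(connectionString);

        if (!IsSecureTransport(csb))
            return "SslMode=None without a Unix socket: a cleartext password " +
                   "exchange (mysql_clear_password) would not be protected";

        // Userless logins need either Windows authentication or an explicit
        // DefaultAuthenticationPlugin (mandatory for userless Kerberos).
        bool userless = string.IsNullOrEmpty(csb.UserID);
        if (userless && !csb.IntegratedSecurity &&
            string.IsNullOrEmpty(csb.DefaultAuthenticationPlugin))
            return "no user ID, no Integrated Security and no DefaultAuthenticationPlugin";

        return null;
    }

    public static void Main()
    {
        // Constructed samples; host, socket path and account are placeholders.
        string[] samples =
        {
            "server=db.example.internal;user id=app;password=placeholder;SslMode=None",
            "server=db.example.internal;user id=app;password=placeholder;SslMode=Required",
            "server=/run/mysqld/mysqld.sock;protocol=unix;user id=app;password=placeholder;SslMode=None",
            "server=db.example.internal;DefaultAuthenticationPlugin=authentication_kerberos_client",
            "server=db.example.internal",
        };
        foreach (var s in samples)
            Console.WriteLine($"{Check(s) ?? "ok"} <- {s}");
    }
}
```

Only the first and last samples are rejected: the first disables TLS over TCP, and the last names no user and no authentication plugin.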