5.3.4.3 Native Kerberos

The Native Kerberos connection method authenticates a MySQL user with authentication tokens generated by the kinit command. Using this connection method, MySQL Workbench and MySQL servers are able to use the Kerberos authentication protocol to mutually authenticate users and MySQL services. This way both the user and the server are able to verify each other's identity. No passwords are sent over the network, and Kerberos protocol messages are protected against eavesdropping and replay attacks.

MySQL Workbench provides the authentication_kerberos_client client-side plugin to support this connection method. It is compatible with the authentication_kerberos server-side plugin, which must be installed and loaded on the MySQL server hosting the connection (see Installing Kerberos Pluggable Authentication).

For server configuration setup details and an operational overview of Kerberos authentication, see:

Connection values for the Native Kerberos connection method include:

Parameters Tab

  • Hostname: The host name or IP address of the MySQL server with an account that has the Kerberos principal name as the user name and that authenticates using the Kerberos plugin.

  • Port: The TCP/IP port number of the server host, such as 3306.

  • Username: User name associated with the MySQL account.

    The client-side Kerberos authentication plugin combines the user name you provide (for example, skylar) and the realm specified in the user account (for example, MYSQL.LOCAL) to construct the user principal name (UPN), such as skylar@MYSQL.LOCAL. The client-side plugin uses the UPN and password to obtain a ticket-granting ticket (TGT), uses the TGT to obtain a MySQL service ticket (ST), and uses the ST to authenticate to the MySQL server.

  • Password: Password associated with the MySQL account. If you enter no password, you might be prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.

    Note

    If the kinit command is used to authenticate a Kerberos principal name (outside of MySQL Workbench), MySQL Workbench authorizes the user without checking (or prompting) for a password. This behavior applies even when the password is stored in a vault.

  • Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.

  • Kerberos Mode: On Windows, select between Kerberos authentication using the Windows SSPI Kerberos library or GSSAPI through the MIT Kerberos library. Only GSSAPI is permitted on Linux.

    The mode values are:

    • GSS API Authentication (MIT Native) (default value) – The MIT Kerberos cache can be populated using the kinit command. In GSSAPI mode, the ticket search on Windows hosts is restricted to the MIT Kerberos cache only. If the cache has no ticket, the connection fails even if the Windows ticket is valid.

    • SSPI API Authentication (Windows) – The SSPI Kerberos library is not compatible with Java SE security tools (klist, kinit, and so on). In SSPI mode, the authentication method considers the Windows single sign-on ticket only. If the ticket is missing or invalid, the connection fails even if the MIT Kerberos cache contains a valid ticket.
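As an added example (not part of the MySQL Workbench documentation or the plugin's own code), the following Python preflight check mirrors the two rules described above: it builds the UPN from the user name and realm the way the client plugin does, and it verifies that the MIT credentials cache, as listed by klist, holds an unexpired TGT for that principal, which is what GSS API (MIT Native) mode requires before a connection can succeed. The klist listing is constructed, and the parser assumes MIT Kerberos' default text layout for klist output.

```python
"""Preflight check for a Native Kerberos connection in GSSAPI (MIT) mode."""
import re
from datetime import datetime

KLIST_TIME = "%m/%d/%Y %H:%M:%S"  # timestamp layout used by MIT klist

# Constructed sample of MIT `klist` output (not captured from a real host).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: skylar@MYSQL.LOCAL

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/MYSQL.LOCAL@MYSQL.LOCAL
01/15/2024 09:05:00  01/15/2024 19:00:00  mysql/db01.mysql.local@MYSQL.LOCAL
"""

# One ticket line: <valid starting>  <expires>  <service principal>
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$",
    re.M,
)


def build_upn(username: str, realm: str) -> str:
    """Mirror the client plugin: user name + realm -> user principal name."""
    return f"{username}@{realm}"


def cache_has_tgt(klist_output: str, upn: str, now: datetime):
    """Return (ok, reason). ok is True only when the cache belongs to `upn`
    and holds an unexpired TGT (krbtgt/REALM@REALM). In GSSAPI mode only the
    MIT cache is searched, so a missing or expired TGT here means the
    Workbench connection attempt will fail."""
    m = re.search(r"^Default principal: (\S+)$", klist_output, re.M)
    if not m:
        return False, "no credentials cache found (run kinit first)"
    if m.group(1) != upn:
        return False, f"cache principal {m.group(1)} does not match {upn}"
    realm = upn.split("@", 1)[1]
    for _start, expires, service in TICKET_RE.findall(klist_output):
        if service == f"krbtgt/{realm}@{realm}":
            if datetime.strptime(expires, KLIST_TIME) <= now:
                return False, f"TGT expired at {expires}"
            return True, "valid TGT present"
    return False, f"no TGT for realm {realm} in cache"


if __name__ == "__main__":
    upn = build_upn("skylar", "MYSQL.LOCAL")
    print(upn, cache_has_tgt(SAMPLE_KLIST, upn, datetime.now()))
```

On a real host, feed the function the captured output of `klist` instead of SAMPLE_KLIST; a False result explains why the kinit-based login would fail before Workbench reports a generic connection error.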

SSL Tab

The SSL options for this connection method are the same as Standard TCP/IP (see SSL Tab).

Advanced Tab

The advanced options for this connection method are similar to Standard TCP/IP (see Advanced Tab), but also include the following options:

  • Path to plugin directory:

    An alternative path might be necessary to ensure that the client-side and server-side plugins remain compatible.

  • Kerberos configuration path:

    Full path name to the Kerberos configuration information on Linux, or on Windows with the GSS API Authentication (MIT Native) Kerberos mode option selected.

  • Kerberos credentials cache:

    Location of the Kerberos credentials (ticket) cache on Linux, or the MIT Kerberos cache on Windows with the GSS API Authentication (MIT Native) Kerberos mode option selected.