Beginning with MySQL 8.0.26, MySQL Enterprise Edition supports an authentication method that enables users to authenticate to MySQL Server using Kerberos, provided that appropriate Kerberos tickets are available or can be obtained. Kerberos-based pluggable authentication is a part of MySQL Enterprise security. This method of authentication essentially enables you to integrate MySQL security with existing security infrastructure like Microsoft Active Directory or Azure AD.
The same user names, passwords, and permissions can be used to enhance security by leveraging existing AD rules for strong password enforcement, password expiry, etc.
MySQL Native Kerberos Authentication enables customers to leverage existing Kerberos authentication infrastructure such as single sign-on. Both MIT (GSSAPI) and Microsoft (SSPI) Kerberos implementations are supported.
<p class="info">The Kerberos server-side plugin used for Microsoft AD integration with MySQL is only available in MySQL Enterprise Edition from 8.0.26.</p>
Integrate an existing AD with MySQL Enterprise hosted on Linux in 3 steps
- Microsoft AD or Azure AD.
- Sufficient privileges to create an AD user in the Windows AD Domain Controller or in Azure.
- Connectivity between the Domain Controller (DC) and the Linux server. The appropriate TCP/UDP ports need to be allowed and whitelisted in security groups or firewalls:
- ~ Windows AD DNS port: 53
- ~ Windows AD Kerberos ports: 88, 750
- ~ MySQL Server port for clients: default 3306.
- For this experiment we used tessellpoc.com as the AD domain/forest and <user_name>@tessellpoc.com as the user credentials.
In the example below we used the Microsoft AD implementation from AWS Directory Service.
To create a new AD in AWS, refer to Active Directory – AWS Directory Service – AWS.
Enable Kerberos on Linux and authenticate to the Active Directory server
- Install the Kerberos client libraries on the MySQL server.
- Obtain the AD Domain Controller's IP address by logging in to the AD server.
- Test that telnet to the DC succeeds from the MySQL server.
- ~ Make a manual entry in the /etc/hosts file on the MySQL server if the DC name cannot be resolved through DNS.
- Configure the Kerberos client file (krb5.conf) as follows:
- ~ Configure the REALM name (in uppercase).
- ~ Set default_realm if users need to authenticate with only the user name instead of user@REALM.
- ~ Set default_enctypes and permitted_enctypes as required. We are using AES256_CTS (256-bit encryption), which is compatible with the current use case.
- ~ More info: krb5.conf — MIT Kerberos Documentation
- Create the AD user in Windows AD. This user will also be used to connect to the MySQL server. Skip this step if the user already exists.
<p class="info">The KerberosEncryptionType variable needs to be adjusted to match the configured encryption method.</p>
- Test AD user authentication on the Linux server using kinit.
Enable the Kerberos server-side plugin in MySQL Enterprise
- The server-side plugin file authentication_kerberos.so is already shipped with the MySQL Enterprise software distribution under <default installation path>/lib/plugin/.
- ~ Modify or add the following server-side variables in my.cnf:
<p class="info">The format for the SPN is <service name>/<AD Server>@<REALM NAME>.</p>
- Alternatively, the plugin can be loaded at runtime using the steps below.
- Check the plugin status.
- Create a MySQL user with the same user name as the AD user, as below. You can repeat this for
Map the MySQL SPN to an AD user for authentication
- In Windows AD, create a keytab file for the AD user and map it to the MySQL Kerberos SPN (Service Principal Name). Only one user can be mapped to an SPN. Typically this user should be the MySQL master/admin user or an AD admin user.
- Copy the keytab file to the MySQL server directory specified in the MySQL variable. This validates the SPN registered in the MySQL variable against the AD server.
- Ensure the correct permissions and owner on the mysql.keytab file.
- Obtain a TGT using kinit, and list it with klist, on the Linux server.
- Validate that the TGT has been created and is available.
- Use the MySQL client to authenticate. Here we are using the MySQL client that resides on the MySQL server.
- Login succeeds with Kerberos-based AD authentication.
- For a client on a different host from the server, follow the same steps to enable the Kerberos client on Linux.
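One way to lay out the krb5.conf and my.cnf fragments from the steps above, together with a check of the SPN format and of the keytab ownership and mode that the keytab step only mentions, as an added example that is not part of the original post: the ad01 host name, the keytab path and the aes256 enctype strings are constructed for the tessellpoc.com lab, while the two authentication_kerberos_* variables are the plugin's real server variable names.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): emit the client krb5.conf and the
# server my.cnf fragments this procedure needs, and check the SPN and keytab
# before restarting mysqld. Hostnames are constructed for the tessellpoc.com lab.
REALM="TESSELLPOC.COM"                 # Kerberos realm, always uppercase
AD_SERVER="ad01.tessellpoc.com"        # hypothetical Domain Controller FQDN
SPN="mysql/${AD_SERVER}@${REALM}"      # <service>/<AD Server>@<REALM>, as in the post
KEYTAB="/var/lib/mysql/mysql.keytab"   # where the keytab exported from AD is copied
# /etc/krb5.conf using MIT option names; AES256-CTS as chosen in the post.
krb5_conf() {
  cat <<EOF
[libdefaults]
    default_realm = ${REALM}
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
    ${REALM} = {
        kdc = ${AD_SERVER}:88
    }
[domain_realm]
    .tessellpoc.com = ${REALM}
    tessellpoc.com = ${REALM}
EOF
}
# my.cnf fragment: load authentication_kerberos at startup and point it at the
# SPN and keytab (these are the plugin's real server variable names).
mysqld_conf() {
  cat <<EOF
[mysqld]
plugin-load-add=authentication_kerberos.so
authentication_kerberos_service_principal=${SPN}
authentication_kerberos_service_key_tab=${KEYTAB}
EOF
}
# An SPN must look like <service>/<host>@<REALM> with an uppercase realm;
# otherwise the KDC issues no service ticket that matches the keytab key.
validate_spn() {
  local spn="$1" realm
  case "$spn" in ?*/?*@?*) ;; *) return 1 ;; esac
  realm="${spn##*@}"
  [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}
# The keytab holds the service's long-term key: it must be owned by the mysqld
# user and readable by nobody else (mode 0600).
check_keytab() {
  local f="$1" owner="$2"
  [ -f "$f" ] && [ -n "$(find "$f" -prune -perm 0600 -user "$owner")" ]
}
```

Write `krb5_conf` to /etc/krb5.conf and append `mysqld_conf` to my.cnf, then run `validate_spn "$SPN"` and `check_keytab "$KEYTAB" mysql` before restarting mysqld.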
We can now integrate AD authentication, leveraging its advanced security features and simpler user credential management, using the readily available plugins for MySQL Enterprise Edition.