Using the Aurora MySQL Kerberos login to connect to the DB cluster Kerberos authentication with Aurora global databases Migrating from RDS for MySQL to Aurora MySQL Preventing ticket caching Logging for Kerberos authentication

Connecting to Aurora MySQL with Kerberos authentication

To avoid errors, use a MySQL client with version 8.0.26 or higher on Unix platforms, 8.0.27 or higher on Windows.

To connect to Aurora MySQL with Kerberos authentication, you log in as a database user that you created using the instructions in Step 6: Create Aurora MySQL users that use Kerberos authentication.

At a command prompt, connect to one of the endpoints associated with your Aurora MySQL DB cluster. When you're prompted for the password, enter the Kerberos password associated with that username.

When you authenticate with Kerberos, a ticket-granting ticket (TGT) is generated if one doesn't already exist. The authentication_kerberos plugin uses the TGT to get a service ticket, which is then presented to the Aurora MySQL database server.

You can use the MySQL client to connect to Aurora MySQL with Kerberos authentication using either Windows or Unix.

You can connect by using either one of the following methods:

Obtain the TGT manually. In this case, you don't need to supply the password to the MySQL client.
Supply the password for the Active Directory login directly to the MySQL client.

The client-side plugin is supported on Unix platforms for MySQL client versions 8.0.26 and higher.

To connect by obtaining the TGT manually

At the command line interface, use the following command to obtain the TGT.
```
kinit user_name
```
Use the following mysql command to log in to the DB instance endpoint of your DB cluster.
```
mysql -h DB_instance_endpoint -P 3306 -u user_name -p
```
Note
Authentication can fail if the keytab is rotated on the DB instance. In this case, obtain a new TGT by rerunning kinit.

To connect directly

At the command line interface, use the following mysql command to log in to the DB instance endpoint of your DB cluster.
```
mysql -h DB_instance_endpoint -P 3306 -u user_name -p
```
Enter the password for the Active Directory user.

On Windows, authentication is usually done at login time, so you don't need to obtain the TGT manually to connect to the Aurora MySQL DB cluster. The case of the database username must match the character case of the user in the Active Directory. For example, if the user in the Active Directory appears as Admin, the database username must be Admin.

The client-side plugin is supported on Windows for MySQL client versions 8.0.27 and higher.

To connect directly

At the command line interface, use the following mysql command to log in to the DB instance endpoint of your DB cluster.
```
mysql -h DB_instance_endpoint -P 3306 -u user_name
```

Kerberos authentication with Aurora global databases

Kerberos authentication for Aurora MySQL is supported for Aurora global databases. To authenticate users on the secondary DB cluster using the Active Directory of the primary DB cluster, replicate the Active Directory to the secondary AWS Region. You turn on Kerberos authentication on the secondary cluster using the same domain ID as for the primary cluster. AWS Managed Microsoft AD replication is supported only with the Enterprise version of Active Directory. For more information, see Multi-Region replication in the AWS Directory Service Administration Guide.

Migrating from RDS for MySQL to Aurora MySQL

After you migrate from RDS for MySQL with Kerberos authentication enabled to Aurora MySQL, modify users created with the auth_pam plugin to use the authentication_kerberos plugin. For example:


ALTER USER user_name IDENTIFIED WITH 'authentication_kerberos' BY 'realm_name';

Preventing ticket caching

If a valid TGT doesn't exist when the MySQL client application starts, the application can obtain and cache the TGT. If you want to prevent the TGT from being cached, set a configuration parameter in the /etc/krb5.conf file.

Note

This configuration only applies to client hosts running Unix, not Windows.

To prevent TGT caching

Add an [appdefaults] section to /etc/krb5.conf as follows:


[appdefaults]
  mysql = {
    destroy_tickets = true
  }

Logging for Kerberos authentication

The AUTHENTICATION_KERBEROS_CLIENT_LOG environment variable sets the logging level for Kerberos authentication. You can use the logs for client-side debugging.

The permitted values are 1–5. Log messages are written to the standard error output. The following table describes each logging level.

Logging level	Description
1 or not set	No logging
2	Error messages
3	Error and warning messages
4	Error, warning, and information messages
5	Error, warning, information, and debug messages

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Setting up Kerberos authentication for Aurora MySQL

Managing a DB cluster in a domain