AWS Database Blog
Use Kerberos authentication with Amazon Aurora MySQL
Amazon Aurora MySQL-Compatible Edition offers multiple authentication methods to securely authenticate database user access and meet different security needs. The most common method of authentication is using a user name and password. This can create additional overhead for both users and database administrators to manage and rotate these credentials; it also requires additional investments in auditing and governance.
Amazon Aurora MySQL now supports Microsoft Active Directory (AD) authentication using Kerberos for Amazon Aurora MySQL version 3.03 and higher. With support for AWS Directory Service for Microsoft Active Directory integration, you can manage database users in a centralized location and use single sign-on to authenticate database users.
In this post, we discuss how to integrate self-managed Microsoft AD with AWS Managed Microsoft AD, enable Kerberos authentication in Amazon Aurora MySQL, and authenticate with Kerberos from Windows and Linux clients.
Kerberos authentication
Kerberos functions as a network authentication protocol enabling resources to mutually verify identities across untrusted networks. This capability allows Amazon Aurora MySQL to integrate with centralized authentication services such as Microsoft AD, which inherently supports Kerberos.
The Kerberos authentication workflow consists of the following steps in MySQL:
- The client application receives its service principal name (SPN) from Amazon Aurora MySQL.
- Kerberos authentication in MySQL uses Generic Security Application Program Interface (GSSAPI). With GSSAPI, the client application initiates a Kerberos client-side authentication session and communicates using Kerberos messages with the Kerberos Key Distribution Center (KDC).
- Using a ticket-granting ticket (TGT), the client obtains a service ticket for Amazon Aurora MySQL from the ticket-granting service.
- Through GSSAPI, the client application forwards the MySQL service ticket to Amazon Aurora MySQL.
- Through GSSAPI, Amazon Aurora MySQL initiates a Kerberos service-side authentication session. It verifies the user’s identity and the legitimacy of the user’s request.
For detailed information on Kerberos authentication in MySQL, see Kerberos Pluggable Authentication.
Solution overview
To simulate the self-managed Microsoft AD environment, you can create the Active Directory in an Amazon Elastic Compute Cloud (Amazon EC2) instance running in a VPC, AWS Managed Microsoft AD in a separate VPC, and a one-way forest trust between them. For more information about preparing the environment, see Preparing on-premises and AWS environments for external Kerberos authentication for Amazon RDS.
The following diagram illustrates the high-level architecture of the self-managed and AWS-managed environment.
Prerequisites
In this post, we assume you already have a self-managed Active Directory and have established a trust relationship between the self-managed and AWS-managed AD. For this post, we use an AWS Managed Microsoft AD domain named ad.myaws.com and a self-managed AD domain named onprem.local. To access the Aurora MySQL cluster located in a separate VPC, we enabled VPC peering to establish network connectivity and enabled a one-way forest trust to facilitate name suffix routing. This will allow Kerberos authentication between two Active Directory forests. To enable the forest trust, complete the following steps:
- In your self-managed AD, create a new conditional forwarder to forward the DNS request to the AWS-managed AD.
- Create a one-way incoming forest trust to the AWS-managed AD.
- Create a one-way outgoing forest trust to the self-managed AD from your AWS-managed AD.
For detailed information about these steps, see Preparing on-premises and AWS environments for external Kerberos authentication for Amazon RDS.
The following screenshot shows our AWS-managed AD.
Create a new Aurora cluster
Create a new Aurora MySQL cluster with 3.03 version or higher and enable the Kerberos authentication, then choose the AWS-managed AD that you want to associate with the cluster. If the Aurora MySQL cluster is already created, you can modify it to allow Kerberos authentication, as shown in the following screenshot.
It will take a few minutes for the new change to take into effect. You can confirm the modification is successfully applied to the instance either using the AWS Management Console or AWS Command Line Interface (AWS CLI). The following AWS CLI command shows the domain membership of the Aurora MySQL cluster:
When enabling Kerberos authentication for an existing DB cluster, reboot all the instances within the cluster after applying the modification. See Setting up Kerberos authentication for Aurora MySQL clusters for instructions.
Create an AD domain user
Create the AD domain user based on your business security policies. For this post, we create the user joedoe@ONPREM.LOCAL
, as shown in the following screenshot. We use this user to connect to the Aurora MySQL instance using Kerberos authentication.
Create a database user
Connect to the Aurora MySQL cluster using the admin user and verify Kerberos authentication is enabled:
[ec2-user@ip-10-0-3-4 ~]$ mysql -h aurora-kerberos.cluster-xxyzzz.ap-southeast-2.rds.amazonaws.com -u admin -p
Create a user for Kerberos authentication and confirm its validity. Provide the user with the essential permissions. The following command illustrates the process of creating a database user named joedoe to connect via Kerberos authentication from the ONPREM.LOCAL domain:
Connect to Amazon Aurora MySQL from Windows
To connect from Windows, RDP into the Windows client machine using the domain user joedoe that was created in the self-managed AD. Create a Kerberos configuration file named krb5.conf on the Windows client machine. In this setup, the krb5.conf file should include the following details:
Additionally, set the environment variable KRB5_CONFIG
to point to the location of the krb5.conf file. For example, we set the variable in the Windows client machine as follows:
SET KRB5_CONFIG=C:\Program Files\MySQL\MySQL Server 8.0\krb5.conf
To set this variable permanently, create a Windows system environment variable. To create a ticket granting ticket and save it in the Kerberos credential cache, install MIT Kerberos ticket manager from the MIT Kerberos Distribution Page. After installation, generate the ticket for the domain user, in this case joedoe@ONPREM.LOCAL.
We have configured all the prerequisites to connect to Amazon Aurora MySQL from the Windows client machine. Now let’s go connect to the Aurora MySQL cluster using Windows command line.
Parameter | Description |
-h |
Aurora cluster end-point |
-u |
AD user name |
-plugin-authentication-kerberos-client-mode |
Specifies client authentication plugin mode. GSSAPI mode to enable authentication through MIT Kerberos library. |
-plugin-dir |
Specifies the client program the location of the authentication_kerberos_client plugin. |
To connect from MySQL Workbench using Kerberos authentication, complete the following steps:
- For Connection Method, choose NativeKerberos.
- On the Parameters tab, provide the following information:
- For Hostname, enter the Aurora MySQL cluster endpoint.
- For Username, enter the Aurora MySQL user name that was created for the Kerberos authentication.
- For Kerberos Mode, select GSS API Authentication.
- On the Advanced tab, configure the following variables:
- For Path to plugin directory, enter the path to MySQL Server client plugin directory.
- For Kerberos configuration path, enter the path to the Kerberos configuration file.
- Choose Test Connection to test the connection to MySQL Workbench.
- When the test is successful, choose OK, then choose OK to complete your connection.
Connect to Amazon Aurora MySQL from Linux
To connect from Linux, SSH into your Linux machine using the domain user joedoe. Verify the Linux machine joined to the domain using the following command:
The Kerberos client may not be installed on all the Linux machines by default. To install the Kerberos client on Amazon Linux 2, use the following command:
yum install krb5-workstation krb5-libs krb5-auth-dialog
Configure realms and domain_realm
in the krb5.conf file based on your Active Directory domain in the client machine. For example, the following is the modified krb5.conf file for our test environment:
The Kerberos authentication method is supported from MySQL version 8.0.26 and higher, so install the mysql-client version 8.0.26 or higher. After installing, check the MySQL client version:
Before we connect to the Aurora MySQL server, we need to obtain the ticket-granting ticket from the Microsoft Active Directory (KDC) using the kinit command by providing a Kerberos user principal name and the principal password:
Connect to the Aurora MySQL server using Kerberos authentication without specifying the password:
Clean up
When you’re done with the solution, delete the resources you created to avoid ongoing charges.
Conclusion
In this post, we illustrated the authentication process for a DB user in Amazon Aurora MySQL using external Kerberos and Microsoft AD. This setup relies on a one-way forest trust established between a self-managed AD domain and an AWS Managed Microsoft AD domain. Implementing this configuration enhances flexibility and simplifies the complexity for users who choose Kerberos for their database authentication.
For more information, see Using Kerberos authentication for Aurora MySQL.
About the Authors
Surendar Munimohan is a Sr. Database Solutions Architect with Amazon Web Services. He has more than a decade of experience working with relational databases and architecting highly scalable applications in the AWS. In his current role, he works with customers to design scalable, highly available, secure, and cost-effective solutions in the AWS Cloud.
Zhen Wang is a Sr. Technical Account Manager with Amazon Web Services. He works backwards from his Enterprise Support customers to craft support strategies, deliver expert advice on AWS services with the goal of achieving operational excellence in the AWS Cloud.
Sai Kiran Kshatriyais an Amazon Web Services Database Specialist Solutions Architect who specializes in Relational Databases. He offers customers technical assistance, operational guidance, and best practices for databases.