This section describes how to install the Windows authentication plugin. For general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.本节介绍如何安装Windows身份验证插件。有关安装插件的一般信息，请参阅第5.6.1节，“安装和卸载插件”。

To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). 为了让服务器使用，插件库文件必须位于MySQL插件目录（由plugin_dir系统变量命名的目录）中。If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.如有必要，在服务器启动时通过设置plugin_dir的值来配置插件目录位置。

To load the plugin at server startup, use the --plugin-load-add option to name the library file that contains it. 要在服务器启动时加载插件，请使用--plugin-load-add选项命名包含它的库文件。With this plugin-loading method, the option must be given each time the server starts. For example, put these lines in the server my.cnf file:使用此插件加载方法，每次服务器启动时都必须给出该选项。例如，将以下行放入服务器my.cnf文件中：

[mysqld]
plugin-load-add=authentication_windows.dll

After modifying my.cnf, restart the server to cause the new settings to take effect.修改my.cnf后，重新启动服务器以使新设置生效。

Alternatively, to load the plugin at runtime, use this statement:或者，要在运行时加载插件，请使用以下语句：

INSTALL PLUGIN authentication_windows SONAME 'authentication_windows.dll';

INSTALL PLUGIN loads the plugin immediately, and also registers it in the mysql.plugins system table to cause the server to load it for each subsequent normal startup without the need for --plugin-load-add.INSTALL PLUGIN会立即加载插件，并将其注册到mysql.plugins系统表中，以便服务器在每次后续正常启动时加载它，而不需要--plugin-load-add。

To verify plugin installation, examine the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:要验证插件安装，请检查INFORMATION_SCHEMA.PLUGINS表或使用SHOW PLUGINS语句（请参阅第5.6.2节，“获取服务器插件信息”）。例如：

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE '%windows%';
+------------------------+---------------+
| PLUGIN_NAME            | PLUGIN_STATUS |
+------------------------+---------------+
| authentication_windows | ACTIVE        |
+------------------------+---------------+

If the plugin fails to initialize, check the server error log for diagnostic messages.如果插件初始化失败，请检查服务器错误日志中的诊断消息。

To associate MySQL accounts with the Windows authentication plugin, see Using Windows Pluggable Authentication. 要将MySQL帐户与Windows身份验证插件相关联，请参阅使用Windows可插拔身份验证。Additional plugin control is provided by the authentication_windows_use_principal_name and authentication_windows_log_level system variables. 附加插件控制由authentication_windows_use_principal_name和authentication_windows_log_level系统变量提供。See Section 5.1.8, “Server System Variables”.请参阅第5.1.8节，“服务器系统变量”。

The method used to uninstall the Windows authentication plugin depends on how you installed it:卸载Windows身份验证插件的方法取决于您的安装方式：

In addition, remove any startup options that set Windows plugin-related system variables.此外，删除任何设置Windows插件相关系统变量的启动选项。

The Windows authentication plugin supports the use of MySQL accounts such that users who have logged in to Windows can connect to the MySQL server without having to specify an additional password. Windows身份验证插件支持使用MySQL帐户，这样登录到Windows的用户就可以连接到MySQL服务器，而无需指定额外的密码。It is assumed that the server is running with the server-side plugin enabled, as described in Installing Windows Pluggable Authentication. 假设服务器在启用服务器端插件的情况下运行，如安装Windows可插拔身份验证中所述。Once the DBA has enabled the server-side plugin and set up accounts to use it, clients can connect using those accounts with no other setup required on their part.一旦DBA启用了服务器端插件并设置了使用它的帐户，客户端就可以使用这些帐户进行连接，而不需要进行其他设置。

To refer to the Windows authentication plugin in the IDENTIFIED WITH clause of a CREATE USER statement, use the name authentication_windows. 要在CREATE USER语句的IDENTIFIED WITH子句中引用Windows身份验证插件，请使用名称authentication_Windows。Suppose that the Windows users Rafal and Tasha should be permitted to connect to MySQL, as well as any users in the Administrators or Power Users group. 假设应该允许Windows用户Rafal和Tasha以及Administrators或Power Users组中的任何用户连接到MySQL。To set this up, create a MySQL account named sql_admin that uses the Windows plugin for authentication:要设置此设置，请创建一个名为sql_admin的MySQL帐户，该帐户使用Windows插件进行身份验证：

CREATE USER sql_admin
  IDENTIFIED WITH authentication_windows
  AS 'Rafal, Tasha, Administrators, "Power Users"';

The plugin name is authentication_windows. The string following the AS keyword is the authentication string. 插件名称为authentication_windows。AS关键字后面的字符串是身份验证字符串。It specifies that the Windows users named Rafal or Tasha are permitted to authenticate to the server as the MySQL user sql_admin, as are any Windows users in the Administrators or Power Users group. 它指定允许名为Rafal或Tasha的Windows用户以MySQL用户sql_admin的身份向服务器进行身份验证，管理员或高级用户组中的任何Windows用户也是如此。The latter group name contains a space, so it must be quoted with double quote characters.后一个组名包含空格，因此必须用双引号括起来。

After you create the sql_admin account, a user who has logged in to Windows can attempt to connect to the server using that account:创建sql_admin帐户后，登录到Windows的用户可以尝试使用该帐户连接到服务器：

C:\> mysql --user=sql_admin

No password is required here. 此处不需要密码。The authentication_windows plugin uses the Windows security API to check which Windows user is connecting. authentication_windows插件使用windows安全API来检查正在连接的windows用户。If that user is named Rafal or Tasha, or is a member of the Administrators or Power Users group, the server grants access and the client is authenticated as sql_admin and has whatever privileges are granted to the sql_admin account. 如果该用户名为Rafal或Tasha，或者是Administrators或Power Users组的成员，则服务器将授予访问权限，客户端将通过sql_admin身份验证，并具有授予sql_admin帐户的任何权限。Otherwise, the server denies access.否则，服务器将拒绝访问。

Authentication string syntax for the Windows authentication plugin follows these rules:Windows身份验证插件的身份验证字符串语法遵循以下规则：

When invoked by the server to authenticate a client, the plugin scans the authentication string left to right for a user or group match to the Windows user. 当服务器调用插件对客户端进行身份验证时，插件会从左到右扫描身份验证字符串，寻找与Windows用户匹配的用户或组。If there is a match, the plugin returns the corresponding mysql_user_name to the MySQL server. If there is no match, authentication fails.如果匹配，插件会将相应的mysql_user_name返回给mysql服务器。如果不匹配，则身份验证失败。

A user name match takes preference over a group name match. Suppose that the Windows user named win_user is a member of win_group and the authentication string looks like this:用户名匹配优先于组名匹配。假设名为win_user的Windows用户是win_group的成员，身份验证字符串如下：

'win_group = sql_user1, win_user = sql_user2'

When win_user connects to the MySQL server, there is a match both to win_group and to win_user. 当win_user连接到MySQL服务器时，win_group和win_user都匹配。The plugin authenticates the user as sql_user2 because the more-specific user match takes precedence over the group match, even though the group is listed first in the authentication string.该插件将用户身份验证为sql_user2，因为更具体的用户匹配优先于组匹配，即使组在身份验证字符串中列在第一位。

Windows authentication always works for connections from the same computer on which the server is running. For cross-computer connections, both computers must be registered with Windows Active Directory. Windows身份验证始终适用于来自运行服务器的同一台计算机的连接。对于跨计算机连接，两台计算机都必须向Windows 活动目录注册。If they are in the same Windows domain, it is unnecessary to specify a domain name. It is also possible to permit connections from a different domain, as in this example:如果它们在同一个Windows域中，则不需要指定域名。也可以允许来自不同域的连接，如本例所示：

CREATE USER sql_accounting
  IDENTIFIED WITH authentication_windows
  AS 'SomeDomain\\Accounting';

Here SomeDomain is the name of the other domain. The backslash character is doubled because it is the MySQL escape character within strings.这里SomeDomain是另一个域的名称。反斜杠字符被加倍，因为它是字符串中的MySQL转义符。

MySQL supports the concept of proxy users whereby a client can connect and authenticate to the MySQL server using one account but while connected has the privileges of another account (see Section 6.2.18, “Proxy Users”). MySQL支持代理用户的概念，客户端可以使用一个帐户连接并验证MySQL服务器，但在连接时拥有另一个帐户的权限（参阅第6.2.18节，“代理用户”）。Suppose that you want Windows users to connect using a single user name but be mapped based on their Windows user and group names onto specific MySQL accounts as follows:假设您希望Windows用户使用单个用户名连接，但根据他们的Windows用户名和组名映射到特定的MySQL帐户，如下所示：

To set this up, create a proxy account for Windows users to connect to, and configure this account so that users and groups map to the appropriate MySQL accounts (local_wlad, local_dev, local_admin). 要设置此设置，请为Windows用户创建一个代理帐户进行连接，并配置此帐户，以便用户和组映射到相应的MySQL帐户（local_wlad、local_dev、local_admin）。In addition, grant the MySQL accounts the privileges appropriate to the operations they need to perform. 此外，授予MySQL帐户与其需要执行的操作相对应的权限。The following instructions use win_proxy as the proxy account, and local_wlad, local_dev, and local_admin as the proxied accounts.以下说明使用win_proxy作为代理帐户，使用local_wlad、local_dev和local_admin作为代理帐户。

Now the Windows users local_user and MyDomain\domain_user can connect to the MySQL server as win_proxy and when authenticated have the privileges of the account given in the authentication string (in this case, local_wlad). 现在，Windows用户local_user和MyDomain\domain_user可以作为win_proxy连接到MySQL服务器，并且在经过身份验证后具有身份验证字符串中给出的帐户的权限（在本例中为local_wlad）。A user in the MyDomain\Developers group who connects as win_proxy has the privileges of the local_dev account. A user in the BUILTIN\Administrators group has the privileges of the local_admin account.MyDomain\Developers组中以win_proxy身份连接的用户具有local_dev帐户的权限。BUILTIN\Administrators组中的用户具有local_admin帐户的权限。

To configure authentication so that all Windows users who do not have their own MySQL account go through a proxy account, substitute the default proxy account (''@'') for win_proxy in the preceding instructions. 要配置身份验证，以便所有没有自己MySQL帐户的Windows用户都通过代理帐户，请在前面的说明中将win_proxy替换为默认代理帐户（''@''）。For information about default proxy accounts, see Section 6.2.18, “Proxy Users”.有关默认代理帐户的信息，请参阅第6.2.18节，“代理用户”。

To use the Windows authentication plugin with Connector/NET connection strings in Connector/NET 6.4.4 and higher, see Using the Windows Native Authentication Plugin.要在Connector/NET 6.4.4及更高版本中将Windows身份验证插件与Connector/NET连接字符串一起使用，请参阅使用Windows本机身份验证插件。