About

A Kerberos principal is a unique identity to which Kerberos can assign tickets.

Kerberos defines two different types of accounts (or principals):

  • user principals
  • service principals

In a Microsoft environment, they would be named:

  • Active Directory users
  • Active Directory computers.

Syntax

Traditionally, a principal is divided into three components (parts):

primary[/instance][@REALM]

where:

  • The primary is, for:
    • a user, the same as your username.
    • a service, the name of the service.
  • The instance is an optional string that qualifies the primary. The instance is, for:
    • a user, usually null (but a user might also have an additional principal with an instance called admin, which he/she uses to administer a database. The principal jennifer@REALM is completely separate from the principal jennifer/admin@REALM, with a separate password and separate permissions; REALM stands here for the realm name).
    • a host, the fully qualified hostname, e.g. daffodil.mit.edu.
  • The realm is the Kerberos realm. In most cases, your Kerberos realm is your domain name in upper-case letters. If omitted, it defaults to the default realm of the context in which the principal is used, e.g. the machine nico.gerardnico.com would be in the realm GERARDNICO.COM.

Principals can have an arbitrary number of components (parts). Each component is separated by a component separator, generally '/'.
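The syntax above, as an added example (not code from the original page): a Python parser for primary[/instance...][@REALM] that substitutes a default realm when the realm is omitted, accepts an arbitrary number of components, follows the MIT krb5 convention that a backslash escapes a following '/' or '@' inside a component (a detail the page does not discuss), and re-serializes the result so the round trip can be checked. The default realm GERARDNICO.COM is taken from the page's own example; the user/service classification is a heuristic of this example, and Principal, parse_principal, unparse_principal and realm_is_canonical are names chosen here.

```python
"""Parse, classify and re-serialize Kerberos principal names.

Added example, not from the original page. Implements the
primary[/instance...][@REALM] syntax, following the MIT krb5 convention
that a backslash escapes the next character so that '/' and '@' can
appear literally inside a component. The default realm and the
user/service classification are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed default realm for the demo (the page's own example realm).
DEFAULT_REALM = "GERARDNICO.COM"


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # primary first, then any instances
    realm: str

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        # Second component, or None for a plain user principal.
        return self.components[1] if len(self.components) > 1 else None

    def kind(self) -> str:
        # Heuristic only: a service/host principal carries the fully
        # qualified hostname as its instance; a user principal has no
        # instance, or a role instance such as 'admin' (no dots).
        if self.instance is not None and "." in self.instance:
            return "service"
        return "user"


def parse_principal(text: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Split text into components and realm, honouring backslash escapes."""
    components = []
    buf = []
    realm_seen = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])           # escaped character is literal
            i += 2
            continue
        if not realm_seen and ch == "/":
            components.append("".join(buf))   # component separator
            buf = []
        elif ch == "@":
            if realm_seen:
                raise ValueError(f"second unescaped '@' in {text!r}")
            components.append("".join(buf))   # realm separator
            buf = []
            realm_seen = True
        else:
            buf.append(ch)
        i += 1
    if realm_seen:
        realm = "".join(buf)
    else:
        components.append("".join(buf))
        realm = default_realm                 # omitted realm: use the default
    if not realm or any(c == "" for c in components):
        raise ValueError(f"empty component or realm in {text!r}")
    return Principal(tuple(components), realm)


def _escape(component: str) -> str:
    # Escape the characters that would otherwise act as separators.
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def unparse_principal(p: Principal) -> str:
    """Inverse of parse_principal: always emits the realm explicitly."""
    return "/".join(_escape(c) for c in p.components) + "@" + p.realm


def realm_is_canonical(p: Principal) -> bool:
    """Realm names are conventionally the DNS domain in upper case."""
    return p.realm == p.realm.upper()


if __name__ == "__main__":
    # Constructed sample names covering the cases discussed above.
    for name in ("jennifer", "jennifer/admin@ATHENA.MIT.EDU",
                 "host/daffodil.mit.edu@ATHENA.MIT.EDU", r"odd\/name@EXAMPLE.COM"):
        p = parse_principal(name)
        print(f"{name:40} -> {p.components} realm={p.realm} kind={p.kind()}")
```

A second unescaped '@' and an empty component or realm are rejected rather than silently accepted, since a name such as `a@B@C` is ambiguous about which realm is meant; that matters wherever principal names are compared for authorization decisions.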

Example

  • Concatenation of HTTP/, the user logon name, and the realm (the realm must be in uppercase):
HTTP/<user logon name>@REALM

  • host (the instance being the fully qualified hostname):
HOST/<fully qualified hostname>@REALM

Type

See KerberosPrincipal
