Kerberos - Principal (Account)


A Kerberos principal is a unique identity to which Kerberos can assign tickets.

Kerberos defines two different types of accounts (or principals): users and services (hosts).

In a Microsoft environment, they would be named:

  • Active Directory users
  • and computers.


Traditionally, a principal is divided into three components (parts):



  • The primary is, for:
    • a user, the same as your username;
    • a service, the name of the service.
  • The instance is an optional string that qualifies the primary. The instance is, for:
    • a user, usually null (but a user might also have an additional principal, with an instance called admin, which he/she uses to administrate a database. The principal [email protected] is completely separate from the principal jennifer/[email protected], with a separate password and separate permissions);
    • a host, the fully qualified hostname, e.g.,
  • The realm is the Kerberos realm. In most cases, your Kerberos realm is your domain name, in upper-case letters. When omitted, it defaults to the default realm of the context in which the principal is used, i.e. the machine would be in the realm GERARDNICO.COM.

Principals can have an arbitrary number of components (parts). Each component is separated by a component separator, generally `/`, and the realm follows an `@`.


  • Concatenation of HTTP/, the user logon name, and the realm (it must be in uppercase): HTTP/[email protected]
  • host ??: HOST/[email protected]
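The following is an added example, not code from this page or from any Kerberos implementation. It parses a principal name into its components and realm as described above (`/` separates components, `@` introduces the realm, a missing realm falls back to the default realm GERARDNICO.COM named on the page) and rebuilds service principals such as the HTTP/ one. The backslash escaping of `/` and `@` inside a component follows the MIT Kerberos convention, which the page itself does not mention; the hostnames used are constructed sample values.

```python
"""Parse and build Kerberos principal names of the form
primary[/instance...]@REALM (added example, not from the page)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default realm taken from the page; used when a name carries no '@REALM' part.
DEFAULT_REALM = "GERARDNICO.COM"


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # ("jennifer",), ("jennifer", "admin"), ("host", "fqdn"), ...
    realm: str

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        # The instance is optional: a plain user principal has none.
        return self.components[1] if len(self.components) > 1 else None


def parse_principal(name: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Split name into components and realm.

    Assumed MIT-style escaping: a backslash protects the next character, so
    'host/a\\/b@X' has the single instance 'a/b' rather than two components."""
    components: List[str] = []
    current: List[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            current.append(name[i + 1])     # escaped separator or backslash
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(current))
            current = []
        elif realm is None and ch == "@":
            components.append("".join(current))
            current = []
            realm = ""                       # everything after '@' is the realm
        else:
            current.append(ch)
        i += 1
    tail = "".join(current)
    if realm is None:
        components.append(tail)
        realm = default_realm                # no '@': use the context's default realm
    else:
        realm = tail
    if not realm or any(c == "" for c in components):
        raise ValueError(f"malformed principal: {name!r}")
    return Principal(tuple(components), realm)


def format_principal(p: Principal) -> str:
    """Inverse of parse_principal; separators inside a component are re-escaped."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(esc(c) for c in p.components) + "@" + esc(p.realm)


def service_principal(service: str, host: str, realm: str = DEFAULT_REALM) -> str:
    """Build a service principal such as HTTP/<host>@REALM.

    Only the realm is forced to upper case, as the page requires; the host
    part is passed through unchanged."""
    return format_principal(Principal((service, host), realm.upper()))


if __name__ == "__main__":
    # 'jennifer' and 'jennifer/admin' are distinct principals with distinct keys.
    user = parse_principal("jennifer")
    admin = parse_principal("jennifer/admin")
    print(user, admin, user == admin)
    print(service_principal("HTTP", "www.gerardnico.com"))   # constructed host name
```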


See KerberosPrincipal

Documentation / Reference
