Kerberos - Principal (Account)


A Kerberos principal is a unique identity to which Kerberos can assign tickets.

Kerberos defines two different types of accounts (or Principals):

In a Microsoft environment, they would be named:

  • Active Directory users
  • and computers.


Traditionally, a principal is divided into three (components|parts):



  • The primary is for :
    • a user, the same as your username.
    • a service, the name of the service
  • The instance is an optional string that qualifies the primary. The instance is for:
    • a user, usually null (but a user might also have an additional principal, with an instance called admin, which he/she uses to administrate a database. The principal [email protected] is completely separate from the principal jennifer/[email protected], with a separate password, and separate permissions.
    • a host, the instance is the fully qualified hostname, e.g.,
  • The realm is the Kerberos realm. In most cases, your Kerberos realm is your domain name, in upper-case letters. (default to the default realm for the context in which it is being used ie the machine would be in the realm GERARDNICO.COM. )

Principals can have an arbitrary number of (components|parts). Each (components|parts) is separated by a component separator, generally `/'.


  • Concatenation of HTTP/, the user logon name, and the realm (it must be in uppercase)
HTTP/[email protected]

  • host ??
HOST/[email protected]


See KerberosPrincipal

Documentation / Reference

Discover More
Kerberos Ticket Manager Ticket Get
Kerberos - (Ticket|Credentials)

Kerberos credentials, or “tickets” are the credentials in Kerberos. There are only two different types for tickets that the KDC issues. Ticket Granting Ticket (TGT). The first ticket obtained is...
Kerberos - Client

An entity that can obtain a ticket and that is identified by a principal This entity is usually either: a user or a service.
Kerberos - KeyTab (Key Table)

All Kerberos server machines need a keytab file to authenticate to the KDC. A keytab file contains one or more shared secret key. A service will use a keytab file in much the same way as a user uses...
Spn Active Directory
Kerberos - Service principal name

A service principal name is a principal for a service where: The service-class is a string and identifies the general class of service. Computers or machine accounts automatically get an SPN with a...
Kerberos - Ticket Granting Server (TGS)

TGS is a KDC component that issues a service ticket when a principal requests connection to a Kerberos service. You must first have a Ticket Granting Ticket (TGT) for the (Active Directory) domain before...
Kerberos Ticketing Process
Kerberos - Ticketing Process

Kerberos ticketing process between: the the the Under Kerberos, a client sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT)...
Upn Active Directory
Kerberos - User Principal Name (UPN)

A principal representing a user. An example of UPN is : The UPN is derived from the combining of the two fields listed for “User logon name”. A User Principal Name must be unique across...
Kerberos - kinit

kinit is an utility that permits to obtain and cache Kerberos ticket-granting tickets. You can then verify that the Kerberos configuration is good and that the authentication is working. kinit...
Kerberos - klist

The klist utility display the entries (tickets,..) in the local credentials cache and key table. With MIT kerberos where: ...
Mit Kerberos Ticket Manager
Kerberos - ticket-granting ticket (TGT)

A ticket-granting ticket (TGT) is the first ticket obtained in a kerberos system. It's a special ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos realm. Under...

Share this page:
Follow us:
Task Runner