Overview
A Client-Principal is our term for a User that is requesting a Service from a Service Provider.
A Principal can be the name of a service (which runs on a host, and which we will call a Service-Principal) or the name of a user (which we will call a User-Principal). The Principal forms an index to the information stored about that entity in the Kerberos security database held by the Key Distribution Center (KDC).
The format of the Principal differs for users and services.
The User-Principal name is the rough equivalent of a username or an account name and has the format principal-name/instance-name@REALM (where /instance-name is optional).
For example, if the principal name is alice and the Realm is joe then the full Principal would be alice@joe. Principal names are case-sensitive, so Alice@joe and alice@joe are different principals.
The instance-name is conventionally used to give the same person separate identities for separate roles, most commonly administration: if Alice were an administrator for the joe Realm her administrative principal would be alice/admin@joe, with its own key and its own entry in the KDC database, distinct from the everyday alice@joe.
When used to describe a Service-Principal the form becomes service-name/QDN@REALM, where QDN is the full domain name of the host (without the trailing dot demanded by an FQDN) on which the service runs and service-name is an application-specific string which identifies the service on the host. Thus a service-name of ftp running on a host named fileserver.example.com in the Realm example.com would have a Service-Principal name of ftp/fileserver.example.com@example.com. Two practical caveats: Realm names are conventionally written in upper case (EXAMPLE.COM), and because the whole name is case-sensitive a key issued for ftp/fileserver.example.com@EXAMPLE.COM will not match a request for ftp/fileserver.example.com@example.com; and the QDN must be the host name the client will actually resolve and canonicalize (normally lower case), otherwise the client asks the KDC for a service ticket under a name the service has no key for.
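The following parser and formatter for both the User-Principal and Service-Principal forms above is an added example written for this page, not code from the original page or from any Kerberos implementation. It assumes the MIT Kerberos quoting convention that a backslash protects the following character (so a component can itself contain "/" or "@"), and the distinction it draws between user and service principals (a dotted instance looks like a host QDN) is a heuristic taken from the page's description, not a protocol rule.

```python
"""Parse and format Kerberos principal names: primary[/instance]@REALM.

Added example for this page. Backslash quoting of separators follows the
MIT Kerberos convention and is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    primary: str              # user name or service name ("alice", "ftp")
    instance: Optional[str]   # "admin", a host QDN, or None when absent
    realm: str                # case-sensitive, conventionally upper case

    @property
    def looks_like_service_principal(self) -> bool:
        """Heuristic: a Service-Principal carries the host's full domain name
        as its instance, so a dotted instance is treated as a host name."""
        return self.instance is not None and "." in self.instance

    def __str__(self) -> str:
        parts = [self.primary] + ([self.instance] if self.instance is not None else [])
        return "/".join(_escape(p) for p in parts) + "@" + _escape(self.realm)


def _escape(component: str) -> str:
    # Quote the separators so a component containing "/" or "@" round-trips.
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split text into (primary, instance, realm).

    Raises ValueError on an empty component, more than two components, an
    unescaped "/" or second "@" inside the realm, a dangling backslash, or a
    missing realm when no default_realm is supplied.
    """
    components: list = []
    buf: list = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash in principal name")
            buf.append(text[i + 1])   # take the quoted character literally
            i += 2
            continue
        if in_realm and ch in "/@":
            raise ValueError(f"unescaped {ch!r} inside realm")
        if ch in "/@":
            components.append("".join(buf))
            buf = []
            if ch == "@":
                in_realm = True
        else:
            buf.append(ch)
        i += 1

    if in_realm:
        realm = "".join(buf)
    else:
        components.append("".join(buf))
        realm = default_realm   # the name carried no "@REALM" suffix
    if not realm:
        raise ValueError("principal has no realm and no default realm was given")
    if not components or any(c == "" for c in components):
        raise ValueError("principal has an empty component")
    if len(components) > 2:
        raise ValueError("only primary/instance is handled in this example")
    instance = components[1] if len(components) == 2 else None
    return Principal(components[0], instance, realm)


if __name__ == "__main__":
    for name in ("alice@joe", "alice/admin@joe",
                 "ftp/fileserver.example.com@EXAMPLE.COM",
                 r"host/web\/proxy.example.com@EXAMPLE.COM"):
        p = parse_principal(name)
        kind = "service" if p.looks_like_service_principal else "user"
        print(f"{name:45s} -> {kind:7s} primary={p.primary!r} "
              f"instance={p.instance!r} realm={p.realm!r}")
```

Because the parser keeps every component exactly as written, it also makes the case-sensitivity point concrete: parse_principal("alice@joe") and parse_principal("Alice@JOE") yield two unequal Principal objects, which is precisely why a misspelt realm or host name produces a lookup failure at the KDC rather than a near match.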