!!! Overview
A [{$pagename}] is a unique identity to which a [KDC] can assign tickets.

Typically, we can think of three kinds of Principals:
* [Users] or [Clients] or [Client-Principal] (identified by a [User Principal Name] ([UPN]))
* [Service Provider] or [Service-Principal] or [Relying Party] (identified by a [Service Principal Name] ([SPN]))
* Hosts, which are identified by [Hostnames] (in [Microsoft Windows], the [Fully Qualified Domain Name])

Each [Principal] is unique in the [Kerberos Database].

A [{$pagename}] can have an arbitrary number of components. Each component is separated by a component separator, generally "/". The last component is the [Kerberos Realm], separated from the rest of the principal by the realm separator, generally "@". If there is no [Kerberos Realm] component in the [principal], the [principal] is assumed to be in the default [realm] for the [context] in which it is being used.

Traditionally, a [{$pagename}] is divided into three parts:
* the primary
* the instance
* the [Kerberos Realm]

The format of a typical [Kerberos] V5 principal is:
{{{
primary/instance@REALM
}}}

The primary is the first part of the principal. In the case of a [Client-Principal], it is typically the same as your username. For a host, the primary is the word HOST.

The instance is an optional string that qualifies the primary. The instance is separated from the primary by a slash (/). In the case of a user, the instance is usually null, but a [Client-Principal] might also have an additional [UPN] with an instance called admin, which is used to administer a database. The principal
{{{
jennifer@ATHENA.MIT.EDU
}}}
is completely separate from the principal
{{{
jennifer/admin@ATHENA.MIT.EDU
}}}
with a separate password and separate permissions. In the case of a host, the instance is the fully qualified hostname, e.g., daffodil.mit.edu.

The realm is your [Kerberos Realm]. In most cases, your Kerberos realm is your domain name, in upper-case letters. For example, the machine daffodil.example.com would be in the realm EXAMPLE.COM.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
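The principal format described in the Overview, as an added example that is not part of the original page: a small parser that splits a name into components and realm, applies a default realm when none is given, and authorizes only on an exact match of the full principal, so that {{jennifer}} never inherits what {{jennifer/admin}} is allowed to do. The names {{parse_principal}}, {{is_authorized}} and {{ADMIN_ACL}} are hypothetical, the ACL is constructed sample data, and the parser assumes the input contains no escaped separators.

```python
from dataclasses import dataclass

COMPONENT_SEP = "/"  # component separator, as described on the page
REALM_SEP = "@"      # realm separator, as described on the page


@dataclass(frozen=True)
class Principal:
    components: tuple  # one or more name components
    realm: str

    @property
    def primary(self):
        return self.components[0]

    @property
    def instance(self):
        # Traditional three-part view: everything after the primary, or None.
        rest = self.components[1:]
        return COMPONENT_SEP.join(rest) if rest else None

    def __str__(self):
        return COMPONENT_SEP.join(self.components) + REALM_SEP + self.realm


def parse_principal(name, default_realm):
    """Split 'primary/instance@REALM'; use default_realm when no '@' is present."""
    # Assumption: the input has no backslash-escaped separators.
    local, sep, realm = name.rpartition(REALM_SEP)
    if not sep:
        local, realm = name, default_realm
    components = tuple(local.split(COMPONENT_SEP))
    if not realm or any(c == "" for c in components):
        raise ValueError(f"malformed principal: {name!r}")
    return Principal(components, realm)


def is_authorized(name, acl, default_realm):
    """Exact match on the fully qualified principal, never a prefix match."""
    return parse_principal(name, default_realm) in acl


# Constructed sample ACL: only the admin instance may administer the database.
ADMIN_ACL = {parse_principal("jennifer/admin@ATHENA.MIT.EDU", "ATHENA.MIT.EDU")}
```
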