Kerberos Glossary

AS

Authentication Service. See The Authentication Server for more details.

Host Principal

The hostname on which the service principal is hosted.

KDC

Key Distribution Centre. See The Key Distribution Centre for more details. In the Windows world, this would be the Windows Domain controller.

Keytab

The keytab (short for “key table”) stores the long-term keys for one or more principals. See Keytab for more details.

Principal

Any entity within a Kerberos installation (users, computers, or services provided by servers) has a principal associated with it. Each principal is associated with a long-term key, which can be a password or passphrase. Principals are globally unique names managed in a hierarchical structure.

Realms

Each Kerberos installation defines an administrative realm of control that is distinct from other Kerberos installations. By convention, the Kerberos realm for a given DNS domain is the domain name converted to uppercase. In the Windows world, it would be the Windows Domain.

Service Principal

The server / service identifies and authenticates itself in a Realm with the KDC and other systems, just like a user does. This user / principal is known as the Service Principal. Services that use Kerberos are said to be Kerberized. To authenticate as this principal, the service uses a Keytab file rather than an interactive password.

SPN

There may be multiple Service Principal Names associated with a Service Principal, much like aliases. There may be an SPN for both the short and fully qualified names of a host. In a load-balanced cluster, there may be SPNs for each of the cluster nodes.

TGS

Ticket Granting Server. See The Ticket Granting Server for more details.

TGT

Ticket Granting Ticket. See The Authentication Server for more details.