Kerberos Glossary
- AS
Authentication Service. See The Authentication Server for more details.
- Host Principal
The hostname on which the service principal is hosted.
- KDC
Key Distribution Centre. See The Key Distribution Centre for more details. In the Windows world, this would be the Windows Domain controller.
- Keytab
The keytab (short for “key table”) stores the long-term keys for one or more principals. See Keytab for more details.
- Principal
Any entity within a Kerberos installation, including users, computers or services provided by servers, has a principal associated with it. Each principal is associated with a long-term key, which can be a password or passphrase. Principals are globally unique names managed in a hierarchical structure.
- Realms
Each Kerberos installation defines an administrative realm of control that is distinct from other Kerberos installations. By convention, the Kerberos realm for a given DNS domain is the domain converted to uppercase. In the Windows world, it would be the Windows Domain.
- Service Principal
The server / service identifies and authenticates itself in a Realm with the KDC and other systems just like a user. This user / principal is known as the Service Principal. Services that use Kerberos are said to be Kerberized. To authenticate as this user, the service uses a Keytab file.
- SPN
There may be multiple Service Principal Names associated with a Service Principal, much like aliases. There may be an SPN for both the short and long names of a host. For a load-balanced cluster, it may contain the list of nodes in the cluster.
- TGS
Ticket Granting Server. See The Ticket Granting Server for more details.
- TGT
Ticket Granting Ticket. See The Authentication Server for more details.