6. Naming Constraints

Overview

This section specifies the naming conventions and constraints for Kerberos realms and principals. Proper naming is essential for interoperability and security.

6.1. Realm Names

Realm names identify Kerberos administrative domains.

Conventions

Typically uppercase domain-style names
Often based on DNS domain names
Hierarchical structure supported
Example: EXAMPLE.COM

Requirements

Case-sensitive comparisons
Should not contain whitespace
Should use domain-style hierarchy when appropriate

6.2. Principal Names

Principal names identify entities (users, services) in Kerberos.

Structure

Name type identifies interpretation
Sequence of name components
Realm identifies administrative domain
Format: name/instance@REALM

Name Types

NT-PRINCIPAL - General principal name
NT-SRV-INST - Service with instance
NT-SRV-HST - Service with hostname
NT-UID - Unique ID
And others

6.2.1. Name of Server Principals

Service principals follow special conventions:

Format: service/hostname@REALM
Service identifies the service type (http, host, etc.)
Hostname should be fully qualified
Case preservation and canonicalization considerations

Security Considerations

Proper name canonicalization prevents impersonation
Realm trust relationships must be carefully managed
Service names should follow consistent conventions
Avoid relying on insecure name resolution

Reference

For complete naming specifications, refer to RFC 4120 Section 6.

Overview​

6.1. Realm Names​

Conventions​

Requirements​

6.2. Principal Names​

Structure​

Name Types​

6.2.1. Name of Server Principals​

Security Considerations​

Reference​