3.1.5.11 Naming

Kerberos V5 specifies a variety of name types ([RFC4120] section 7.5.8) for specifying the name of the server during a TGS request.

KILE SHOULD use service principal names (SPNs) to identify servers in TGS-REQs. An SPN is a single-string representation of a Kerberos principal name according to [RFC1964] section 2.1.1  that identifies the server. The Directory Service attribute servicePrincipalName, as defined in [MS-ADA3] section 2.252, is a multi-value attribute on a user or computer object that contains a list of service principal names, with each list item corresponding to a string representation of a Kerberos name that can be used to identify the server.

An SPN is a string of the following format. For more information on the <alphanum> element, see [RFC2396] section 1.6.

 SPN = serviceclass "/" hostname [":"port] ["/" servicename]
 serviceclass = alphanum
 servicename = alphanum

Where:

An application can supply a name of the form "RestrictedKrbHost/<hostname>" when its callers have provided the hostname but not the correct SPN for the service. Applications SHOULD NOT use "RestrictedKrbHost/<hostname>" due to the security considerations in section 5.1.2. Applications calling GSS-API directly MUST provide a target name which SHOULD be an SPN <27> for their service applications for Kerberos authentication.

Show: