Naming

Kerberos V5 specifies a variety of name types ([RFC4120] section 7.5.8) for specifying the name of the server during a TGS request.

KILE SHOULD use service principal names (SPNs) to identify servers in TGS-REQs. An SPN is a single-string representation of a Kerberos principal name according to [RFC1964] section 2.1.1 that identifies the server. The Directory Service attribute servicePrincipalName, as defined in [MS-ADA3] section 2.252, is a multi-value attribute on a user or computer object that contains a list of service principal names, with each list item corresponding to a string representation of a Kerberos name that can be used to identify the server.

An SPN is a string of the following format. For more information on the <alphanum> element, see [RFC2396] section 1.6.

 SPN = serviceclass "/" hostname [":"port] ["/" servicename]
 serviceclass = alphanum
 servicename = alphanum

  • serviceclass is a string that identifies the class of the service, such as "www" for a Web service or "ldap" for a directory service.

  • hostname ([RFC2396] section 3.2.2) is a string that is the name of the system. This SHOULD be the fully qualified domain name (FQDN).

  • port ([RFC2396] section 3.2.2) is a number that is the port number for the service.

  • The servicename segment is a string that is the distinguished name (DN), objectGuid, Internet host name, or FQDN for the service.

An application can supply a name of the form "RestrictedKrbHost/<hostname>" when its callers have provided the hostname but not the correct SPN for the service. Applications SHOULD NOT use "RestrictedKrbHost/<hostname>" due to the security considerations in section 5.1.2. Applications calling GSS-API directly MUST provide a target name which SHOULD be an SPN <27> for their service applications for Kerberos authentication.
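As an added example (not part of the Microsoft specification text), the following Python parser splits an SPN into the four segments of the grammar above, enforces the alphanum rule for serviceclass and the numeric rule for port, and flags the two conditions the text calls out: a hostname that is not an FQDN and use of the RestrictedKrbHost class. The warning labels are assumed names chosen for this example.

```python
"""Parse and sanity-check SPNs of the form
serviceclass "/" hostname [":"port] ["/" servicename]
Constructed example code; not Microsoft's implementation."""
import re
from dataclasses import dataclass
from typing import List, Optional

_ALPHANUM = re.compile(r"^[A-Za-z0-9]+$")   # <alphanum> per RFC 2396 section 1.6
RESTRICTED_CLASS = "restrictedkrbhost"      # fallback class the spec says SHOULD NOT be used


@dataclass
class SPN:
    serviceclass: str
    hostname: str
    port: Optional[int]
    servicename: Optional[str]

    def is_fqdn(self) -> bool:
        # The hostname SHOULD be fully qualified: more than one non-empty label.
        labels = self.hostname.split(".")
        return len(labels) > 1 and all(labels)

    def warnings(self) -> List[str]:
        # Assumed label names for the two advisory conditions in the text.
        found = []
        if self.serviceclass.lower() == RESTRICTED_CLASS:
            found.append("restricted-class")
        if not self.is_fqdn():
            found.append("hostname-not-fqdn")
        return found


def parse_spn(spn: str) -> SPN:
    # maxsplit=2 keeps everything after the second "/" in servicename (e.g. a DN).
    parts = spn.split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"SPN needs at least serviceclass/hostname: {spn!r}")
    serviceclass, hostport = parts[0], parts[1]
    if not _ALPHANUM.match(serviceclass):
        raise ValueError(f"serviceclass must be alphanum: {serviceclass!r}")
    servicename = parts[2] if len(parts) == 3 else None
    if servicename == "":
        raise ValueError("trailing '/' with empty servicename")
    hostname, sep, port_str = hostport.partition(":")
    if not hostname:
        raise ValueError("hostname is empty")
    port = None
    if sep:  # port is optional, but when present it must be a valid TCP/UDP port number
        if not port_str.isdigit() or not 0 < int(port_str) < 65536:
            raise ValueError(f"port must be a number in 1..65535: {port_str!r}")
        port = int(port_str)
    return SPN(serviceclass, hostname, port, servicename)
```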

© 2015 Microsoft