Kerberos Terminology

It is helpful to understand three terms when using Kerberos; principals, realms, and tickets.

Principals
A Kerberos principal is a unique identity that uses Kerberos. For users, it is the identity you use to log on to Kerberos. Principals are a combination of your user name and the name of the realm (or domain) you belong to, in the form username@REALM.NAME. For example: jdoe@SALES.WIDGET.COM. Some people will have more than one principal. An administrator might have a regular principal and a separate one with administrative rights. Or if a particular installation uses multiple realms and requires a separate log-on for each one, people with access to multiple realms will have a principal for each realm.

Because Kerberos provides mutual authentication, the network resources that use Kerberos also have unique principals. However, you do not need to know a service's principal to access it.

Back to Top
Realms
Kerberos realms are a way of logically grouping resources and identities that use Kerberos. Your realm is the home of your Kerberos identity and your point of entry to the network resources controlled by Kerberos. In Windows, realms are called domains.

When a Kerberos installation is set up, administrators decide how to group identities and network resources into realms. For example, some installations group all network resources into one realm. Others group all identities into one realm that is solely used as an entry point to resources grouped in other realms. Depending on your installation and your needs, you might have a principal (or principals) in only one realm that provides you with all the access you need, or you might have different principals for accessing different realms.

Realms are usually named after the DNS domain they correspond to, but using all upper case letters. For example, Widget Makers Incorporated might have a realm named WIDGETMAKERSINC.COM. By definition, each network resource in a Kerberos realm uses the same Kerberos installation for authentication.

Back to Top
Tickets
Kerberos uses the concept of tickets to keep passwords from being transmitted in the clear and to provide users the convenience of a single log-on to access multiple services and hosts.

Once a you provide a valid principal and password, Kerberos issues you a ticket with a limited lifetime. This ticket is an encrypted block of data that authenticates you. In most cases the ticket allows you to access all of the appropriate network resources in the realm you use, for the lifetime of the ticket, without having to take any further action.

When you access one of these resources, MIT Kerberos passes your initial Ticket Granting Ticket (TGT) to the service. Kerberos verifies the ticket and then issues a separate ticket that allows access to that service. You don't have to worry about obtaining or managing these new service tickets; they are automatically issued. Service tickets can be viewed with MIT Kerberos but cannot be directly obtained or destroyed through it.

Tickets contain two encryption keys: the ticket key and the session key. The ticket key is shared between the Kerberos infrastructure and the service you are using. The session key is shared between you and the service, and is used to encrypt and decrypt communication with the service.

Back to Top

Related Help