3.1.5.11 Naming
Kerberos V5 specifies a variety of name types ([RFC4120] section 7.5.8) for specifying the name of the server during a TGS request.
KILE uses service principal names (SPNs) to identify servers in TGS-REQs. An SPN is a single-string representation of a Kerberos principal name, as defined in [RFC1964] section 2.1.1, that identifies the server. The Directory Service attribute servicePrincipalName, as defined in [MS-ADA3] section 2.252, is a multi-value attribute on a user or computer object that contains a list of SPNs, with each list item being a string representation of a Kerberos name that can be used to identify the server.
An SPN is a string of the following format.
SPN = serviceclass "/" hostname [":"port] ["/" servicename]
serviceclass = alphanum
servicename = alphanum
Where:
serviceclass is a string that identifies the class of the service, such as "www" for a Web service or "ldap" for a directory service.
hostname ([RFC2396] section 3.2.2) is a string that is the fully qualified domain name (FQDN) of the system.
port ([RFC2396] section 3.2.2) is a number that is the port number for the service.
servicename is a string that is the distinguished name (DN), objectGUID, Internet host name, or FQDN for the service.
Note: The <alphanum> element is defined in [RFC2396] section 1.6.
An application can supply a name of the form "RestrictedKrbHost/<hostname>" when its callers have provided the hostname but not the correct SPN for the service. Applications MAY<30> use "RestrictedKrbHost/<hostname>" with awareness of the security considerations described in section 5.1.2. Applications calling GSS-API directly MUST provide a target name that is an SPN for their service applications for Kerberos authentication.
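The following parser is an added example, not text or code from [MS-KILE] or from any Microsoft implementation. It implements the SPN grammar above (serviceclass, hostname, optional port, optional servicename) and flags the "RestrictedKrbHost/<hostname>" fallback form so that a caller can tell a name-based fallback apart from a service-specific SPN before handing it to GSS-API. Two assumptions are made: the grammar lists servicename as <alphanum>, but the prose allows a DN or FQDN, so servicename is accepted as free text after the second "/"; and the serviceclass comparison for RestrictedKrbHost is case-insensitive, which this section does not state.

```python
"""Parser for the SPN grammar in MS-KILE section 3.1.5.11 (added example, not spec code)."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 2396 <alphanum> is ASCII letters and digits only. str.isalnum() would also
# accept non-ASCII letters, so an explicit ASCII pattern is used instead.
_ALPHANUM = re.compile(r"[A-Za-z0-9]+")
_DIGITS = re.compile(r"[0-9]+")


@dataclass(frozen=True)
class SPN:
    serviceclass: str
    hostname: str
    port: Optional[int] = None
    servicename: Optional[str] = None

    @property
    def is_restricted_krb_host(self) -> bool:
        # "RestrictedKrbHost/<hostname>" is the fallback an application supplies when
        # its caller knows only the host name. Case-insensitive comparison is an
        # assumption of this example; the section does not state case rules.
        return self.serviceclass.lower() == "restrictedkrbhost"

    def __str__(self) -> str:
        # Re-emit the SPN in the grammar's single-string form (round trip).
        text = f"{self.serviceclass}/{self.hostname}"
        if self.port is not None:
            text += f":{self.port}"
        if self.servicename is not None:
            text += f"/{self.servicename}"
        return text


def parse_spn(text: str) -> SPN:
    """Parse SPN = serviceclass "/" hostname [":"port] ["/" servicename]."""
    serviceclass, sep, rest = text.partition("/")
    if not sep:
        raise ValueError(f"SPN {text!r} has no '/' between serviceclass and hostname")
    if not _ALPHANUM.fullmatch(serviceclass):
        raise ValueError(f"serviceclass {serviceclass!r} is not <alphanum>")

    # servicename follows the second "/" and, per the prose, may be a DN or FQDN,
    # so it is taken verbatim (assumption: not restricted to <alphanum>).
    hostport, sep, servicename = rest.partition("/")
    if sep and not servicename:
        raise ValueError(f"SPN {text!r} has a trailing '/' but no servicename")

    # hostname is an FQDN and so never contains ':'; anything after ':' is the port.
    hostname, sep, port_text = hostport.partition(":")
    if not hostname:
        raise ValueError(f"SPN {text!r} has an empty hostname")
    port: Optional[int] = None
    if sep:
        if not _DIGITS.fullmatch(port_text):
            raise ValueError(f"port {port_text!r} in SPN {text!r} is not numeric")
        port = int(port_text)

    return SPN(serviceclass, hostname, port, servicename or None)


if __name__ == "__main__":
    # Constructed sample SPNs, not values taken from any real directory.
    for sample in ("ldap/dc01.example.com",
                   "MSSQLSvc/sql01.example.com:1433",
                   "www/web01.example.com:8080/DC=example,DC=com",
                   "RestrictedKrbHost/ws01.example.com"):
        spn = parse_spn(sample)
        print(f"{sample!r:50} -> {spn} (fallback form: {spn.is_restricted_krb_host})")
```

Because the hostname segment is defined as an FQDN, the parser treats the first ":" after it as the start of the port and the first "/" after the hostname as the start of servicename; a servicename that itself contains "/" is kept whole, since partition splits only once.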