Kerberos Principals


Overview

A Kerberos Principal represents a unique identity in a Kerberos system to which Kerberos can issue tickets for access to Kerberos-aware services. A Principal name is made up of one or more components separated by the "/" separator. You can also specify a realm as the last part of the name by introducing it with the "@" character. If no realm is given, the Principal is assumed to belong to the default realm, as configured in the krb5.conf file.

Typically a Principal name comprises 3 parts: the primary, the instance, and the realm. The format of a typical Kerberos v5 Principal name is:
primary/instance@realm

  • Primary:
    If the Principal represents a user in the system, the primary is the username of that user. For a host, the primary is the literal string "host".
  • Instance:
    The instance can be used to further qualify the primary, for example, user/admin@foo.abc.com.
  • Realm:
    This is your Kerberos realm, which is usually a domain name in upper case letters. For example, the machine foo.abc.com is in the ABC.COM Kerberos realm.
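The following parser, added here as an illustration and not part of the original documentation or the product, splits a name into its components and realm exactly as described above: "/" separates components, an unescaped "@" introduces the realm, and a missing realm falls back to a default. The default realm value and the backslash escaping of "/" and "@" inside a component are assumptions for the example (the real default comes from the default_realm setting in krb5.conf).

```python
"""Parse Kerberos v5 principal names of the form primary/instance@REALM."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed default realm for the example; in a deployment this is taken from
# the [libdefaults] default_realm entry of krb5.conf.
DEFAULT_REALM = "ABC.COM"


@dataclass
class Principal:
    components: List[str]
    realm: str

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        return self.components[1] if len(self.components) > 1 else None

    def is_host(self) -> bool:
        # Host principals use the literal primary "host", e.g. host/foo.abc.com
        return self.primary == "host"

    def __str__(self) -> str:
        return "/".join(_escape(c) for c in self.components) + "@" + _escape(self.realm)


def _escape(text: str) -> str:
    # Re-escape the separator characters so the name round-trips unambiguously.
    return text.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def parse_principal(name: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Split a principal string into components and realm.

    A backslash escapes the following character, so "web\\/svc@R" has the
    single component "web/svc". Everything after the first unescaped "@" is
    the realm; a second unescaped "@" is rejected rather than silently ignored.
    """
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            if i + 1 >= len(name):
                raise ValueError("trailing backslash in principal name")
            buf.append(name[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        elif in_realm and ch == "@":
            raise ValueError("more than one unescaped '@' in principal name")
        else:
            buf.append(ch)
        i += 1

    if in_realm:
        realm = "".join(buf)
        if not realm:
            raise ValueError("empty realm after '@'")
    else:
        components.append("".join(buf))
        realm = default_realm

    if any(c == "" for c in components):
        raise ValueError("empty component in principal name")
    return Principal(components, realm)


if __name__ == "__main__":
    for raw in ("alice", "user/admin@foo.abc.com", "host/foo.abc.com", r"web\/svc@EXAMPLE.COM"):
        p = parse_principal(raw)
        print(f"{raw!r:28} -> components={p.components} realm={p.realm} host={p.is_host()}")
```

Note that the parser does not upper-case the realm: Kerberos realm names are case-sensitive, and a lower-case realm such as foo.abc.com in the page's own example is a different realm from FOO.ABC.COM.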

Configuration

You can configure Kerberos Principals globally on the External Connections tab in the Policy Studio. To configure a Kerberos Principal, right-click the Kerberos Principals node, and select the Add a Kerberos Principal option from the context menu. Complete the following fields on the Kerberos Principal dialog:

Name:
Enter a friendly name for the Kerberos Principal. This name will be available for selection from dropdowns in other Kerberos-related configuration screens in the Policy Studio.

Principal Name:
Enter the name of the Kerberos Principal in this field. The Principal name consists of one or more components separated by the "/" separator. Specify the realm here if the Principal belongs to a non-default realm, or if no default realm is configured.

Principal Type:
Select the type of the Principal entered in the field above. The following list gives the available Principal Types. Note that the Principal Name Types and their corresponding OIDs are defined by the Generic Security Service API (GSS-API).

Principal Name Type, explanation, and OID:

  • NT_USER_NAME (OID 1.2.840.113554.1.2.1.1):
    The Principal name identifies a named user on the local system.
  • KERBEROS_V5_PRINCIPAL_NAME (OID 1.2.840.113554.1.2.2.1):
    The Principal name represents a Kerberos version 5 Principal.
  • NT_EXPORT_NAME (OID 1.3.6.1.5.6.4):
    The Principal name represents an exported canonical byte representation of the name, which can be used, for example, when searching for the Principal in an ACL (Access Control List).
  • NT_HOSTBASED_SERVICE (OID 1.3.6.1.5.6.2):
    The Principal name identifies a service associated with a specific host.

You can add a new Principal Type by clicking the Add button. The name entered in the Name field of the Kerberos Principal Name OID dialog must correspond to one of the constant fields defined in the org.ietf.jgss.GSSName Java class, and the corresponding OID for that name type must be entered in the OID field of the dialog. Refer to the Javadoc for the GSSName class for the other allowable name types and their OIDs.
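The NT_EXPORT_NAME entry above is the one type in the list whose value is a byte string rather than a human-readable name. The example below, added here as an illustration and not taken from the documentation or the product, builds and parses that exported-name token as laid out in RFC 2743 section 3.2: a two-byte token id 0x04 0x01, the DER-encoded mechanism OID with a two-byte length, then the mechanism-specific name with a four-byte length. For the Kerberos v5 mechanism (OID 1.2.840.113554.1.2.2, from RFC 1964) the mechanism-specific name is the principal's textual form. The OID table is copied from the page; the sample principal and the hypothetical ACL lookup are constructed for the example.

```python
"""Encode and decode GSS-API exported names (RFC 2743 s.3.2) for Kerberos v5."""
import struct

# Principal Name Types and OIDs as listed on the page, mirroring org.ietf.jgss.GSSName.
NAME_TYPE_OIDS = {
    "NT_USER_NAME": "1.2.840.113554.1.2.1.1",
    "KERBEROS_V5_PRINCIPAL_NAME": "1.2.840.113554.1.2.2.1",
    "NT_EXPORT_NAME": "1.3.6.1.5.6.4",
    "NT_HOSTBASED_SERVICE": "1.3.6.1.5.6.2",
}
KRB5_MECH_OID = "1.2.840.113554.1.2.2"   # Kerberos v5 mechanism OID (RFC 1964)
EXPORT_TOKEN_ID = b"\x04\x01"            # fixed TOK_ID of an exported name token


def der_encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                   # high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)


def der_decode_oid(der: bytes) -> str:
    """Inverse of der_encode_oid; rejects anything that is not a short-form OID."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def export_name(principal: str, mech_oid: str = KRB5_MECH_OID) -> bytes:
    """Build the NT_EXPORT_NAME token for a textual Kerberos principal."""
    oid = der_encode_oid(mech_oid)
    name = principal.encode("utf-8")
    return (EXPORT_TOKEN_ID + struct.pack(">H", len(oid)) + oid
            + struct.pack(">I", len(name)) + name)


def import_exported_name(token: bytes):
    """Parse an exported name token, returning (mechanism OID, principal text).

    Every length is checked against the real token size so a truncated or
    padded token from an untrusted source is rejected instead of misread.
    """
    if token[:2] != EXPORT_TOKEN_ID:
        raise ValueError("bad exported-name token id")
    (oid_len,) = struct.unpack(">H", token[2:4])
    oid = token[4:4 + oid_len]
    if len(oid) != oid_len:
        raise ValueError("truncated mechanism OID")
    pos = 4 + oid_len
    (name_len,) = struct.unpack(">I", token[pos:pos + 4])
    name = token[pos + 4:pos + 4 + name_len]
    if len(name) != name_len or pos + 4 + name_len != len(token):
        raise ValueError("name length does not match token size")
    return der_decode_oid(oid), name.decode("utf-8")


def acl_permits(acl: dict, token: bytes) -> bool:
    """Hypothetical ACL keyed on exported names, as the NT_EXPORT_NAME entry describes.

    Keying on the mechanism-tagged bytes means "alice@ABC.COM" authenticated via
    Kerberos cannot collide with a same-looking name from another mechanism.
    """
    return acl.get(token, False)


if __name__ == "__main__":
    tok = export_name("user/admin@ABC.COM")             # constructed sample principal
    print(tok.hex())
    print(import_exported_name(tok))
    print(acl_permits({tok: True}, tok))
```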

Important Note:
OIDs and Principal Type Names should only be changed to reflect changes in the underlying GSS API. For this reason, you should only Edit existing Principal Types under strict supervision from the Oracle support team.