xref: /freebsd/crypto/krb5/src/windows/leash/htmlhelp/html/Kerberos_Terminology.htm (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html><head>
<meta name="GENERATOR" content="Microsoft® HTML Help Workshop 4.1">
<link rel="stylesheet" type="text/css" href="Leash.css">
<title>Kerberos Terminology</title></head>

<body>
<h1><a name="top"> Kerberos Terminology</a></h1>
<p>
It is helpful to understand three terms when using Kerberos: <a href="#principal">principals</a>, <a href="#realm">realms</a>, and <a href="#ticket">tickets</a>.</p>
<p>
<table>
<tbody><tr>
<th><a name="principal">Principals</a></th>
</tr>
<tr>
<td>
A Kerberos <i>principal</i> is a unique identity that uses
Kerberos. For users, it is the identity you use to log on to Kerberos.
Principals are a combination of your user name and the name of the <a href="#realm">realm</a> (or domain) you belong to, in the form <span class="typed">username@REALM.NAME</span>. For example: <span class="typed">jdoe@SALES.WIDGET.COM</span>.
Some people will have more than one principal. An administrator might
have a regular principal and a separate one with administrative rights.
Or, if a particular installation uses multiple realms and requires a
separate log-on for each one, people with access to multiple realms
will have a principal for each realm.
<p></p>
Because Kerberos provides <em>mutual</em> authentication, the
network resources that use Kerberos also have unique principals.
However, you do not need to know a service's principal to access it.<p></p>
<a href="#top">Back to Top</a>
</td>
</tr>
<tr>
<th> <a name="realm"> Realms</a> </th>
</tr>
<tr>
<td>
Kerberos <i>realms</i> are a way of logically grouping
resources and identities that use Kerberos. Your realm is the home of
your Kerberos identity and your point of entry to the network resources
controlled by Kerberos. In Windows, realms are called <em>domains</em>.
<p></p>
When a Kerberos installation is set up, administrators decide how to
group identities and network resources into realms. For example, some
installations group all network resources into one realm. Others group
all identities into one realm that is solely used as an entry point to
resources grouped in other realms. Depending on your installation and
your needs, you might have a <a href="#principal">principal</a>
(or principals) in only one realm that provides you with all the access
you need, or you might have different principals for accessing
different realms.
<p></p>Realms are usually named after the DNS domain they correspond
to, but using all upper case letters. For example, Widget Makers
Incorporated might have a realm named <span class="typed">WIDGETMAKERSINC.COM</span>. By definition, each network resource in a Kerberos realm uses the same Kerberos installation for authentication.<p></p>
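<p>As an added illustration for the Principals and Realms sections (not part of the original help page, and not code from Leash or MIT Kerberos), the following Python splits a principal name of the form <span class="typed">username@REALM.NAME</span> into its name and realm parts, derives the conventional realm name from a DNS domain, and flags a realm that breaks the all-upper-case convention. The backslash escaping and the <span class="typed">primary/instance</span> split follow the usual MIT krb5 principal-name conventions, which this page does not describe; the default-realm handling is an assumption made for the example.</p>

```python
"""Parse Kerberos principal names (username@REALM.NAME) and derive realm names.

Added example; not code from the Leash help page or MIT Kerberos.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    name: str   # everything before the '@', e.g. "jdoe" or "jdoe/admin"
    realm: str  # everything after the '@', e.g. "SALES.WIDGET.COM"

    @property
    def components(self) -> List[str]:
        # Conventional primary/instance split (assumed convention, not on the page).
        return self.name.split("/")


def realm_for_domain(dns_domain: str) -> str:
    """Conventional realm name for a DNS domain: the same name, all upper case."""
    domain = dns_domain.strip().rstrip(".")
    if not domain:
        raise ValueError("empty DNS domain")
    return domain.upper()


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split at the first unescaped '@'; a backslash escapes the next character.

    A principal with no '@' belongs to default_realm, if one is given (assumption).
    """
    name_chars: List[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            name_chars.append(text[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == "@":
            realm = text[i + 1:]            # the rest of the string is the realm
            break
        name_chars.append(ch)
        i += 1
    name = "".join(name_chars)
    if not name:
        raise ValueError("principal has an empty name part: %r" % text)
    if realm is None:
        if default_realm is None:
            raise ValueError("principal %r has no realm and no default realm was given" % text)
        realm = default_realm
    if not realm:
        raise ValueError("principal %r has an empty realm" % text)
    return Principal(name, realm)


def realm_warnings(principal: Principal) -> List[str]:
    """Non-fatal checks against the naming conventions described on the page."""
    warnings: List[str] = []
    if principal.realm != principal.realm.upper():
        warnings.append("realm %r is not all upper case" % principal.realm)
    if "@" in principal.realm:
        warnings.append("realm %r contains '@'" % principal.realm)
    return warnings
```

<p>Parsing <span class="typed">jdoe@SALES.WIDGET.COM</span> yields the name <span class="typed">jdoe</span> and the realm <span class="typed">SALES.WIDGET.COM</span>; a principal written as <span class="typed">jdoe@sales.widget.com</span> still parses, but <span class="typed">realm_warnings</span> reports the lower-case realm.</p>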
<a href="#top">Back to Top</a>
</td>
</tr>

<tr>
<th> <a name="ticket">Tickets</a></th>
</tr>
<tr>
<td>
Kerberos uses the concept of <i>tickets</i> to keep passwords
from being transmitted in the clear and to provide users the
convenience of a single log-on to access multiple services and hosts. <p></p>
Once you provide a valid principal and password, Kerberos issues you
a ticket with a limited lifetime. This ticket is an encrypted block of
data that authenticates you. In most cases the ticket allows you to
access all of the appropriate network resources in the realm you use,
for the lifetime of the ticket, without having to take any further
action. <p></p>
When you access one of these resources, MIT Kerberos presents your
initial Ticket Granting Ticket (TGT) to the Kerberos ticket-granting service, which verifies
the ticket and then issues a separate ticket that allows access to that
resource. You don't have to worry about obtaining or managing these new
service tickets; they are issued automatically. Service tickets can be
viewed with MIT Kerberos but cannot be directly obtained or destroyed
through it.
<p></p>
Tickets contain two <a href="JavaScript:popup.TextPopup(popupEncryptionKey, popfont,9,9,-1,-1)">encryption keys</a>:
the ticket key and the session key. The ticket key is shared between
the Kerberos infrastructure and the service you are using. The session
key is shared between you and the service, and is used to encrypt and
decrypt communication with the service. <p></p>
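<p>As an added example for the Tickets section (not part of the original help page, and not code from Leash or MIT Kerberos), the following Python models the two keys described above. The service's long-term key plays the role of the ticket key: the Kerberos server seals the ticket under it, so the client can carry the ticket but cannot read or alter it. The session key inside the ticket is handed to the client separately, and the client proves possession of it with an authenticator that the service checks after opening the ticket with its own key. The "encryption" here is a toy stand-in (an HMAC-SHA256 keystream plus an HMAC tag) for a real Kerberos encryption type, the principal names are constructed, and the exchange is simplified to one ticket issuance; these are assumptions of the example, not a description of the real protocol messages.</p>

```python
"""Toy model of a Kerberos ticket's two keys: the ticket key and the session key.

Added example; not code from the Leash help page or MIT Kerberos. The sealing
primitive is a stand-in for a real Kerberos encryption type.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key` before decrypting it."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Holds every principal's long-term key; the service's key acts as the ticket key."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}

    def register(self, principal: str) -> bytes:
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]

    def issue_ticket(self, client: str, service: str, lifetime: float = 8 * 3600,
                     now: Optional[float] = None) -> Tuple[bytes, bytes]:
        """Return (ticket sealed under the service key, client's copy of the session key)."""
        now = time.time() if now is None else now
        session_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "session_key": session_key.hex(),
                                           "expires": now + lifetime})
        client_part = seal(self.keys[client], {"service": service,
                                               "session_key": session_key.hex(),
                                               "expires": now + lifetime})
        return ticket, client_part


def client_request(client_key: bytes, client: str, ticket: bytes, client_part: bytes,
                   now: Optional[float] = None) -> Tuple[bytes, bytes, bytes]:
    """Client recovers the session key and proves it holds it with an authenticator."""
    now = time.time() if now is None else now
    session_key = bytes.fromhex(unseal(client_key, client_part)["session_key"])
    authenticator = seal(session_key, {"client": client, "timestamp": now})
    return ticket, authenticator, session_key


def service_accept(service_key: bytes, service: str, ticket: bytes, authenticator: bytes,
                   now: Optional[float] = None, max_skew: float = 300) -> Tuple[str, bytes]:
    """Service opens the ticket with the ticket key, then the authenticator with the session key."""
    now = time.time() if now is None else now
    t = unseal(service_key, ticket)
    if t["service"] != service:
        raise ValueError("ticket was issued for a different service")
    if t["expires"] < now:
        raise ValueError("ticket has expired")
    session_key = bytes.fromhex(t["session_key"])
    a = unseal(session_key, authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match the ticket's client")
    if abs(a["timestamp"] - now) > max_skew:
        raise ValueError("authenticator timestamp outside the allowed clock skew")
    return t["client"], session_key


def demo() -> bool:
    """Full round trip with constructed principal names; True when both sides share the key."""
    kdc = KDC()
    client, service = "jdoe@SALES.WIDGET.COM", "host/fs.sales.widget.com@SALES.WIDGET.COM"
    client_key, service_key = kdc.register(client), kdc.register(service)
    ticket, client_part = kdc.issue_ticket(client, service)
    _, authenticator, client_session = client_request(client_key, client, ticket, client_part)
    who, service_session = service_accept(service_key, service, ticket, authenticator)
    return who == client and client_session == service_session
```

<p>Running <span class="typed">demo()</span> returns <span class="typed">True</span>: the service learns the client's principal from the ticket and both sides end up with the same session key. Calling <span class="typed">unseal</span> on the ticket with the client's own key fails the integrity check, which is the property that keeps the ticket key between the Kerberos infrastructure and the service; presenting the ticket after its lifetime is rejected by the expiry check.</p>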
<a href="#top">Back to Top</a>
</td>
</tr>
</tbody></table>
</p><h2>Related Help</h2>
<ul id="helpul">
<li><a href="HTML/Kerberos.htm">What is Kerberos?</a></li>
<li><a href="HTML/How_Kerberos_Works.htm">How does Kerberos work?</a></li>
<li><a href="HTML/Encryption_Types.htm">Encryption types</a></li>
</ul>

<script language="JavaScript">
popfont="Arial,.725,"
popupEncryptionKey="A value that a specific code or algorithm uses to make information unreadable to anyone without a matching key."
</script>

<object id="popup" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
</object>
</body></html>