<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html><head>
<meta name="GENERATOR" content="Microsoft® HTML Help Workshop 4.1">
<link rel="stylesheet" type="text/css" href="Leash.css">
<title>Kerberos Terminology</title></head>

<body>
<h1><a name="top">Kerberos Terminology</a></h1>
<p>
It is helpful to understand three terms when using Kerberos: <a href="#principal">principals</a>, <a href="#realm">realms</a>, and <a href="#ticket">tickets</a>.</p>
<p>
<table>
<tbody><tr>
<th><a name="principal">Principals</a></th>
</tr>
<tr>
<td>
A Kerberos <i>principal</i> is a unique identity that uses
Kerberos. For users, it is the identity you use to log on to Kerberos.
Principals are a combination of your user name and the name of the <a href="#realm">realm</a> (or domain) you belong to, in the form <span class="typed">username@REALM.NAME</span>. For example: <span class="typed">jdoe@SALES.WIDGET.COM</span>.
Some people will have more than one principal. An administrator might
have a regular principal and a separate one with administrative rights.
Or, if a particular installation uses multiple realms and requires a
separate log-on for each one, people with access to multiple realms
will have a principal for each realm.
<p></p>
Because Kerberos provides <em>mutual</em> authentication, the
network resources that use Kerberos also have unique principals.
However, you do not need to know a service's principal to access it.<p></p>
<a href="#top">Back to Top</a>
</td>
</tr>
<tr>
<th><a name="realm">Realms</a></th>
</tr>
<tr>
<td>
Kerberos <i>realms</i> are a way of logically grouping
resources and identities that use Kerberos. Your realm is the home of
your Kerberos identity and your point of entry to the network resources
controlled by Kerberos.
In Windows, realms are called <em>domains</em>.
<p></p>
When a Kerberos installation is set up, administrators decide how to
group identities and network resources into realms. For example, some
installations group all network resources into one realm. Others group
all identities into one realm that is used solely as an entry point to
resources grouped in other realms. Depending on your installation and
your needs, you might have a <a href="#principal">principal</a>
(or principals) in only one realm that provides you with all the access
you need, or you might have different principals for accessing
different realms.
<p></p>Realms are usually named after the DNS domain they correspond
to, but in all upper-case letters. For example, Widget Makers
Incorporated might have a realm named <span class="typed">WIDGETMAKERSINC.COM</span>. By definition, each network resource in a Kerberos realm uses the same Kerberos installation for authentication.<p></p>
<a href="#top">Back to Top</a>
</td>
</tr>

<tr>
<th><a name="ticket">Tickets</a></th>
</tr>
<tr>
<td>
Kerberos uses the concept of <i>tickets</i> to keep passwords
from being transmitted in the clear and to provide users the
convenience of a single log-on to access multiple services and hosts. <p></p>
Once you provide a valid principal and password, Kerberos issues you
a ticket with a limited lifetime. This ticket is an encrypted block of
data that authenticates you. In most cases the ticket allows you to
access all of the appropriate network resources in the realm you use,
for the lifetime of the ticket, without having to take any further
action. <p></p>
When you access one of these resources, MIT Kerberos presents your
initial Ticket Granting Ticket (TGT) on your behalf; Kerberos verifies
the ticket and then issues a separate ticket that allows access to that
service. <p></p>
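<p>To make the ticket structure described here concrete, the following is an added example (not code from Leash or MIT Kerberos): a toy model in which the Kerberos server (the KDC) seals a service ticket under the ticket key it shares with the service, and the client receives only the opaque ticket plus its own copy of the session key, which it then uses to prove itself to the service. The toy "encryption" (a SHA-256 keystream plus an HMAC tag), the function names and the sample principals are assumptions for illustration, not real Kerberos encryption types or APIs.</p>

```python
import hashlib, hmac, json, os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || nonce || counter) blocks (illustration only)
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, data: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under key: nonce || ciphertext || tag."""
    nonce, plain = os.urandom(16), json.dumps(data).encode()
    body = nonce + bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; ValueError on wrong key or tampering."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong ticket key or modified ticket")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))

def kdc_issue_service_ticket(client, service, ticket_key, lifetime, now):
    """KDC side: mint a fresh session key and seal it, with the client's
    principal and an expiry, under the ticket key shared with the service.
    The client receives the opaque ticket plus its own copy of the session key."""
    session_key = os.urandom(32)
    ticket = seal(ticket_key, {"client": client, "service": service,
                               "session_key": session_key.hex(),
                               "expires": now + lifetime})
    return ticket, session_key

def client_authenticator(session_key: bytes, now: int) -> dict:
    """Client side: prove knowledge of the session key by MACing a timestamp."""
    mac = hmac.new(session_key, str(now).encode(), hashlib.sha256).hexdigest()
    return {"time": now, "mac": mac}

def service_accept(ticket_key, ticket, auth, now) -> str:
    """Service side: open the ticket with its own key, recover the session key,
    check the lifetime, and verify the client's authenticator. Returns the
    authenticated client principal or raises ValueError."""
    t = unseal(ticket_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    expected = client_authenticator(bytes.fromhex(t["session_key"]), auth["time"])
    if not hmac.compare_digest(expected["mac"], auth["mac"]):
        raise ValueError("authenticator does not match the session key")
    return t["client"]
```

<p>A client holding only its own key can neither read nor alter the sealed ticket, which is why you never need the service's ticket key to use the service.</p>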
You don't have to worry about obtaining or managing these new
service tickets; they are issued automatically. Service tickets can be
viewed with MIT Kerberos but cannot be directly obtained or destroyed
through it.
<p></p>
Tickets contain two <a href="JavaScript:popup.TextPopup(popupEncryptionKey, popfont,9,9,-1,-1)">encryption keys</a>:
the ticket key and the session key. The ticket key is shared between
the Kerberos infrastructure and the service you are using. The session
key is shared between you and the service, and is used to encrypt and
decrypt communication with the service. <p></p>
<a href="#top">Back to Top</a>
</td>
</tr>
</tbody></table>
</p><h2>Related Help</h2>
<ul id="helpul">
<li><a href="HTML/Kerberos.htm">What is Kerberos?</a></li>
<li><a href="HTML/How_Kerberos_Works.htm">How does Kerberos work?</a></li>
<li><a href="HTML/Encryption_Types.htm">Encryption types</a></li>
</ul>

<script language="JavaScript">
popfont="Arial,.725,"
popupEncryptionKey="A value that a specific code or algorithm uses to make information unreadable to anyone without a matching key."
</script>

<object id="popup" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
</object>
</body></html>