There are several types of Kerberos principals. A regular user principal like [email protected] would be KRB_NT_PRINCIPAL. But what about a service like HTTP/[email protected]? There are a few possible types like KRB_NT_SRV_{INST|HST|XHST}. What is the correct one?
From my understanding INST is for TGTs only. I would assume that the correct answer should be HST. I wasn't able to find a clue in Oracle's JDK source code but these two contradicting points: 1 vs. 2.
RFC 4120 section 7.5.8 defines the nametypes. In practice most everything uses KRB_NT_SRV_HST. I have never seen KRB_NT_SRV_XHST except in the RFCs and in test code. In general KRB_NT_SRV_INST is used when the second component is not a hostname. Examples include TGTs, or other replicated services where it doesn't matter which host you get. However, name types don't matter that much. Section 6.2 describes this: