Question

There are several types of Kerberos principals. A regular user principal like michael-o@COMPANY.COM would be KRB_NT_PRINCIPAL. But what about a service like HTTP/host.company.com@COMPANY.COM? There are a few possible types like KRB_NT_SRV_{INST|HST|XHST}. What is the correct one?

From my understanding INST is for TGTs only. I would assume that the correct answer should be HST. I wasn't able to find a clue in Oracle's JDK source code but these two contradicting points: 1 vs. 2.


Solution

RFC 4120 section 7.5.8 defines the nametypes. In practice most everything uses KRB_NT_SRV_HST. I have never seen KRB_NT_SRV_XHST except in the RFCs and in test code. In general KRB_NT_SRV_INST is used when the second component is not a hostname. Examples include TGTs, or other replicated services where it doesn't matter which host you get. However, name types don't matter that much. Section 6.2 describes this:

As was the case for realm names, conventions are needed to ensure that all agree on what information is implied by a principal name. The name-type field that is part of the principal name indicates the kind of information implied by the name. The name-type SHOULD be treated only as a hint to interpreting the meaning of a name. It is not significant when checking for equivalence. Principal names that differ only in the name-type identify the same principal. The name type does not partition the name space. Ignoring the name type, no two names can be the same (i.e., at least one of the components, or the realm, MUST be different). The following name types are defined:

Modern Kerberos implementations do treat KRB_NT_SRV_HST a bit specially. In particular, they are more likely to generate cross-realm referrals based on the hostname in the second component of such a principal. So if the first component identifies a service and the second identifies a host name, SRV_HST is best.

OTHER TIPS

RFC 1510 is a better reference for this. See http://www.rfc-editor.org/rfc/rfc1510.txt section 7.2.1 "The principal identifier for a server on a host will generally be composed of two parts: (1) the realm of the KDC with which the server is registered, and (2) a two-component name of type NT-SRV-HST if the host name is an Internet domain name or a multi-component name of type NT-SRV-XHST if the name of the host is of a form such as X.500 that allows slash (/) separators. The first component of the two- or multi-component name will identify the service and the latter components will identify the host. Where the name of the host is not case sensitive (for example, with Internet domain names) the name of the host must be lower case. For services such as telnet and the Berkeley R commands which run with system privileges, the first component will be the string "host" instead of a service specific identifier. "
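The two rules the answers above lean on, name-type is ignored for equivalence (RFC 4120 section 6.2) and service/hostname principals take NT-SRV-HST with the host in lower case (RFC 1510 section 7.2.1), are small enough to check in code. The following is an added example, not code from either answer or from any Kerberos library. It parses a textual principal, picks the conventional name-type from the principal's shape, and compares principals the way the RFC says to. The hostname test (`_HOSTNAME_RE`) and the treatment of any non-hostname second component as KRB_NT_SRV_INST are this example's own heuristics; backslash-escaped separators are not handled.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Name-type values as listed in RFC 4120 section 6.2 / 7.5.8.
KRB_NT_UNKNOWN = 0
KRB_NT_PRINCIPAL = 1
KRB_NT_SRV_INST = 2
KRB_NT_SRV_HST = 3
KRB_NT_SRV_XHST = 4

# Heuristic, an assumption of this example: a "hostname" is a dotted
# Internet domain name (letters, digits, hyphens, at least one dot).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class PrincipalName:
    """A principal: realm, name components, and the advisory name-type."""
    realm: str
    components: Tuple[str, ...]
    name_type: int = KRB_NT_UNKNOWN


def parse_principal(text: str, name_type: int = KRB_NT_UNKNOWN) -> PrincipalName:
    """Split 'comp1/comp2/...@REALM' into its parts.

    Simplification (example assumption): backslash-escaped '/' and '@'
    inside components are not handled.
    """
    if "@" not in text:
        raise ValueError("principal must carry a realm: " + text)
    name, realm = text.rsplit("@", 1)
    components = tuple(name.split("/"))
    if not realm or any(c == "" for c in components):
        raise ValueError("empty component or realm in " + text)
    return PrincipalName(realm, components, name_type)


def same_principal(a: PrincipalName, b: PrincipalName) -> bool:
    """RFC 4120 6.2: name-type is only a hint and is ignored for equivalence."""
    return a.realm == b.realm and a.components == b.components


def suggest_name_type(p: PrincipalName) -> int:
    """Pick the conventional name-type for a principal's shape.

    One component: an ordinary user -> KRB_NT_PRINCIPAL.
    krbtgt/REALM, or a second component that is not a hostname
    (replicated service, per the accepted answer) -> KRB_NT_SRV_INST.
    service/hostname -> KRB_NT_SRV_HST.
    Three or more components (X.500-style host names per RFC 1510)
    -> KRB_NT_SRV_XHST.
    """
    n = len(p.components)
    if n == 1:
        return KRB_NT_PRINCIPAL
    if n == 2:
        service, instance = p.components
        # The TGT instance is a realm name, which can look like a hostname,
        # so it is checked explicitly before the hostname heuristic.
        if service == "krbtgt" or not _HOSTNAME_RE.match(instance):
            return KRB_NT_SRV_INST
        return KRB_NT_SRV_HST
    return KRB_NT_SRV_XHST


def canonical_host_principal(p: PrincipalName) -> PrincipalName:
    """RFC 1510 7.2.1: with NT-SRV-HST the host component (an Internet
    domain name, not case sensitive) must be lower case."""
    if p.name_type != KRB_NT_SRV_HST or len(p.components) != 2:
        return p
    service, host = p.components
    return PrincipalName(p.realm, (service, host.lower()), p.name_type)


if __name__ == "__main__":
    # Constructed sample principals, not taken from any real realm.
    for text in ("michael-o@COMPANY.COM",
                 "HTTP/host.company.com@COMPANY.COM",
                 "krbtgt/COMPANY.COM@COMPANY.COM",
                 "host/a/b/c@COMPANY.COM"):
        p = parse_principal(text)
        print(f"{text:40s} -> name-type {suggest_name_type(p)}")
```

The point to take from `same_principal` is that a peer or a keytab lookup that keys on name-type as well as on the components is applying a distinction the protocol does not make; two entries differing only in name-type denote one principal and should be treated as one when checking identity.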

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow