Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 1.9. What is the format of principals?

Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.8. What are the differences between AFS Kerberos and "normal" Kerberos?
Next Document: 1.10. How are realms named? Do they really have to be uppercase?
In Kerberos 4, a principal was divided into three parts:

  1. The principal name
  2. An optional instance
  3. The Kerberos realm

Kerberos 4 principals are written in the following format:

name.instance@realm

Kerberos 5 principals are written in a slightly different format:

component/component/component@realm

The terms "name" and "instance" are still used for the first and the second
components respectively.

Note that in both Kerberos 4 and Kerberos 5, the way principals are
encoded as strings has nothing to do with the way they are stored
internally in Kerberos.

There is an established convention as to how principals are named.
Generally, you will encounter three different types of principals.

  1. A principal without an instance. This is used for users, with the
     username being used as the principal name. Some examples:

     kenh@CMF.NRL.NAVY.MIL
     tytso@ATHENA.MIT.EDU

  2. A principal with a hostname for an instance. This is used to
     distinguish between the same service on different machines. Some
     examples:

     host/foo.bar.org@BAR.ORG
     ftp/blah.bar.org@BAR.ORG

  3. A principal with a unique instance that is not a hostname. For these
     principals the instance has other significance.

     krbtgt/BAR.ORG@BAR.ORG
     krbtgt/FOO.ORG@BAR.ORG

While the specification for Kerberos 5 allows more than two components, in
practice this is not used.

The two most important differences between Kerberos 4 principals and
Kerberos 5 principals are:

  1. The instance separator in Kerberos 4 is a period (.) where in Kerberos
     5 the instance separator is a forward slash (/).
  2. In principals where the hostname is used as the instance, the "short"
     hostname (without a domain name) is used as the instance for Kerberos
     4. In Kerberos 5, the fully qualified domain name is used as the
     instance.
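The two syntaxes and the three naming conventions above, as an added example that is not part of the FAQ: a small Python parser for each form, a classifier for the three conventional principal types, and a renderer that writes a Kerberos 4 principal in Kerberos 5 syntax. It goes beyond the FAQ in one respect: backslash escaping of "/", "@" and "\" inside a Kerberos 5 component, as specified in RFC 1964, is assumed, and the domain used to qualify a Kerberos 4 short hostname is supplied by the caller.

```python
def parse_k5(text):
    """Parse 'c1/c2/...@REALM'; a backslash escapes '/', '@' or '\\' in a component (RFC 1964 quoting, assumed here)."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if realm is None and ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2; continue      # escaped separator
        if realm is None and ch == "/":
            comps.append("".join(cur)); cur = []            # end of a component
        elif realm is None and ch == "@":
            comps.append("".join(cur)); cur, realm = [], []  # rest is the realm
        else:
            (cur if realm is None else realm).append(ch)
        i += 1
    if not realm or "" in comps:
        raise ValueError("malformed Kerberos 5 principal: %r" % text)
    return comps, "".join(realm), 5

def parse_k4(text):
    """Parse 'name.instance@REALM' or 'name@REALM'; the first '.' ends the name."""
    local, _, realm = text.partition("@")
    comps = local.split(".", 1)
    if not realm or "@" in realm or "" in comps:
        raise ValueError("malformed Kerberos 4 principal: %r" % text)
    return comps, realm, 4

def classify(principal):
    """Map a (components, realm, version) tuple onto the FAQ's three conventional types."""
    comps, _, version = principal
    if len(comps) == 1:
        return "user"
    if len(comps) != 2:
        return "multi-component (allowed by Kerberos 5, rare in practice)"
    name, instance = comps
    if name == "krbtgt":
        return "ticket-granting service"   # the instance is a realm, not a host
    # a K5 host instance is an FQDN (has a dot); a K4 host instance is the short name
    if ("." in instance) == (version == 5):
        return "host-based service"
    return "other instance"

def format_k5(principal, domain=None):
    """Render in Kerberos 5 syntax; a K4 short host instance is qualified with the caller-supplied domain."""
    comps, realm, version = principal; comps = list(comps)
    if version == 4 and domain and classify(principal) == "host-based service":
        comps[1] += "." + domain
    esc = lambda c: c.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(esc(c) for c in comps) + "@" + realm
```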

Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>

Last Update March 27 2014 @ 02:11 PM