Connector Guides › Connectors Guide › Connecting to Endpoints › Kerberos Connector › Kerberos Connector Limitations › Naming Limitations › Principal Naming Limitations

Principal Naming Limitations

• The double quote character (“) is used by kadmin only as a quoting character. kadmin does not accept this character as part of a principal name. As a result, the connector will reject principal names containing this character.
• The @ character delimits principal names from realm names, and as such cannot be part of a principal or realm name.

  The connector and kadmin will accept an account name in the form name@realm, but if realm is not the same as the realm specified by the endpoint, kadmin will treat this as a cross-realm principal. As a result, even though an entry for this principal will be included in the Kerberos database, unless you configure cross-realm authentication properly, this principal may not be able to authenticate to any KDC. If an account name with more than one @ character is used, kadmin will display a Malformed name error.

• The backslash character (\) is not properly supported. There are cases where, in a sequence of one or more backslash characters, one character may be dropped depending on the character immediately succeeding the backslash. The connector will not prevent the creation of principal names with backslash characters, but we recommend that you use the backslash character with caution.
• The hash (#) character can be used to start a principal name in kadmin. However, due to DN syntax limitations, the hash at the beginning of a principal name will be escaped with a backslash character (\). Within The Provisioning Manager, this escape character will always be present, but in the Kerberos system, the principal name will not have the escape character.