is there a maximum "practical" length of Principal and Realm?

Harald Joerg harald.joerg at fujitsu-siemens.com
Tue Feb 4 07:41:38 EST 2003


I want to teach one of our applications to perform a basic Kerberos
authentication dialogue (receive KRB_AP_REQ, send KRB_AP_REP).

Somewhere in the application we have to check whether a Kerberos user
(principal@realm) is allowed to use the service, and at this place I
would like to restrict the length of the user name to some fixed
value.

Is there any "practical" agreement on how long principal@realm strings
can be? 128 would seem enough even if X.500 realms are involved.  I
have no technical difficulties with setting the limit to 256 or even
1024 bytes, but I'd feel rather foolish if the rest of the world knows
that no Kerberos admin ever has created such names....
-- 
Cheers,
haj

