Are port numbers supported in server principal names?

Markus Kuhn Markus.Kuhn at
Tue Mar 27 11:02:14 EDT 2018

Microsoft's ODBC driver for SQL Server appends a port number
after a colon to the domain name in a service principal name,
as in


and even relies on that port number to distinguish different
service instances on the same host:

  "For a TCP/IP connection the SPN is registered in the
   format MSSQLSvc/<FQDN>:<tcpport>. Both named instances
   and the default instance are registered as MSSQLSvc,
   relying on the <tcpport> value to differentiate the instances."

Since Microsoft's ODBC Driver for SQL Server is now also available
for Linux and macOS

people like myself are now commonly using it with MIT's Kerberos
client libraries.

This driver requests tickets for service principal names such as


i.e., with included port number:

I suspect that a lot of the mechanics in the MIT Kerberos
client libraries (e.g., to look up in DNS what
the realm associated with or
is in a cross-realm environment) do not cope with the
presence of the colon and port number in the SPN (NT-SRV-HST).

For example, the above SPN works in kvno (krb5-1.13.2, Ubuntu 16.04)
only after I remove the port number (whereas both SPNs are registered
in our Active Directory KDC):

$ kvno MSSQLSvc/
kvno: Server not found in Kerberos database while getting credentials for MSSQLSvc/

$ kvno MSSQLSvc/
MSSQLSvc/ kvno = 2

I could not find any mention of port numbers on service principal names
in MIT Kerberos related documentation or RFC 4120, but Microsoft seems
to consider this an essential feature, at least in its ODBC driver
for SQL Server.

Is this a known problem?

Is there any chance that MIT Kerberos (implementation and spec)
could be extended in future to allow port numbers after a colon in SPNs?

At first glance, it seems a perfectly useful extension to me.

Best regards,


P.S.: I am aware of the syntactic ambiguity caused by the fact that
colons are already used in numeric IPv6 addresses. One solution for
that may be to follow the syntax proposed in

for numeric IPv6 addresses and port numbers in URLs, namely to
require square brackets around numeric IPv6 addresses in URLs,
which if applied to SPNs would then look like


Markus Kuhn, Computer Laboratory, University of Cambridge || CB3 0FD, Great Britain
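
Added example, not part of the original message and not MIT Kerberos or Microsoft code: a sketch of how a client could split the port off a host-based SPN before using the host for realm lookup, using the bracketed IPv6 form suggested in the P.S. The names parse_spn and ParsedSPN and all hostnames are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional


class ParsedSPN(NamedTuple):
    service: str
    host: str            # the part a host-to-realm lookup should see
    port: Optional[int]
    realm: Optional[str]


def parse_spn(spn: str) -> ParsedSPN:
    """Split service/host[:port][@REALM]; an IPv6 literal with a port needs brackets."""
    name, _, realm = spn.partition("@")
    service, sep, hostport = name.partition("/")
    if not sep or not service or not hostport:
        raise ValueError(f"expected service/host, got {spn!r}")
    if hostport.startswith("["):
        # Bracketed form: [ipv6-literal] optionally followed by :port
        addr, closed, rest = hostport[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address in {spn!r}")
        host = str(ipaddress.IPv6Address(addr))
        port_text = rest[1:] if rest else None
    elif hostport.count(":") > 1:
        # Unbracketed IPv6 literal: a trailing ":1433" is indistinguishable
        # from the last address group, so no port is extracted here.
        host, port_text = str(ipaddress.IPv6Address(hostport)), None
    else:
        # DNS name or IPv4 literal: at most one colon, which introduces the port
        host, colon, tail = hostport.partition(":")
        port_text = tail if colon else None
    if not host:
        raise ValueError(f"empty host in {spn!r}")
    port = None
    if port_text is not None:
        if not (port_text.isascii() and port_text.isdigit() and 0 < int(port_text) < 65536):
            raise ValueError(f"invalid port {port_text!r} in {spn!r}")
        port = int(port_text)
    return ParsedSPN(service, host.lower(), port, realm or None)
```

With constructed input, parse_spn("MSSQLSvc/2001:db8::1:1433") returns the whole string after the slash as the host with no port, while parse_spn("MSSQLSvc/[2001:db8::1]:1433") returns host 2001:db8::1 and port 1433.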
