
Currently I am configuring Hadoop to use MIT Kerberos to secure its access. As part of it, we had to create a few service principals dedicated to each service, with the host name.

But I don't understand the use of a service principal. Why/how does an application server need it to authenticate other users' service tickets?

I couldn't get the procedure/steps that an application server follows to authenticate the users who are trying to use it.

I followed the blog below to understand the sequence of steps taken to generate service tickets. But it didn't explain how the application server uses the service ticket to identify the user. Can anyone please explain that step?

http://www.markwilson.co.uk/blog/2005/06/kerberos-authentication-explained.htm

kavig

A service ticket is not about *authentication* (that's the job of the TGT), it's about *authorization* -- OK, you are user A, but are you allowed to connect to service Z on host KK? http://fr.slideshare.net/steve_l/hadoop-and-kerberos-the-madness-beyond-the-gate-january-2016-edition – Samson Scharfrichter Jun 09 '16 at 08:01

1 Answer

Why does an application server need service principals to authenticate other users' service tickets?

A service principal is an abstraction which represents the application server in a Kerberos realm. A service principal, just like a user principal, has a password. One copy of this password is stored in the KDC and another on the host with the application server, in a special file called a keytab. So, a ticket for a particular application server is encrypted by the KDC with the corresponding password and can be decrypted only by the application server.

What steps does an application server follow to authenticate the users who are trying to use it?

The application server gets the service ticket from the user and decrypts it with its own copy of the service principal's password. Then it gets the raw content of the service ticket.

How does the application server use the service ticket to identify the user?

The raw content of the service ticket contains the username, that's all.

olmstad
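The answer above describes the AP_REQ step in words: the KDC seals the ticket under the service principal's key, the service unseals it with its keytab copy, and the client name falls out. The following is an added example, not code from the question or answer, that models both sides of that exchange (KDC, client, and the service) so the checks a real acceptor performs are visible: keytab lookup by service principal and key version number (kvno), ticket decryption, ticket/authenticator client-name match, clock skew, and a replay cache. It goes slightly beyond the answer by also showing what happens when the keytab is stale after a key rotation and when a ticket was issued for a different host's principal. Everything here is assumed for illustration: the Hadoop-style principal names `nn/nn01.example.com@EXAMPLE.COM` and `dn/dn01.example.com@EXAMPLE.COM`, the fixed clock, and the encryption routine, which is a stdlib-only encrypt-then-MAC stand-in for a real Kerberos encryption type such as aes256-cts-hmac-sha1-96 and must not be used as a cipher anywhere else.

```python
"""Toy model of the Kerberos AP_REQ step (added example, not the page's own code).
KDC issues a service ticket under the service principal's key; the service decrypts it
with its keytab copy of that key, learns the client's name and the session key, and
then verifies the client's authenticator."""
import hashlib
import hmac
import json
import secrets

CLOCK_SKEW = 300   # seconds; the MIT Kerberos default for acceptable skew
TAG_LEN = 32


# --- stand-in for a Kerberos encryption type: encrypt-then-MAC over an HMAC-SHA256
#     keystream. Only here to keep the example dependency-free; not a real Kerberos enctype.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, obj):
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# --- KDC side (TGS-REP, reduced): the ticket is encrypted under the *service's* key.
#     In the real protocol the session key reaches the client under the TGT session key;
#     here it is simply returned alongside the ticket.
def kdc_issue_ticket(kdc_db, cname, sname, now, lifetime=36000):
    kvno, service_key = kdc_db[sname]
    session_key = secrets.token_bytes(32)
    enc_part = {"cname": cname, "sname": sname, "key": session_key.hex(),
                "endtime": now + lifetime}
    ticket = {"sname": sname, "kvno": kvno,           # cleartext part: who can open it
              "enc_part": encrypt(service_key, enc_part).hex()}
    return ticket, session_key


# --- client side: AP_REQ = ticket + authenticator encrypted under the session key
def client_ap_req(ticket, session_key, cname, now):
    auth = {"cname": cname, "ctime": now, "cusec": secrets.randbelow(10**6)}
    return {"ticket": ticket, "authenticator": encrypt(session_key, auth).hex()}


# --- service side: this is the step the question asks about
def server_accept(keytab, ap_req, now, replay_cache):
    """Verify an AP_REQ. Returns the authenticated client principal, else raises."""
    ticket = ap_req["ticket"]
    key = keytab.get((ticket["sname"], ticket["kvno"]))   # keytab entry = (principal, kvno)
    if key is None:
        raise PermissionError(f"no key for {ticket['sname']} kvno {ticket['kvno']} in keytab")
    t = decrypt(key, bytes.fromhex(ticket["enc_part"]))  # only the named service can do this
    if t["endtime"] < now:
        raise PermissionError("ticket expired")
    auth = decrypt(bytes.fromhex(t["key"]), bytes.fromhex(ap_req["authenticator"]))
    if auth["cname"] != t["cname"]:
        raise PermissionError("authenticator/ticket client mismatch")
    if abs(auth["ctime"] - now) > CLOCK_SKEW:
        raise PermissionError("clock skew too large")
    replay_id = (t["cname"], auth["ctime"], auth["cusec"])
    if replay_id in replay_cache:
        raise PermissionError("replayed authenticator")
    replay_cache.add(replay_id)
    return t["cname"]            # the "username" the answer refers to


def demo():
    """Constructed scenario: a NameNode principal with kvno 2, a DataNode principal, one user."""
    now, realm = 1_700_000_000, "EXAMPLE.COM"          # assumed fixed clock and realm
    nn, dn = f"nn/nn01.example.com@{realm}", f"dn/dn01.example.com@{realm}"
    alice = f"alice@{realm}"
    kdc_db = {nn: (2, secrets.token_bytes(32)), dn: (1, secrets.token_bytes(32))}
    nn_keytab = {(nn, 2): kdc_db[nn][1]}               # what ktadd left on nn01 (no dn/ key)
    stale_keytab = {(nn, 1): secrets.token_bytes(32)}  # keytab extracted before a key rotation
    cache = set()
    ticket, sk = kdc_issue_ticket(kdc_db, alice, nn, now)
    req = client_ap_req(ticket, sk, alice, now)
    results = {"ok": server_accept(nn_keytab, req, now, cache)}
    dn_req = client_ap_req(*kdc_issue_ticket(kdc_db, alice, dn, now), alice, now)
    for name, keytab, r in [("replay", nn_keytab, req),
                            ("stale_keytab", stale_keytab, req),
                            ("wrong_service", nn_keytab, dn_req)]:
        try:
            server_accept(keytab, r, now, cache)
            results[name] = "accepted"
        except (PermissionError, ValueError) as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

Two of the failure branches map directly onto day-one Hadoop/Kerberos problems: the "no key for ... kvno" case is what you hit when a principal's key was rotated in the KDC (kvno bumped) but the old keytab is still on the host, and the "wrong service" case is why each daemon needs a keytab for its own `service/host@REALM` principal rather than a shared one. On MIT Kerberos, `klist -kt /path/to/service.keytab` lists the principal and kvno of every entry, so comparing it against the kvno in the KDC is the first check when a service refuses tickets.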