Tags: java, kerberos, principal, gssapi, jgss

Correct Kerberos principal type for a hostbased service


There are several types of Kerberos principals. A regular user principal like michael-o@COMPANY.COM would be KRB_NT_PRINCIPAL. But what about a service like HTTP/host.company.com@COMPANY.COM? There are a few possible types like KRB_NT_SRV_{INST|HST|XHST}. What is the correct one?

From my understanding INST is for TGTs only. I would assume that the correct answer should be HST. I wasn't able to find a clue in Oracle's JDK source code but these two contradicting points: 1 vs. 2.


Solution

RFC 4120 section 7.5.8 defines the name types. In practice most everything uses KRB_NT_SRV_HST. I have never seen KRB_NT_SRV_XHST except in the RFCs and in test code. In general KRB_NT_SRV_INST is used when the second component is not a hostname. Examples include TGTs, or other replicated services where it doesn't matter which host you get. However, name types don't matter that much. Section 6.2 describes this:

    As was the case for realm names, conventions are needed to ensure that all agree on what information is implied by a principal name. The name-type field that is part of the principal name indicates the kind of information implied by the name. The name-type SHOULD be treated only as a hint to interpreting the meaning of a name. It is not significant when checking for equivalence. Principal names that differ only in the name-type identify the same principal. The name type does not partition the name space. Ignoring the name type, no two names can be the same (i.e., at least one of the components, or the realm, MUST be different). The following name types are defined:

Modern Kerberos implementations do treat KRB_NT_SRV_HST a bit specially. In particular, they are more likely to generate cross-realm referrals based on the hostname in the second component of such a principal. So if the first component identifies a service and the second identifies a host name, SRV_HST is best.
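As an added illustration (not code from the question or the answer, and not JGSS itself), the following Python model applies the RFC 4120 rules the answer cites: the name-type constants from section 7.5.8, equality that ignores the name type as section 6.2 requires, and the answer's rule of thumb for picking a type. The "dotted instance means host name" check and the helper names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Name-type values from RFC 4120 section 7.5.8.
KRB_NT_UNKNOWN = 0
KRB_NT_PRINCIPAL = 1   # plain user, e.g. michael-o@COMPANY.COM
KRB_NT_SRV_INST = 2    # service/instance where the instance is not a host (TGTs)
KRB_NT_SRV_HST = 3     # service/hostname, e.g. HTTP/host.company.com
KRB_NT_SRV_XHST = 4    # service with the host spread over the remaining components


@dataclass(frozen=True)
class PrincipalName:
    name_type: int
    components: Tuple[str, ...]
    realm: str

    @staticmethod
    def parse(text: str, name_type: int = KRB_NT_UNKNOWN) -> "PrincipalName":
        """Split 'svc/inst@REALM' into components and realm (no escape handling)."""
        if "@" not in text:
            raise ValueError("principal must carry a realm: " + text)
        name, realm = text.rsplit("@", 1)
        comps = tuple(name.split("/"))
        if not realm or "" in comps:
            raise ValueError("empty component or realm in " + text)
        return PrincipalName(name_type, comps, realm)

    def same_principal(self, other: "PrincipalName") -> bool:
        """RFC 4120 section 6.2: name-type is a hint and is ignored for equality."""
        return self.components == other.components and self.realm == other.realm

    def hostname_hint(self) -> Optional[str]:
        """Host a SRV_HST name refers to, the part implementations use for referrals."""
        if self.name_type == KRB_NT_SRV_HST and len(self.components) >= 2:
            return self.components[1]
        return None


def suggest_name_type(text: str) -> int:
    """Answer's rule of thumb (assumption: a dotted instance is a host name):
    single component -> PRINCIPAL, krbtgt -> SRV_INST, svc/host -> SRV_HST."""
    comps = PrincipalName.parse(text).components
    if len(comps) == 1:
        return KRB_NT_PRINCIPAL
    if comps[0] == "krbtgt" or "." not in comps[1]:
        return KRB_NT_SRV_INST
    return KRB_NT_SRV_HST
```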