Kerberos UserIdentityTokens can be passed to the Server using the IssuedIdentityToken. The body of the token is an XML element that contains the WS-Security token as defined in the Kerberos Token Profile (Kerberos) specification.

Servers that support Kerberos authentication shall provide a UserTokenPolicy which specifies what version of the Kerberos Token Profile is being used, the Kerberos Realm and the Kerberos Principal Name for the Server. The Realm and Principal name are combined together with a simple syntax and placed in the issuerEndpointUri as shown in Table 37.

Table 37 – Kerberos UserTokenPolicy

| Name | Description |
|---|---|
| tokenType | ISSUEDTOKEN_3 |
| issuedTypeType | http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1 |
| issuerEndpointUri | A string with the form `\\<realm>\<server principal name>` where `<realm>` is the Kerberos realm name (e.g. Windows Domain); `<server principal name>` is the Kerberos principal name for the OPC UA Server. |

The interface between the Client and Server applications and the Kerberos Authentication Service is application specific. The realm is the DomainName when using a Windows Domain controller as the Kerberos provider.
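One way a Client could check a Server-advertised Kerberos UserTokenPolicy against Table 37 before handing the realm and principal name to its Kerberos interface. This is an added example, not part of the specification: the dict layout, the function names, the `trusted_realms` allow-list and the sample values are assumptions.

```python
from typing import NamedTuple

# Profile URI listed in Table 37.
KERBEROS_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"

class KerberosIssuer(NamedTuple):
    realm: str
    principal: str

def parse_issuer_endpoint_uri(value: str) -> KerberosIssuer:
    r"""Split '\\<realm>\<server principal name>' into realm and principal."""
    if not value.startswith("\\\\"):
        raise ValueError("issuerEndpointUri must start with two backslashes")
    # The realm ends at the first backslash after the leading pair.
    realm, sep, principal = value[2:].partition("\\")
    if not (sep and realm and principal):
        raise ValueError("issuerEndpointUri needs a realm and a principal name")
    # Assumption (not in the spec): reject extra backslashes, whitespace and
    # control characters so a crafted value cannot smuggle a third component.
    for part in (realm, principal):
        if "\\" in part or any(c.isspace() or not c.isprintable() for c in part):
            raise ValueError("unexpected character in issuerEndpointUri")
    return KerberosIssuer(realm, principal)

def check_kerberos_policy(policy: dict, trusted_realms: set) -> KerberosIssuer:
    """Validate the three Table 37 fields; return the parsed realm/principal."""
    if policy.get("tokenType") != "ISSUEDTOKEN_3":
        raise ValueError("not an issued-token policy")
    if policy.get("issuedTypeType") != KERBEROS_PROFILE:
        raise ValueError("not the Kerberos Token Profile named in Table 37")
    issuer = parse_issuer_endpoint_uri(policy.get("issuerEndpointUri") or "")
    # Assumption: the Client only requests tickets for realms it was configured
    # to trust, because the policy is supplied by the Server.
    if issuer.realm not in trusted_realms:
        raise ValueError("realm %r is not in the trusted list" % issuer.realm)
    return issuer

# Constructed sample policy; realm and principal are placeholders.
SAMPLE_POLICY = {
    "tokenType": "ISSUEDTOKEN_3",
    "issuedTypeType": KERBEROS_PROFILE,
    "issuerEndpointUri": "\\\\EXAMPLE.COM\\opcua/server1.example.com",
}

if __name__ == "__main__":
    print(check_kerberos_policy(SAMPLE_POLICY, {"EXAMPLE.COM"}))
```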