Kerberos UserIdentityTokens can be passed to the Server using the IssuedIdentityToken. The body of the token is an XML element that contains the WS-Security token as defined in the Kerberos Token Profile (Kerberos) specification.

Servers that support Kerberos authentication shall provide a UserTokenPolicy which specifies what version of the Kerberos Token Profile is being used, the Kerberos Realm and the Kerberos Principal Name for the Server. The Realm and Principal name are combined together with a simple syntax and placed in the issuerEndpointUri as shown in Table 37.

Table 37 – Kerberos UserTokenPolicy







A string with the form \\<realm>\<server principal name> where

<realm> is the Kerberos realm name (e.g. Windows Domain);

<server principal name> is the Kerberos principal name for the OPC UA Server.

The interface between the Client and Server applications and the Kerberos Authentication Service is application specific. The realm is the DomainName when using a Windows Domain controller as the Kerberos provider.