diff --git a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl
index db2957783..a0a2d81f8 100644
--- a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl
+++ b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl
@@ -66,8 +66,16 @@ authenticate(_Credential, _State) ->
 %% Internal functions
 %%------------------------------------------------------------------------------
+%% @private Parse server principal to get server FQDN.
+%% The principal format is validated by config schema, so it can be assertive here.
+get_server_fqdn(Principal) ->
+ Pattern = "^([a-zA-Z0-9._-]+)/([a-zA-Z0-9.-]+)@",
+ {match, [_, FQDN]} = re:run(Principal, Pattern, [{capture, all_but_first, binary}]),
+ FQDN.
+
 auth_new(Principal) ->
- case sasl_auth:server_new(<<"emqx">>, Principal) of
+ ServerFQDN = get_server_fqdn(Principal),
+ case sasl_auth:server_new(<<"emqx">>, Principal, ServerFQDN) of
 {ok, SaslConn} ->
 {ok, SaslConn};
 Error ->
diff --git a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl
index 1177023ec..444340401 100644
--- a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl
+++ b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl
@@ -42,12 +42,8 @@ fields(kerberos) ->
 {principal,
 ?HOCON(binary(), #{
 required => true,
- desc => ?DESC(principal)
- })},
- {server_fqdn,
- ?HOCON(binary(), #{
- required => true,
- desc => ?DESC(server_fqdn)
+ desc => ?DESC(principal),
+ validator => fun validate_principal/1
 })},
 {keytab_file,
 ?HOCON(binary(), #{
@@ -62,3 +58,10 @@ desc(kerberos) ->
 "Settings for Kerberos authentication.";
 desc(_) ->
 undefined.
+
+validate_principal(S) ->
+ P = <<"^([a-zA-Z0-9\\._-]+)/([a-zA-Z0-9\\.-]+)(?:@([A-Z0-9\\.-]+))?$">>,
+ case re:run(S, P) of
+ nomatch -> {error, invalid_server_principal_string};
+ {match, _} -> ok
+ end.
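Review bot: The pattern in `get_server_fqdn/1` requires an `@` after the FQDN, but `validate_principal/1` in the emqx_authn_kerberos_schema.erl hunk makes the realm optional (`(?:@…)?$`), so a principal such as `mqtt/host.example.com` passes configuration and then crashes `auth_new/1` with `badmatch` on `nomatch` at authentication time — the opposite of what the `@private` comment promises. Either require the realm in the schema validator or accept its absence here: `Pattern = "^[a-zA-Z0-9._-]+/([a-zA-Z0-9.-]+)(?:@|$)",` followed by `{match, [FQDN]} = re:run(Principal, Pattern, [{capture, all_but_first, binary}]),`. Deriving both checks from one shared parser would keep them from drifting apart again. `auth_new/1` continues past the end of the hunk.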
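Review bot: Removing `server_fqdn` outright means existing configurations that still set it may fail schema checking on upgrade, since the key is no longer known to `fields(kerberos)`. Keeping the field with a `deprecated => {since, <VERSION>}` marker would let old configs load while the value is ignored, and a changelog line stating that the FQDN is now derived from `principal` would tell operators what changed. The `fields(kerberos)` list continues outside the hunk.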
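Review bot: The realm group in `validate_principal/1` only admits `[A-Z0-9\\.-]`; Kerberos realm names are case-sensitive and conventionally upper-case, but lower-case realms are legal, so a working principal like `mqtt/host@example.com` is rejected at config time. Relaxing the class to `[a-zA-Z0-9\\.-]` (or omitting the realm check and letting the KDC decide) avoids that false rejection. The regex also duplicates the service/FQDN part of the one in `get_server_fqdn/1`; a brief comment such as `%% Must stay in sync with emqx_authn_kerberos:get_server_fqdn/1` would at least make the coupling visible until the two share one definition.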
diff --git a/rel/i18n/emqx_authn_kerberos_schema.hocon b/rel/i18n/emqx_authn_kerberos_schema.hocon
index 5b62b8b0c..e5be35f13 100644
--- a/rel/i18n/emqx_authn_kerberos_schema.hocon
+++ b/rel/i18n/emqx_authn_kerberos_schema.hocon
@@ -8,19 +8,6 @@ principal {
 NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
 }
-server_fqdn {
- label: "Server FQDN"
- desc: """~
- This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
- However, it is not strictly necessary for it to be an accessible network address.
- Important considerations include:
-
- - It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
- - The client must use this exact value to request authentication services.
- This ensures that the client and server agree on the identity being authenticated.~"""
-}
-
 keytab_file {
 label: "Keytab File"
 desc: """~