diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2040bfc3..8accfa8b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,11 +19,16 @@ All notable changes to this project will be documented in this file.
 
 - Default to OCI for image metadata ([#544]).
 
+### Fixed
+
+- Underscores are now allowed in Kerberos principal names ([#563]).
+
 [#528]: https://github.com/stackabletech/secret-operator/pull/528
-[#548]: https://github.com/stackabletech/secret-operator/pull/548
-[#552]: https://github.com/stackabletech/secret-operator/pull/552
 [#544]: https://github.com/stackabletech/secret-operator/pull/544
 [#546]: https://github.com/stackabletech/secret-operator/pull/546
+[#548]: https://github.com/stackabletech/secret-operator/pull/548
+[#552]: https://github.com/stackabletech/secret-operator/pull/552
+[#563]: https://github.com/stackabletech/secret-operator/pull/563
 
 ## [24.11.1] - 2025-01-10
 
diff --git a/rust/operator-binary/src/crd.rs b/rust/operator-binary/src/crd.rs
index 9c8a9120..bb388746 100644
--- a/rust/operator-binary/src/crd.rs
+++ b/rust/operator-binary/src/crd.rs
@@ -328,7 +328,7 @@ pub struct KerberosPrincipal(String);
 #[snafu(module)]
 pub enum InvalidKerberosPrincipal {
     #[snafu(display(
-        "principal contains illegal characters (allowed: alphanumeric, /, @, -, and .)"
+        "principal contains illegal characters (allowed: alphanumeric, /, @, -, _, and .)"
     ))]
     IllegalCharacter,
 
@@ -342,7 +342,12 @@ impl TryFrom<String> for KerberosPrincipal {
         if value.starts_with('-') {
             invalid_kerberos_principal::StartWithDashSnafu.fail()
         } else if value.contains(|chr: char| {
-            !chr.is_alphanumeric() && chr != '/' && chr != '@' && chr != '.' && chr != '-'
+            !chr.is_alphanumeric()
+                && chr != '/'
+                && chr != '@'
+                && chr != '.'
+                && chr != '-'
+                && chr != '_'
         }) {
             invalid_kerberos_principal::IllegalCharacterSnafu.fail()
         } else {