Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to disable the subject alternative name for UPN mapping in Windows Server

View products that this article applies to.


User principal uame (UPN) mapping is a special case of one-to-one mapping that is used in Active Directory Domain Services (AD DS). This article introduces the steps to turn off UPN mapping on a domain, and how to use other explicit mapping by disabling the subject alternative name (SAN) through Registry Editor.

↑ Back to the top

More information


This setting is typically used when the deployed client certificate contains a SAN extension that has a value that you want to ignore in favor of an explicit mapping. To disable the SAN for UPN mapping, follow these steps:

  1. Open Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
  3. Set the DWORD value of UseSubjectAltName to 00000000.

Note The value of UseSubjectAltName must be set on all key distribution centers (KDC) for the domain.


The client-side registry setting is required in addition to the KDC setting when the following conditions are true:

  • Certificate mapping (AltSecID) is used.
  • The client certificate contains a UPN in the SAN extension of the certificate.
  • It's not desirable to use domain hints.

On the clients, follow these steps:

  1. Open Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  3. Add a DWORD value of UseSubjectAltName, and then set it to 00000000.

↑ Back to the top

Keywords: kbhowto, disable UPN mapping, how to disable the subject alternative name for upn mapping, kb, kbsurveynew

↑ Back to the top

Article Info
Article ID : 4043463
Revision : 7
Created on : 9/30/2018
Published on : 10/2/2018
Exists online : False
Views : 946