Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

How to disable the subject alternative name for UPN mapping in Windows Server



Summary

User principal name (UPN) mapping is a special case of one-to-one mapping that is used in Active Directory Domain Services (AD DS). This article describes how to turn off UPN mapping on a domain and rely on another explicit mapping instead, by disabling the subject alternative name (SAN) for UPN mapping through Registry Editor.



More information

Server-side

This setting is typically used when the deployed client certificate contains a SAN extension that has a value that you want to ignore in favor of an explicit mapping. To disable the SAN for UPN mapping, follow these steps:

  1. Open Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
  3. Set the DWORD value of UseSubjectAltName to 00000000.

Note: The value of UseSubjectAltName must be set on all Key Distribution Centers (KDCs) for the domain.
 

Client-side

The client-side registry setting is required in addition to the KDC setting when the following conditions are true:

  • Certificate mapping (AltSecID) is used.
  • The client certificate contains a UPN in the SAN extension of the certificate.
  • It's not desirable to use domain hints.

On the clients, follow these steps:

  1. Open Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  3. Add a DWORD value of UseSubjectAltName, and then set it to 00000000.
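
The server-side and client-side steps above, scripted in PowerShell as an added example (not part of the original KB article). The function and variable names are hypothetical, and the audit function assumes the ActiveDirectory RSAT module and PowerShell remoting to the domain controllers; it reports any KDC where the value is missing or nonzero, since the setting must be present on all of them.

```powershell
# Added example: apply and audit UseSubjectAltName = 0. Run from an elevated session.
# Registry paths and the value name come from the steps above; everything else is illustrative.
$ValueName = 'UseSubjectAltName'
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-SanUpnMappingOff {
    param([Parameter(Mandatory)][string]$KeyPath)
    # The client-side Parameters key may not exist yet, so create it if needed.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force replaces any existing value, so the result is always a DWORD of 0.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force |
        Out-Null
}

# Reads the current state; used locally or shipped to remote machines.
$ReadState = {
    param($KeyPath, $ValueName)
    $p = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = if ($p) { $p.$ValueName } else { '<not set>' }
        Disabled = [bool]($p -and $p.$ValueName -eq 0)
    }
}

function Get-KdcSanUpnMappingState {
    # Assumption: RSAT ActiveDirectory module is installed and WinRM reaches every DC.
    Import-Module ActiveDirectory -ErrorAction Stop
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock $ReadState -ArgumentList $KdcKey, $ValueName |
        Select-Object Computer, Value, Disabled
}

# On each KDC (domain controller):
#   Set-SanUpnMappingOff -KeyPath $KdcKey
# On each client that meets the three conditions listed above:
#   Set-SanUpnMappingOff -KeyPath $ClientKey
#   & $ReadState $ClientKey $ValueName
# From an admin workstation, list KDCs that still need the change:
#   Get-KdcSanUpnMappingState | Where-Object { -not $_.Disabled }
```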




Article Info
Article ID : 4043463
Revision : 7
Created on : 9/30/2018
Published on : 10/2/2018
Exists online : False