How to disable the subject alternative name for UPN mapping in Windows Server

Applies to: Windows 10, version 1809; Windows Server 2019, all versions; Windows Server 2016

Summary

User principal name (UPN) mapping is a special case of one-to-one mapping that is used in Active Directory Domain Services (AD DS). This article describes the steps to turn off UPN mapping on a domain, so that another explicit mapping can be used instead, by disabling the subject alternative name (SAN) through Registry Editor.

More information

Server-side

This setting is typically used when the deployed client certificate contains a SAN extension that has a value that you want to ignore in favor of an explicit mapping. To disable the SAN for UPN mapping, follow these steps:

  1. Open Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
  3. Set the DWORD value of UseSubjectAltName to 00000000.

Note: The value of UseSubjectAltName must be set on all key distribution centers (KDCs) for the domain, otherwise a KDC that still has the default setting will continue to honor the UPN in the SAN.

Client-side

The client-side registry setting is required in addition to the KDC setting when the following conditions are true:

  • Certificate mapping (AltSecID) is used.
  • The client certificate contains a UPN in the SAN extension of the certificate.
  • It's not desirable to use domain hints.

On the clients, follow these steps:

  1. Open Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  3. Add a DWORD value of UseSubjectAltName, and then set it to 00000000.
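The server-side and client-side settings above, as an added PowerShell example that is not part of the original article: it reports the current UseSubjectAltName value on every domain controller in the domain (the article requires the KDC value on all of them) and, optionally, on the local client, and sets it to 0 where it is missing or different. It assumes the RSAT ActiveDirectory module and PowerShell Remoting to the domain controllers; run it with -WhatIf to audit only.

```powershell
# Added example, not from the original article. Audits or sets UseSubjectAltName = 0
# on every KDC in the domain and, with -IncludeLocalClient, on this machine as well.
# Assumes: RSAT ActiveDirectory module installed, PS Remoting allowed to all DCs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$IncludeLocalClient
)

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'UseSubjectAltName'

# Runs on each target: reads the current value (or $null if absent) and,
# when $Apply is true, creates/sets the DWORD to 0.
$setBlock = {
    param($Key, $Name, $Apply)
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($Apply -and $current -ne 0) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
        $current = 0
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Key = $Key; Value = $current }
}

Import-Module ActiveDirectory

# Enumerate every DC so no KDC is left with the default (SAN-honoring) behaviour.
$dcs   = @((Get-ADDomainController -Filter *).HostName)
$apply = $PSCmdlet.ShouldProcess("$($dcs.Count) domain controller(s)", "Set $valueName = 0")
$results = @(Invoke-Command -ComputerName $dcs -ScriptBlock $setBlock `
    -ArgumentList $kdcKey, $valueName, $apply)

if ($IncludeLocalClient) {
    # The client value lives under a different key (Lsa\Kerberos\Parameters).
    $applyLocal = $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set client $valueName = 0")
    $results += & $setBlock $clientKey $valueName $applyLocal
}

# Any host whose value is not 0 (including missing) still maps on the SAN UPN.
$results | Format-Table Computer, Key, Value -AutoSize
$results | Where-Object { $_.Value -ne 0 } | ForEach-Object {
    Write-Warning "$($_.Computer): $valueName is not 0 under $($_.Key)"
}
```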