How to disable the Subject Alternative Name for UPN mapping

Published: March 16, 2010

Updated: May 5, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

User Principal Name (UPN) mapping is a special case of one-to-one mapping used in Active Directory. In Windows Server® 2008 R2, it is possible to turn off UPN mapping on a domain and use other explicit mapping by disabling the Subject Alternative Name (SAN) through the Registry Editor.

This setting is typically used when the deployed client certificate contains a SAN extension with a value you wish to ignore in favor of an explicit mapping.

Disabling the SAN for UPN mapping

  1. Open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.

  3. Change the value of the DWORD UseSubjectAltName to 00000000.

    Note
    The value of UseSubjectAltName needs to be set on all KDCs for the domain.
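As an added example (not part of the original article), the following PowerShell script audits, and with -Apply sets, the UseSubjectAltName value under the Kdc key on every domain controller in the domain, since the note above requires the value to be consistent on all KDCs. It assumes the ActiveDirectory module is installed and PowerShell remoting is enabled to the domain controllers; run it without -Apply first to see the current state.

```powershell
# Added example, not Microsoft's code: audit or set UseSubjectAltName on every
# KDC (domain controller) in the domain. Assumes the ActiveDirectory module and
# PowerShell remoting to each DC. Without -Apply the script only reports.
param(
    [switch]$Apply
)

Import-Module ActiveDirectory

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'UseSubjectAltName'

# Every domain controller runs the KDC service, so enumerate all of them.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $kdcKey, $valueName, $Apply.IsPresent -ScriptBlock {
    param($key, $name, $apply)

    # Read the current DWORD; $null means the value has never been created.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($apply -and $current -ne 0) {
        if ($null -eq $current) {
            New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord | Out-Null
        } else {
            Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        }
        # Re-read so the report shows what is actually stored now.
        $current = (Get-ItemProperty -Path $key -Name $name).$name
    }

    [pscustomobject]@{
        KDC               = $env:COMPUTERNAME
        UseSubjectAltName = $(if ($null -eq $current) { 'not set' } else { $current })
        SanUpnMappingOff  = ($current -eq 0)
    }
}

$results | Sort-Object KDC | Format-Table KDC, UseSubjectAltName, SanUpnMappingOff -AutoSize

# A mixed state means logon behaviour depends on which KDC the client reaches,
# so flag any DC that still honours the SAN for UPN mapping.
$inconsistent = @($results | Where-Object { -not $_.SanUpnMappingOff })
if ($inconsistent.Count -gt 0) {
    Write-Warning ("{0} KDC(s) still have UseSubjectAltName enabled." -f $inconsistent.Count)
}
```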

Additional Information

For a clearer understanding of SAN and UPN mapping:

  • Refer to Smart card logon flow found in Windows Vista and Windows 7 in the article, Certificate Enumeration on Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkId=186251).

  • Refer to the Smart card logon flow found in Windows Vista Smart Card Infrastructure on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=111969).



Community Content

SpatDSG
Client side settings
In addition, you may need to enable X509user hints - see http://blogs.msdn.com/b/spatdsg/archive/2010/06/14/howto_3a00_-disable-upn-mapping-for-smartcard-logon.aspx for more information end to end.

UPDATE 8/2/2010 : Client reg keys may not be needed. KDC and domain hints should suffice

KEY = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Type = DWORD
Value Name = UseSubjectAltName
Value Data = 0
