How to disable the Subject Alternative Name for UPN mapping
Published: March 16, 2010
Updated: May 5, 2010
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
User Principal Name (UPN) mapping is a special case of one-to-one mapping used in Active Directory. In Windows Server® 2008 R2, it is possible to turn off UPN mapping on a domain and use other explicit mapping by disabling the Subject Alternative Name (SAN) through the Registry Editor.
This setting is typically used when the deployed client certificate contains a SAN extension with a value you wish to ignore in favor of an explicit mapping.
Open the Registry Editor
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
Change the value of the DWORD UseSubjectAltName to 00000000.
Note The value of UseSubjectAltName needs to be set on all KDCs for the domain.
For a clearer understanding of SAN and UPN mapping:
Refer to Smart card logon flow found in Windows Vista and Windows 7 in the article, Certificate Enumeration on Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkId=186251).
Refer to the Smart card logon flow found in Windows Vista Smart Card Infrastructure on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=111969).