
How to disable the Subject Alternative Name for UPN mapping

Published: March 16, 2010

Updated: May 5, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

User Principal Name (UPN) mapping is a special case of one-to-one mapping used in Active Directory. In Windows Server® 2008 R2, you can turn off UPN mapping for a domain and use an explicit mapping instead by disabling use of the Subject Alternative Name (SAN) in the registry.

This setting is typically used when the deployed client certificate contains a SAN extension with a value you wish to ignore in favor of an explicit mapping.

  1. Open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.

  3. Change the value of the DWORD UseSubjectAltName to 00000000.

    The value of UseSubjectAltName needs to be set on all KDCs for the domain.
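
One way to check, and optionally apply, the setting from the steps above on every KDC in the domain. This is an added PowerShell example, not part of the original article; it assumes the ActiveDirectory module and PowerShell remoting to each domain controller, and the `-Apply` switch and `IsZero` column are names chosen for this example.

```powershell
# Added example: report (and with -Apply, set) UseSubjectAltName on every KDC.
# Assumptions: ActiveDirectory module, PowerShell remoting enabled on each DC.
param(
    [switch]$Apply   # hypothetical switch; without it the script is read-only
)

Import-Module ActiveDirectory

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'UseSubjectAltName'

# Every domain controller hosts a KDC, so enumerate all of them.
$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

$results = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop `
            -ArgumentList $kdcKey, $valueName, $Apply.IsPresent -ScriptBlock {
            param($key, $name, $apply)
            if ($apply) {
                # -Force creates the DWORD if missing or overwrites it if present.
                New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                    -Value 0 -Force | Out-Null
            }
            # Read the value back; $null means it does not exist on this KDC.
            $current = (Get-ItemProperty -Path $key -Name $name `
                -ErrorAction SilentlyContinue).$name
            New-Object PSObject -Property @{
                KDC               = $env:COMPUTERNAME
                UseSubjectAltName = $(if ($null -eq $current) { '<not set>' } else { $current })
                IsZero            = ($current -eq 0)
            }
        }
    }
    catch {
        # An unreachable KDC is reported, not skipped: the setting must be on all KDCs.
        New-Object PSObject -Property @{
            KDC = $dc; UseSubjectAltName = "<error: $($_.Exception.Message)>"; IsZero = $false
        }
    }
}

$results | Select-Object KDC, UseSubjectAltName, IsZero | Format-Table -AutoSize

# Exit non-zero if any KDC is not at 0, so the script can gate a scheduled check.
if ($results | Where-Object { -not $_.IsZero }) { exit 1 }
```

Run it without `-Apply` first to see which KDCs differ. A KDC that reports `<not set>` or an error still needs attention, because a single KDC without the value keeps the setting from being uniform across the domain.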

For a clearer understanding of SAN and UPN mapping:

  • Refer to the smart card logon flow for Windows Vista and Windows 7 in the article Certificate Enumeration on Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkId=186251).

  • Refer to the smart card logon flow in Windows Vista Smart Card Infrastructure on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=111969).


© 2015 Microsoft