diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 84d3e16f6..db8aa2166 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1280,8 +1280,9 @@ match_ms_upn_san(krb5_context context,
 {
 hx509_octet_string_list list;
 krb5_principal principal = NULL;
- char *p;
 int ret, found = 0;
+ MS_UPN_SAN upn;
+ size_t size;
 memset(&list, 0 , sizeof(list));
@@ -1297,24 +1298,27 @@ match_ms_upn_san(krb5_context context,
 goto out;
 }
- p = malloc(list.val[0].length + 1);
- if (p == NULL) {
- kdc_log(context, config, 0,
- "More then one PK-INIT MS UPN SAN");
- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
+ if (ret) {
+ kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
+ goto out;
 }
-
- memcpy(p, list.val[0].data, list.val[0].length);
- p[list.val[0].length] = '\0';
- ret = krb5_parse_name(context, p, &principal);
- free(p);
+ kdc_log(context, config, 0, "found MS UPN SAN: %s", upn);
+ ret = krb5_parse_name(context, upn, &principal);
+ free_MS_UPN_SAN(&upn);
 if (ret) {
 kdc_log(context, config, 0, "Failed to parse principal in MS UPN SAN");
 goto out;
 }
+ /*
+ * This is very wrong, but will do for now, should really and a
+ * plugin to the windc layer to very this ACL.
+ */
+ strupr(principal->realm);
+
 if (krb5_principal_compare(context, principal, match) == TRUE)
 found = 1;
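Review bot: `size` is declared here but, in the following hunk, it is only handed to decode_MS_UPN_SAN and never read, so the number of bytes the decoder actually consumed is discarded and a SAN value with trailing bytes after the UTF8String is accepted like a clean one. Either check it right after the decode, `if (size != list.val[0].length) { ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; free_MS_UPN_SAN(&upn); goto out; }`, or drop the variable if the generated decoder accepts a NULL size pointer (I believe it does, but confirm against the asn1 output). The signature of match_ms_upn_san is above this hunk and its body continues below it.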
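Review bot: The realm taken from the certificate's UPN is trusted after nothing more than an uppercase normalisation: `strupr(principal->realm)` makes the realm comparison case-insensitive, and if krb5_parse_name fills in the KDC's default realm for a UPN with no `@` part (as it does for ordinary principal strings), a bare `user` UPN matches `user@DEFAULT-REALM`, so the new comment is right that this is provisional; at minimum a realm-less UPN should be rejected before the parse, as sketched below. The level-0 `kdc_log(context, config, 0, "found MS UPN SAN: %s", upn)` also writes the raw certificate-supplied string to the log before anything has validated it, which lets a certificate holder put arbitrary bytes into KDC log lines; logging the parsed principal after krb5_parse_name succeeds, or at a debug level, would be safer. match_ms_upn_san starts before the previous hunk and continues past the end of this one, so the `out:` cleanup is not visible here and is assumed to release `list`.
```c
    ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
    if (ret) {
        kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
        goto out;
    }
    /* A UPN with no explicit domain must not fall back to the KDC's default realm. */
    if (strchr(upn, '@') == NULL) {
        kdc_log(context, config, 0, "MS UPN SAN has no realm part");
        free_MS_UPN_SAN(&upn);
        ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
        goto out;
    }
    ret = krb5_parse_name(context, upn, &principal);
    free_MS_UPN_SAN(&upn);
    /* … unchanged: parse-failure check, strupr of the realm, principal compare … */
```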