diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 1ffbcc659..933d0d17f 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1053,6 +1053,7 @@ _kdc_as_rep(krb5_context context,
 ret = _kdc_pk_check_client(context,
 config,
+ clientdb,
 client,
 pkp,
 &client_cert);
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index d73224fe5..0d00ef217 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1615,11 +1615,12 @@ match_ms_upn_san(krb5_context context,
 krb5_kdc_configuration *config,
 hx509_context hx509ctx,
 hx509_cert client_cert,
- krb5_const_principal match)
+ HDB *clientdb,
+ hdb_entry_ex *client)
 {
 hx509_octet_string_list list;
 krb5_principal principal = NULL;
- int ret, found = 0;
+ int ret;
 MS_UPN_SAN upn;
 size_t size;
@@ -1653,32 +1654,32 @@ match_ms_upn_san(krb5_context context,
 goto out;
 }
- /*
- * This is very wrong, but will do for now, should really and a
- * plugin to the windc layer to very this ACL.
- */
- strupr(principal->realm);
-
- if (krb5_principal_compare(context, principal, match) == TRUE)
- found = 1;
+ if (clientdb->hdb_check_pkinit_ms_upn_match) {
+ ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
+ } else {
+
+ /*
+ * This is very wrong, but will do for a fallback
+ */
+ strupr(principal->realm);
+
+ if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
+ ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ }
 out:
 if (principal)
 krb5_free_principal(context, principal);
 hx509_free_octet_string_list(&list);
- if (ret)
- return ret;
- if (!found)
- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
-
- return 0;
+ return ret;
 }
 krb5_error_code
 _kdc_pk_check_client(krb5_context context,
 krb5_kdc_configuration *config,
- const hdb_entry_ex *client,
+ HDB *clientdb,
+ hdb_entry_ex *client,
 pk_client_params *cp,
 char **subject_name)
 {
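Review bot: In the fallback `else` branch of match_ms_upn_san (hunk at 1653), `ret` is only assigned on a mismatch, so a successful krb5_principal_compare returns whatever `ret` held from the code before `goto out;`, which lies outside the hunk; the removed code tracked the outcome explicitly with `found = 0` and returned 0 only after that check. Set the success value explicitly, e.g. `ret = 0;` before the `if`, or add `else ret = 0;`, so acceptance of a PKINIT UPN login does not depend on an earlier call having happened to leave `ret` at zero. The same applies to `int ret;` in the hunk at 1615, which no longer carries an initial value; declaring it `krb5_error_code ret = 0;` would also match the type of the new hdb_check_pkinit_ms_upn_match hook, whose result is now returned unchanged.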
@@ -1747,7 +1748,8 @@ _kdc_pk_check_client(krb5_context context,
 ret = match_ms_upn_san(context,
 config,
 kdc_identity->hx509ctx,
 cp->cert,
- client->entry.principal);
+ clientdb,
+ client);
 if (ret == 0) {
 kdc_log(context, config, 5, "Found matching MS UPN SAN in certificate");
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index f490dbf2f..8eba864fd 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -220,9 +220,14 @@ typedef struct HDB{
 * Check is delegation is allowed.
 */
 krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
+
+ /**
+ * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
+ */
+ krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
 }HDB;
-#define HDB_INTERFACE_VERSION 5
+#define HDB_INTERFACE_VERSION 6
 struct hdb_so_method {
 int version;
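Review bot: The new hdb_check_pkinit_ms_upn_match slot in hdb.h documents what it checks but not its return contract, while match_ms_upn_san returns the hook's result unchanged and _kdc_pk_check_client treats 0 as a matching MS UPN SAN; a backend that returns 0 without confirming the alias therefore authenticates the certificate holder as `client`. Spell that out in the doc comment, e.g. `Return 0 only when the principal is a confirmed alias for client, KRB5_KDC_ERR_CLIENT_NAME_MISMATCH otherwise; backends that do not implement this leave the pointer NULL and the KDC falls back to upper-casing the SAN realm and comparing principals.` Also `userPrinicpalName` in the comment is misspelled (`userPrincipalName`). The NULL check in the caller presumes backends zero-initialise their HDB struct or are rebuilt against interface version 6, which is worth confirming for out-of-tree backends.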