diff --git a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
index 1f43c088bc..d5269a4d46 100644
--- a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
+++ b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
@@ -732,6 +732,12 @@ property_descriptions = {
 multivalue=True,
 copyable=True,
 ),
+ 'kerberosPrinciple': univention.admin.property(
+ short_description=_('Kerberos principal'),
+ long_description=_('FIXME'),
+ syntax=univention.admin.syntax.string,
+ copyable=True,
+ ),
 }
 default_property_descriptions = copy.deepcopy(property_descriptions) # for later reset of descriptions
@@ -1187,6 +1193,11 @@ def unmapWindowsFiletime(old):
 return ''
+def unmapKerberosPrincipalName(old):
+ if old and old[0]:
+ return old[0].rsplit('@', 1)[0]
+
+
 mapping = univention.admin.mapping.mapping()
 mapping.register('username', 'uid', None, univention.admin.mapping.ListToString)
 mapping.register('uidNumber', 'uidNumber', None, univention.admin.mapping.ListToString)
@@ -1239,6 +1250,7 @@ mapping.register('userCertificate', 'userCertificate;binary', univention.admin.m
 mapping.register('jpegPhoto', 'jpegPhoto', univention.admin.mapping.mapBase64, univention.admin.mapping.unmapBase64)
 mapping.register('umcProperty', 'univentionUMCProperty', mapKeyAndValue, unmapKeyAndValue)
 mapping.register('lockedTime', 'sambaBadPasswordTime', mapWindowsFiletime, unmapWindowsFiletime)
+mapping.register('kerberosPrinciple', 'krb5PrincipalName', univention.admin.mapping.dontMap(), unmapKerberosPrincipalName)
 mapping.registerUnmapping('sambaRID', unmapSambaRid)
 mapping.registerUnmapping('passwordexpiry', unmapPasswordExpiry)
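Review bot: The new property key in the `property_descriptions` hunk is spelled `'kerberosPrinciple'` while its own label reads "Kerberos principal", and `long_description=_('FIXME')` is still a placeholder. A UDM property name is what scripts and API clients will reference, so the misspelling becomes hard to correct once released; I would rename it to `'kerberosPrincipal'` here, in the `mapping.register` line, and in the two methods changed further down. For the help text, something like `long_description=_('Local part of the Kerberos principal; the realm is appended automatically. Defaults to the username.')` matches what the visible unmap function and the `+ '@' + realm` code do.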
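Review bot: `unmapKerberosPrincipalName` falls off the end and returns `None` when `old` is empty or its first value is empty, whereas the neighbouring `unmapWindowsFiletime` visibly ends in `return ''`. An explicit `return ''` after the `if` keeps the unmapped value a string, which matters because the principal code later concatenates it with `'@' + realm`. The function also lacks a docstring; I would add `"""Return the local part of the first krb5PrincipalName value (everything before the last '@')."""`. If LDAP values can arrive here as bytes, `rsplit('@', 1)` with a str separator would raise, so the input type is worth confirming.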
@@ -1596,7 +1608,7 @@ class object(univention.admin.handlers.simpleLdap):
 realm = domain.getKerberosRealm()
 if not realm:
 raise univention.admin.uexceptions.noKerberosRealm()
- return self['username'] + '@' + realm
+ return self.get('kerberosPrinciple', self['username']) + '@' + realm
 def _check_uid_gid_uniqueness(self):
 if not configRegistry.is_true("directory/manager/uid_gid/uniqueness", True):
@@ -1787,7 +1799,7 @@ class object(univention.admin.handlers.simpleLdap):
 return ml
 def _modlist_krb_principal(self, ml):
- if not self.exists() or self.hasChanged('username'):
+ if not self.exists() or self.hasChanged(['username', 'kerberosPrinciple']):
 ml.append(('krb5PrincipalName', self.oldattr.get('krb5PrincipalName', []), [self.krb5_principal()]))
 return ml
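Review bot: The new `return self.get('kerberosPrinciple', self['username']) + '@' + realm` falls back to the username only when the key is absent, so a property that is present but empty yields a bare `'@' + realm` or a TypeError on `None`. As far as the visible mapping shows, the property is always unmapped from `krb5PrincipalName` on an existing object, so after a username change this still returns the old local part and the principal no longer follows the rename, which it did before this commit. The sketch below treats an unchanged value equal to the old username as "not overridden"; the method's `def` line and the realm lookup start above the hunk. The same applies to `_modlist_krb_principal` in the last hunk, whose condition fires on a rename but would then write back the old value.

```python
		# … unchanged: realm lookup and noKerberosRealm check …
		principal = self['kerberosPrinciple']
		# A value that was only unmapped from LDAP and still equals the old
		# username is not an explicit override: keep following the username.
		overridden = self.hasChanged('kerberosPrinciple') or principal != self.oldinfo.get('username')
		if not principal or not overridden:
			principal = self['username']
		return principal + '@' + realm
```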
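Review bot: With `'kerberosPrinciple'` added to the `hasChanged` check in `_modlist_krb_principal`, a free-form `syntax.string` value is now written straight into `krb5PrincipalName`, and no validation or uniqueness check is visible on this path. Anyone permitted to edit the property could set a local part that equals another account's or a service's principal, or one containing `@` or `/`, leaving two entries that claim the same Kerberos identity. I would give the property a dedicated syntax that rejects those characters, and before appending to `ml` verify that no other entry already holds the resulting `krb5PrincipalName`, failing the modification otherwise. If that is enforced elsewhere (an overlay or ACL), a comment such as `# uniqueness of krb5PrincipalName is enforced by <mechanism>` would make that explicit.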