diff -Nur univention-ad-connector-5.0.6.orig/conffiles/etc/univention/connector/ad/mapping.py univention-ad-connector-5.0.6/conffiles/etc/univention/connector/ad/mapping.py
--- univention-ad-connector-5.0.6.orig/conffiles/etc/univention/connector/ad/mapping.py 2010-08-19 13:43:18.000000000 +0200
+++ univention-ad-connector-5.0.6/conffiles/etc/univention/connector/ad/mapping.py 2010-10-27 08:28:19.000000000 +0200
@@ -98,7 +98,8 @@
 univention.connector.set_primary_group_user ],
- post_con_modify_functions=[ univention.connector.ad.password.password_sync_ucs,
+ post_con_modify_functions=[ univention.connector.ad.set_userPrincipalName_from_ucr,
+ univention.connector.ad.password.password_sync_ucs,
 univention.connector.ad.primary_group_sync_from_ucs,
 univention.connector.ad.object_memberships_sync_from_ucs,
 univention.connector.ad.disable_user_from_ucs,
diff -Nur univention-ad-connector-5.0.6.orig/debian/univention-ad-connector.univention-config-registry-variables univention-ad-connector-5.0.6/debian/univention-ad-connector.univention-config-registry-variables
--- univention-ad-connector-5.0.6.orig/debian/univention-ad-connector.univention-config-registry-variables 2010-08-19 13:43:10.000000000 +0200
+++ univention-ad-connector-5.0.6/debian/univention-ad-connector.univention-config-registry-variables 2010-10-27 08:38:57.000000000 +0200
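Review bot: In mapping.py the new hook is placed first in `post_con_modify_functions`, ahead of `password_sync_ucs` and `disable_user_from_ucs`, so any error it raises happens before the password and account-disable syncs run. The loop that calls these hooks is not part of this diff; if it stops at the first exception, a failed userPrincipalName write could keep a password change or an account disable from reaching AD. I would append `univention.connector.ad.set_userPrincipalName_from_ucr` after `univention.connector.ad.disable_user_from_ucs,` instead, or have the new function catch and log its own LDAP errors. The list continues outside the hunk.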
@@ -117,3 +117,9 @@
 Description[en]=
 Type=str
 Categories=service-adcon
+
+[con.*/ad/mapping/kerberosdomain]
+Description[de]=Kerberos-Domain für Windows 2008 Accounts (ergibt mit dem UCS-Benutzernamen den AD Kerberos Principal sofern dieser noch nicht gesetzt ist).
+Description[en]=
+Type=str
+Categories=service-adcon
diff -Nur univention-ad-connector-5.0.6.orig/modules/univention/connector/ad/__init__.py univention-ad-connector-5.0.6/modules/univention/connector/ad/__init__.py
--- univention-ad-connector-5.0.6.orig/modules/univention/connector/ad/__init__.py 2010-08-19 13:43:18.000000000 +0200
+++ univention-ad-connector-5.0.6/modules/univention/connector/ad/__init__.py 2010-10-27 09:24:05.000000000 +0200
@@ -71,6 +71,9 @@
 def disable_user_from_ucs(connector, key, object):
 return connector.disable_user_from_ucs(key, object)
+def set_userPrincipalName_from_ucr(connector, key, object):
+ return connector.set_userPrincipalName_from_ucr(key, object)
+
 def disable_user_to_ucs(connector, key, object):
 return connector.disable_user_to_ucs(key, object)
@@ -1429,6 +1432,24 @@
 else:
 pass
+ def set_userPrincipalName_from_ucr(self, key, object):
+ object_key = key
+ object_ucs = self._object_mapping(object_key,object)
+ ldap_object_ad = self.get_object(object['dn'])
+
+ ucs_admin_object=univention.admin.objects.get(self.modules[object_key], co='', lo=self.lo, position='', dn=object_ucs['dn'])
+ ucs_admin_object.open()
+
+ if self.baseConfig.has_key('%s/ad/mapping/kerberosdomain' % self.CONFIGBASENAME) and not ldap_object_ad.has_key('userPrincipalName'):
+ principalDomain = self.baseConfig['%s/ad/mapping/kerberosdomain' % self.CONFIGBASENAME]
+ localPart = ucs_admin_object['username']
+ userPrincipalName = "%s@%s" % (localPart, principalDomain)
+ modlist=[(ldap.MOD_REPLACE, 'userPrincipalName', [userPrincipalName])]
+ ud.debug(ud.LDAP, ud.INFO, "set_userPrincipalName_from_ucr: set kerberos principle %s for AD user %s with modlist %s " %
+ (userPrincipalName, object['dn'], modlist) )
+ self.lo_ad.lo.modify_s(compatible_modstring(object['dn']), compatible_modlist(modlist))
+
+
 def disable_user_from_ucs(self, key, object):
 object_key = key
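Review bot: `set_userPrincipalName_from_ucr` maps the object, opens the UCS admin object and reads the AD entry before it checks whether the `kerberosdomain` variable is set, so every user modification pays for those lookups, and can fail in them, even when the feature is off. The configured value is also used unchecked: a blank setting is written to AD as `<username>@`, and `ldap_object_ad.has_key(...)` would raise if `get_object` returns nothing for the DN (its behaviour on a miss is not visible here). Because userPrincipalName is a logon identifier, I would test the variable first, reject an empty domain and guard the AD lookup, as in the excerpt below. The debug message says "principle" where "principal" is meant. The method is complete within the hunk; its enclosing class is not.

```python
def set_userPrincipalName_from_ucr(self, key, object):
    ucr_key = '%s/ad/mapping/kerberosdomain' % self.CONFIGBASENAME
    if not self.baseConfig.has_key(ucr_key):
        return
    principalDomain = self.baseConfig[ucr_key].strip()
    if not principalDomain:
        # a blank setting would otherwise be written to AD as "<username>@"
        return

    ldap_object_ad = self.get_object(object['dn'])
    if not ldap_object_ad or ldap_object_ad.has_key('userPrincipalName'):
        return

    # ... unchanged: _object_mapping(), univention.admin.objects.get(), open() ...
    # ... unchanged: build userPrincipalName and modlist, ud.debug(), modify_s() ...
```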