diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 0d1a80050a3..a03b03d1034 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -680,8 +680,18 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 
 		domain_filter = NULL;
 
-		/* By getting the unparsed name here, we ensure the escaping is correct (and trust the client less) */
-		ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
+		/*
+		 * By getting the unparsed name here, we ensure the
+		 * escaping is removed correctly (and trust the client
+		 * less).  The important thing here is that a
+		 * userPrincipalName may have a space in it, and this
+		 * must not be kerberos escaped to match this filter,
+		 * so we specify KRB5_PRINCIPAL_UNPARSE_DISPLAY
+		 */
+		ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context,
+					      principal,
+					      KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+					      &unparsed_name);
 		if (ret) {
 			krb5_free_principal(smb_krb5_context->krb5_context, principal);
 			return WERR_NOMEM;