diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index bf0a158a159..8454eef32a0 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -198,6 +198,8 @@ NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,
 NTTIME gensec_child_expire_time(struct gensec_security *gensec_security);
 const char *gensec_child_final_auth_type(struct gensec_security *gensec_security);
 
+char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_security,
+					   TALLOC_CTX *mem_ctx);
 NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security);
 
 #endif /* __GENSEC_H__ */
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 611727d2fcd..0c7688d33d2 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -341,6 +341,24 @@ const char *gensec_child_final_auth_type(struct gensec_security *gensec_security
 	return gensec_final_auth_type(gensec_security->child_security);
 }
 
+char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_security,
+					   TALLOC_CTX *mem_ctx)
+{
+	const char *target_principal = gensec_get_target_principal(gensec_security);
+	const char *service = gensec_get_target_service(gensec_security);
+	const char *hostname = gensec_get_target_hostname(gensec_security);
+
+	if (target_principal != NULL) {
+		return talloc_strdup(mem_ctx, target_principal);
+	} else if (service != NULL && hostname != NULL) {
+		return talloc_asprintf(mem_ctx, "%s/%s", service, hostname);
+	} else if (hostname != NULL) {
+		return talloc_strdup(mem_ctx, target_principal);
+	}
+
+	return NULL;
+}
+
 NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
 {
 	struct cli_credentials *creds = gensec_get_credentials(gensec_security);