05-07-2019 03:00 PM
@Josh Nicholson When using the kerberos-provider via the login-identity-providers.xml file, the user's full Kerberos principal is going to be used every time. You can ignore the "default realm" property in the kerberos-provider (NiFi's code does not actually use it right now --> https://jira.apache.org/jira/browse/NIFI-6224 ). So when a user enters a username that does not include the "@<realm>" portion, the default realm as configured in the krb5.conf file configured in the nifi.properties file is used. That full DN is then passed through your configured identity.mapping.patterns. This means you need to have a pattern that matches on:

^(.*?)@(.*?)$

And a resulting value of:

$1

so that only the username portion is then passed on to your configured authorizer.

In the case of some users coming in with just a username and others with full principal names... Those users coming in with just usernames must not be getting authenticated using the login provider. Even with a login provider configured, the default TLS/SSL authentication is attempted first. So if these users have a trusted client certificate loaded in their browser, it will be presented for authentication to your NiFi and those users will never see the login window. From a user certificate, the full DN will be used to identify the user. That full DN is likely matching on your existing mapping pattern, resulting in just the username you are seeing. So it is important that you not remove this existing mapping pattern, but instead add a second:

nifi.security.identity.mapping.pattern.<any string>
nifi.security.identity.mapping.value.<any string>

Patterns are searched in alphanumeric order. The first matching regex will be applied.

Thank you,
Matt
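As an added illustration of the mapping behaviour described in the reply above (example code written for this page, not NiFi's own code and not part of Matt's answer): a small Python model that reads identity mapping pattern/value pairs from a constructed nifi.properties fragment, orders them by key, and applies the first match to both a certificate DN and a Kerberos principal. The DN pattern and the key names `dn` and `kerb` are assumptions; Python's `re` is used in place of Java's regex engine.

```python
import re

# Constructed nifi.properties fragment (example values). "dn" stands in for the
# existing certificate-DN mapping; "kerb" is the principal mapping the post adds.
NIFI_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""
PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."

def load_mappings(properties_text):
    """Return [(key, compiled_regex, replacement)] sorted by key, mirroring the
    alphanumeric search order the post describes (first match wins)."""
    patterns, values = {}, {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, val = line.partition("=")
        if name.startswith(PATTERN_PREFIX):
            patterns[name[len(PATTERN_PREFIX):]] = val
        elif name.startswith(VALUE_PREFIX):
            values[name[len(VALUE_PREFIX):]] = val
    mappings = []
    for key in sorted(patterns):
        if key not in values:
            continue  # a pattern with no matching value cannot be applied
        # NiFi values use Java-style $1; translate to Python's \g<1> for expand()
        py_value = re.sub(r"\$(\d+)", r"\\g<\1>", values[key])
        mappings.append((key, re.compile(patterns[key]), py_value))
    return mappings

def map_identity(identity, mappings):
    """Apply the first pattern that matches; return (mapped_identity, key)."""
    for key, regex, value in mappings:
        m = regex.match(identity)
        if m:
            return m.expand(value), key
    return identity, None  # no pattern matched: identity passes through unchanged

if __name__ == "__main__":
    for ident in ("CN=alice, OU=users, O=Example, L=Springfield, ST=IL, C=US", "bob@EXAMPLE.COM", "carol"):
        print(ident, "->", map_identity(ident, load_mappings(NIFI_PROPERTIES)))
```

Keying the principal pattern so that it sorts before the DN pattern would change which rule fires for a DN whose CN contains an "@", which is why the key names matter.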