diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 5242bb1dd3..6fdb30ec05 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1861,6 +1861,13 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey)
     }
 
     if (!r->client->entry.flags.synthetic) {
+	char *cpn = NULL;
+
+	krb5_unparse_name(r->context, r->client->entry.principal, &cpn);
+	_kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s",
+			     cpn ? cpn : "<unknown>");
+	krb5_xfree(cpn);
+
 	ret = _kdc_pac_add_canon_name_buffer(r->context, p,
 					     r->client_princ,
 					     r->client->entry.principal);
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index e714cdd3aa..e82619e0fb 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -806,6 +806,13 @@ tgs_make_reply(astgs_request_t r,
      */
     if (mspac && !et.flags.anonymous) {
 	if (r->client_princ) {
+	    char *cpn = NULL;
+
+	    krb5_unparse_name(r->context, r->client_princ, &cpn);
+	    _kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s",
+			     cpn ? cpn : "<unknown>");
+	    krb5_xfree(cpn);
+
 	    ret = _kdc_pac_add_canon_name_buffer(r->context, mspac,
 						 tgt_name, /* client from TGT */
 						 r->client_princ); /* client from PAC */