diff --git a/src/app/clusters/door-lock-server/door-lock-server.cpp b/src/app/clusters/door-lock-server/door-lock-server.cpp
index 757063b5f173af..f63248d022676b 100644
--- a/src/app/clusters/door-lock-server/door-lock-server.cpp
+++ b/src/app/clusters/door-lock-server/door-lock-server.cpp
@@ -1367,18 +1367,29 @@ chip::FabricIndex DoorLockServer::getFabricIndex(const chip::app::CommandHandler
 chip::NodeId DoorLockServer::getNodeId(const chip::app::CommandHandler * commandObj)
 {
+ // TODO: Why are we doing all these checks? At all the callsites we have
+ // just received a command, so we better have a handler, exchange, session,
+ // etc. The only thing we should be checking is that it's a CASE session.
 if (nullptr == commandObj || nullptr == commandObj->GetExchangeContext())
 {
 ChipLogError(Zcl, "Cannot access ExchangeContext of Command Object for Node ID");
 return kUndefinedNodeId;
 }
- auto secureSession = commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession();
- if (nullptr == secureSession)
+ if (!commandObj->GetExchangeContext()->HasSessionHandle())
 {
- ChipLogError(Zcl, "Cannot access Secure session handle of Command Object for Node ID");
+ ChipLogError(Zcl, "Cannot access session of Command Object for Node ID");
+ return kUndefinedNodeId;
+ }
+
+ auto descriptor = commandObj->GetExchangeContext()->GetSessionHandle()->GetSubjectDescriptor();
+ if (descriptor.authMode != Access::AuthMode::kCase)
+ {
+ ChipLogError(Zcl, "Cannot get Node ID from non-CASE session of Command Object");
+ return kUndefinedNodeId;
 }
- return secureSession->GetPeerNodeId();
+
+ return descriptor.subject;
 }
 bool DoorLockServer::userIndexValid(chip::EndpointId endpointId, uint16_t userIndex)
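Review bot: getNodeId now returns kUndefinedNodeId for three distinct conditions (no exchange context, no session handle, and a non-CASE session), and nothing at the function tells callers that a perfectly valid command can still yield an undefined Node ID. The call sites are outside this hunk, so a contract comment above the signature would help, for example `// Returns the peer Node ID only for CASE-authenticated sessions; kUndefinedNodeId otherwise. Callers must check for kUndefinedNodeId before attributing an operation to a node.` The non-CASE branch is presumably reachable by ordinary peer traffic rather than by an internal fault, so `ChipLogError` there may be louder than intended; `ChipLogProgress` would keep genuine errors distinguishable in the log. As a readability point, the three `commandObj->GetExchangeContext()` calls could share one local, e.g. `auto * exchange = commandObj->GetExchangeContext();` placed after the null check on `commandObj`.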