diff --git a/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch b/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch new file mode 100644 index 0000000..028814b --- /dev/null +++ b/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch @@ -0,0 +1,47 @@ +From 549a960554f44e79d74c65d9f889ccaef497b11d Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 19 Apr 2018 09:38:47 +0200 +Subject: [PATCH] MAN: Document which principal does the AD provider use +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Administrators are often confused by the difference between what +principal is used to authenticate to AD. Let's document that. + +Reviewed-by: Pavel Březina +(cherry picked from commit 91d1e4c134b7c90abd2ff86b313175c542cd834c) +--- + src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml +index c41b454f8..818a2bf78 100644 +--- a/src/man/include/ad_modified_defaults.xml ++++ b/src/man/include/ad_modified_defaults.xml +@@ -58,6 +58,22 @@ + ldap_use_tokengroups = true + + ++ ++ ++ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) ++ ++ ++ The AD provider looks for a different principal than the ++ LDAP provider by default, because in an Active Directory ++ environment the principals are divided into two groups ++ - User Principals and Service Principals. Only User ++ Principal can be used to obtain a TGT and by default, ++ computer object's principal is constructed from ++ its sAMAccountName and the AD realm. The well-known ++ host/hostname@REALM principal is a Service Principal ++ and thus cannot be used to get a TGT with. ++ ++ + + + +-- +2.14.3 + diff --git a/sssd.spec b/sssd.spec index 553c830..517cf8c 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -86,6 +86,7 @@ Patch0042: 0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch +Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch Patch0500: 0500-Revert-libwbclient-sssd-update-interface-to-version-.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -1302,6 +1303,7 @@ fi list out of bound? - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is set. +- Document which principal does the AD provider use * Fri Mar 30 2018 Fabiano Fidêncio - 1.16.1-2 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain
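Review bot: in the src/man/include/ad_modified_defaults.xml hunk, the explanation of why host/hostname@REALM cannot be used is correct, but the new paragraph needs two wording fixes and one practical hint. "Only User Principal can be used to obtain a TGT" should read "Only a user principal can be used to obtain a TGT", and "cannot be used to get a TGT with" has a dangling "with" (drop it). More useful to the administrators the commit message says are confused: the paragraph tells them that the AD provider looks for sAMAccountName@REALM (typically SHORTNAME$@REALM) but not how to check that this principal is actually available, so a keytab that only carries service principals such as host/ will make the provider fail to obtain a TGT with no obvious link back to this setting. Add one sentence after the ldap_sasl_authid line saying that the keytab sssd uses must contain a key for SHORTNAME$@REALM and that `klist -k` lists the principals present, so the value documented here can be verified directly.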
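Review bot: in the second sssd.spec hunk (the %changelog one), the new bullet "- Document which principal does the AD provider use" is appended to the existing top changelog entry, but nothing in this diff touches the Release tag or that entry's version/date header; confirm the Release was bumped (or that this entry belongs to a build that has not been released yet), otherwise Patch0046 and the changelog text ship under a release string that is already in use. Two smaller points: the neighbouring bullets cite a tracker ("- Resolves: upstream#2653" followed by the description), so if a ticket exists for this documentation fix it should be cited the same way, and the bullet copies the upstream subject's grammar; for the downstream changelog use "Document which principal the AD provider uses".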