diff --git a/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs b/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
index f6140393cc..6c729fd762 100644
--- a/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
+++ b/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
@@ -105,7 +105,8 @@ namespace Microsoft.AspNet.IISPlatformHandler
 if (_options.AutomaticAuthentication)
 {
- var existingPrincipal = httpContext.User;
+ // Don't get it from httpContext.User, that always returns a non-null anonymous user by default.
+ var existingPrincipal = httpContext.Features.Get()?.User;
 if (existingPrincipal != null)
 {
 httpContext.User = SecurityHelper.MergeUserPrincipal(existingPrincipal, winPrincipal);
diff --git a/test/TestSites/StartupNtlmAuthentication.cs b/test/TestSites/StartupNtlmAuthentication.cs
index f007cd9c00..f950786272 100644
--- a/test/TestSites/StartupNtlmAuthentication.cs
+++ b/test/TestSites/StartupNtlmAuthentication.cs
@@ -2,10 +2,12 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
+using System.Security.Principal;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
 using Microsoft.Extensions.Logging;
+using Xunit;
 namespace TestSites
 {
@@ -47,6 +49,7 @@ namespace TestSites
 {
 if (context.User.Identity.IsAuthenticated)
 {
+ Assert.IsType(context.User);
 return context.Response.WriteAsync(context.User.Identity.AuthenticationType);
 }
 else
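Review bot: In the IISPlatformHandlerMiddleware.cs hunk, the new comment above `existingPrincipal` says where not to read the user from, but not what goes wrong if you do. This lookup decides whether the Windows principal is merged or used as-is, so the comment should spell that out, e.g. `// httpContext.User substitutes an anonymous principal when none was set, so a null check on it never fails and the merge below would always run; read the authentication feature to see whether an earlier component really set a user.` A principal that earlier middleware set explicitly but left unauthenticated still takes the merge path. Whether `SecurityHelper.MergeUserPrincipal` filters such identities is not visible here and is worth confirming. The type argument to `Get` does not appear in this rendering, and the `if (_options.AutomaticAuthentication)` block continues past the end of the hunk, so the non-merge branch could not be checked.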
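Review bot: In the last StartupNtlmAuthentication.cs hunk, `Assert.IsType(context.User);` runs inside the site's request handler, so a failure throws in the server process. The test client would presumably see only an error response rather than a message naming the unexpected principal type. Reporting the type back to the client and asserting there would be easier to diagnose, for instance writing `context.User.GetType().FullName` into the response or a header and checking it in the test. That would also drop the `using Xunit;` dependency the previous hunk adds to the site project. The check covers only the case where no user was set earlier; the merge path changed in the middleware has no visible test here. The handler body starts and ends outside the hunk, and the type argument of `IsType` is not visible in this rendering.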