diff --git a/src/Servers/HttpSys/ref/Microsoft.AspNetCore.Server.HttpSys.netcoreapp.cs b/src/Servers/HttpSys/ref/Microsoft.AspNetCore.Server.HttpSys.netcoreapp.cs
index f25f75f41f..642c31fc91 100644
--- a/src/Servers/HttpSys/ref/Microsoft.AspNetCore.Server.HttpSys.netcoreapp.cs
+++ b/src/Servers/HttpSys/ref/Microsoft.AspNetCore.Server.HttpSys.netcoreapp.cs
@@ -15,6 +15,7 @@ namespace Microsoft.AspNetCore.Server.HttpSys
 {
 internal AuthenticationManager() { }
 public bool AllowAnonymous { get { throw null; } set { } }
+ public bool AutomaticAuthentication { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute]set { } }
 public Microsoft.AspNetCore.Server.HttpSys.AuthenticationSchemes Schemes { get { throw null; } set { } }
 }
 [System.FlagsAttribute]
diff --git a/src/Servers/HttpSys/src/AuthenticationManager.cs b/src/Servers/HttpSys/src/AuthenticationManager.cs
index 29f5a3495a..9b54f0ab0f 100644
--- a/src/Servers/HttpSys/src/AuthenticationManager.cs
+++ b/src/Servers/HttpSys/src/AuthenticationManager.cs
@@ -45,12 +45,22 @@ namespace Microsoft.AspNetCore.Server.HttpSys
 }
 }
 
+ ///
+ /// Indicates if anonymous requests will be surfaced to the application or challenged by the server.
+ /// The default value is true.
+ ///
 public bool AllowAnonymous
 {
 get { return _allowAnonymous; }
 set { _allowAnonymous = value; }
 }
 
+ ///
+ /// If true the server should set HttpContext.User. If false the server will only provide an
+ /// identity when explicitly requested by the AuthenticationScheme. The default is true.
+ ///
+ public bool AutomaticAuthentication { get; set; } = true;
+
 internal void SetUrlGroupSecurity(UrlGroup urlGroup)
 {
 Debug.Assert(_urlGroup == null, "SetUrlGroupSecurity called more than once.");
diff --git a/src/Servers/HttpSys/src/FeatureContext.cs b/src/Servers/HttpSys/src/FeatureContext.cs
index d2e2626874..cb0ba885b0 100644
--- a/src/Servers/HttpSys/src/FeatureContext.cs
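Review bot: The summary on `AutomaticAuthentication` in AuthenticationManager.cs does not tell callers what turning it off means for authorization. Going by the functional test in this commit, `HttpContext.User` is then an unauthenticated principal even for a request whose credentials http.sys has already accepted, until the app calls `AuthenticateAsync` with the HttpSys scheme. I would add a sentence to the doc comment such as `/// When false, HttpContext.User stays unauthenticated until the app authenticates with the HttpSys scheme.` The phrase "explicitly requested by the AuthenticationScheme" is also vague; naming `HttpSysDefaults.AuthenticationScheme` would be clearer. The class body continues outside the hunk.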
+++ b/src/Servers/HttpSys/src/FeatureContext.cs
@@ -85,7 +85,11 @@ namespace Microsoft.AspNetCore.Server.HttpSys
 _query = Request.QueryString;
 _rawTarget = Request.RawUrl;
 _scheme = Request.Scheme;
- _user = _requestContext.User;
+
+ if (requestContext.Server.Options.Authentication.AutomaticAuthentication)
+ {
+ _user = _requestContext.User;
+ }
 
 _responseStream = new ResponseStream(requestContext.Response.Body, OnResponseStart);
 _responseHeaders = Response.Headers;
diff --git a/src/Servers/HttpSys/test/FunctionalTests/AuthenticationTests.cs b/src/Servers/HttpSys/test/FunctionalTests/AuthenticationTests.cs
index be66db9655..2886b2d8d1 100644
--- a/src/Servers/HttpSys/test/FunctionalTests/AuthenticationTests.cs
+++ b/src/Servers/HttpSys/test/FunctionalTests/AuthenticationTests.cs
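Review bot: The new `if` in FeatureContext.cs leaves `_user` unset when `AutomaticAuthentication` is false, and nothing at that spot says the omission is deliberate or where the identity is obtained instead. A one-line comment above the branch would help, e.g. `// Automatic authentication off: leave _user unset; the identity is only returned by an explicit AuthenticateAsync on the HttpSys scheme.` The handler that serves that call is not in this diff, so confirm the wording against it. The condition reads the `requestContext` parameter while the assignment reads the `_requestContext` field; using one of them for both lines would be tidier. The enclosing member starts and ends outside the hunk.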
@@ -368,6 +368,38 @@ namespace Microsoft.AspNetCore.Server.HttpSys
 }
 }
 
+ [ConditionalTheory]
+ [InlineData(AuthenticationSchemes.Negotiate)]
+ [InlineData(AuthenticationSchemes.NTLM)]
+ // [InlineData(AuthenticationSchemes.Digest)] // TODO: Not implemented
+ // [InlineData(AuthenticationSchemes.Basic)] // Doesn't work with default creds
+ [InlineData(AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM | /* AuthenticationSchemes.Digest |*/ AuthenticationSchemes.Basic)]
+ public async Task AuthTypes_DisableAutomaticAuthentication(AuthenticationSchemes authType)
+ {
+ using (var server = Utilities.CreateDynamicHost(out var address, options =>
+ {
+ options.Authentication.AutomaticAuthentication = false;
+ options.Authentication.Schemes = authType;
+ options.Authentication.AllowAnonymous = DenyAnoymous;
+ },
+ async httpContext =>
+ {
+ Assert.NotNull(httpContext.User);
+ Assert.NotNull(httpContext.User.Identity);
+ Assert.False(httpContext.User.Identity.IsAuthenticated);
+
+ var authenticateResult = await httpContext.AuthenticateAsync(HttpSysDefaults.AuthenticationScheme);
+
+ Assert.NotNull(authenticateResult.Principal);
+ Assert.NotNull(authenticateResult.Principal.Identity);
+ Assert.True(authenticateResult.Principal.Identity.IsAuthenticated);
+ }))
+ {
+ var response = await SendRequestAsync(address, useDefaultCredentials: true);
+ Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+ }
+ }
+
 private async Task SendRequestAsync(string uri, bool useDefaultCredentials = false)
 {
 HttpClientHandler handler = new HttpClientHandler();
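Review bot: The new test only exercises the deny-anonymous path, where the client sends default credentials; nothing checks what an explicit `AuthenticateAsync` returns for a request without credentials when `AllowAnonymous` is true. That is the case where a mistake would hand the app an identity it should not have, so it deserves its own test next to `AuthTypes_DisableAutomaticAuthentication`. A sketch follows; the test name is mine, and the expectation that the result is not a success is inferred, since the HttpSys authentication handler is not part of this diff.

```csharp
[ConditionalTheory]
[InlineData(AuthenticationSchemes.Negotiate)]
[InlineData(AuthenticationSchemes.NTLM)]
public async Task AuthTypes_DisableAutomaticAuthentication_AnonymousRequest_NotAuthenticated(AuthenticationSchemes authType)
{
    using (var server = Utilities.CreateDynamicHost(out var address, options =>
    {
        options.Authentication.AutomaticAuthentication = false;
        options.Authentication.Schemes = authType;
        options.Authentication.AllowAnonymous = true;
    },
    async httpContext =>
    {
        Assert.False(httpContext.User.Identity.IsAuthenticated);

        var authenticateResult = await httpContext.AuthenticateAsync(HttpSysDefaults.AuthenticationScheme);

        // No credentials were sent, so the explicit call must not yield an identity either.
        Assert.False(authenticateResult.Succeeded);
    }))
    {
        var response = await SendRequestAsync(address);
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
    }
}
```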