diff --git a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/GMSClient.java b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/GMSClient.java
index 6f1489c9f4999d2fcef6409d95c563622c3d18dc..5c567e44b520cb8c14d5f408ea727e6b025535c0 100755
--- a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/GMSClient.java
+++ b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/GMSClient.java
@@ -115,7 +115,8 @@ public class GMSClient
 private static final Logger log = Logger.getLogger(GMSClient.class);
 // socket factory to use when connecting
- public SSLSocketFactory sslSocketFactory;
+ private SSLSocketFactory sslSocketFactory;
+ private SSLSocketFactory mySocketFactory;
 private String baseURL;
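Review bot: The comment `// socket factory to use when connecting` now sits above two fields and no longer says which of them is used. Each field should carry its own comment, for example `// supplied by the caller through setSSLSocketFactory; used only when the calling context has no Subject with principals` on `sslSocketFactory` and `// built from the calling Subject on first use; never replaced afterwards` on `mySocketFactory`. Narrowing `sslSocketFactory` from public to private also breaks any caller that assigned the field directly, which deserves a line in the commit message if such callers exist.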
@@ -947,23 +948,40 @@ public class GMSClient
 */
 public void setSSLSocketFactory(SSLSocketFactory sslSocketFactory)
 {
+ if (mySocketFactory != null)
+ throw new IllegalStateException("Illegal use of GMSClient: "
+ + "cannot set SSLSocketFactory after using one created from Subject");
 this.sslSocketFactory = sslSocketFactory;
 }
- /**
- * @return the sslSocketFactory
- */
+ private int subjectHashCode = 0;
 private SSLSocketFactory getSSLSocketFactory()
 {
- if (this.sslSocketFactory == null)
+ AccessControlContext ac = AccessController.getContext();
+ Subject s = Subject.getSubject(ac);
+
+ // no real Subject: can only use the one from setSSLSocketFactory
+ if (s == null || s.getPrincipals().isEmpty())
+ {
+ return sslSocketFactory;
+ }
+
+ // lazy init
+ if (this.mySocketFactory == null)
+ {
+ log.debug("getSSLSocketFactory: " + s);
+ this.mySocketFactory = SSLUtil.getSocketFactory(s);
+ this.subjectHashCode = s.hashCode();
+ }
+ else
 {
- log.debug("initHTTPS: lazy init");
- AccessControlContext ac = AccessController.getContext();
- Subject s = Subject.getSubject(ac);
- this.sslSocketFactory = SSLUtil.getSocketFactory(s);
- log.debug("Socket Factory: " + this.sslSocketFactory);
+ int c = s.hashCode();
+ if (c != subjectHashCode)
+ throw new IllegalStateException("Illegal use of "
+ + this.getClass().getSimpleName()
+ + ": subject change not supported for internal SSLSocketFactory");
 }
- return this.sslSocketFactory;
+ return this.mySocketFactory;
 }
 protected void clearCache()
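Review bot: The subject-change guard in getSSLSocketFactory() compares `s.hashCode()` with the stored `subjectHashCode`, and a hash code is not an identity: two different Subjects can produce the same value, in which case the socket factory built from the first caller's credentials would be returned to the second. Subject.hashCode() is also computed from the Subject's current principals and public credentials, so the same Subject would fail the check once its contents change. Keeping the Subject itself is more robust: `private Subject mySubject;`, `this.mySubject = s;` in the lazy-init branch, and `if (!s.equals(mySubject))` in the else branch. Whether `equals` or reference identity is the right comparison depends on how callers construct their Subjects, which this hunk does not show. The lazy init is also unsynchronized, so a GMSClient shared between threads running as different Subjects could pair one caller's factory with another's hash; and the removed Javadoc should be replaced by a comment stating that the Subject-derived factory takes precedence over the one passed to setSSLSocketFactory.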