diff --git a/cadc-access-control-identity/build.gradle b/cadc-access-control-identity/build.gradle
index eff722d478495f414a25a7608c5c7fc0631186e5..c35de04038762f753af73c7aaecc5457977b9ffb 100644
--- a/cadc-access-control-identity/build.gradle
+++ b/cadc-access-control-identity/build.gradle
@@ -13,7 +13,7 @@ repositories {
 sourceCompatibility = 1.7
 group = 'org.opencadc'
 
-version = '1.0.1'
+version = '1.0.2'
 
 dependencies {
     compile 'log4j:log4j:1.2.+'
diff --git a/cadc-access-control-identity/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java b/cadc-access-control-identity/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java
index 750ebf19e0ff2f643754e285c2b158e0a4fab24f..a679af599ab946910962bd0bd8ebfa6c0245e18a 100644
--- a/cadc-access-control-identity/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java
+++ b/cadc-access-control-identity/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java
@@ -4,7 +4,6 @@ import java.net.URI;
 import java.net.URL;
 
 import javax.security.auth.Subject;
-import javax.security.auth.x500.X500Principal;
 
 import org.apache.log4j.Logger;
 
@@ -50,17 +49,12 @@ public class AuthenticatorImpl implements Authenticator
             identityManager.augmentSubject(subject);
             prof.checkpoint("AuthenticatorImpl.augmentSubject()");
 
-            if (subject.getPrincipals(HttpPrincipal.class).isEmpty()) // no matching cadc account
+            if (subject.getPrincipals(NumericPrincipal.class).isEmpty()) // no matching internal account
             {
-                // check to see if they connected with an client certificate at least
-                // they should be able to use services with only a client certificate
-                if (subject.getPrincipals(X500Principal.class).isEmpty())
-                {
-                    // if the caller had an invalid or forged CADC_SSO cookie, we could get
-                    // in here and then not match any known identity: drop to anon
-                    log.debug("HttpPrincipal not found - dropping to anon: " + subject);
-                    subject = AuthenticationUtil.getAnonSubject();
-                }
+                // if the caller had an invalid or forged CADC_SSO cookie, we could get
+                // in here and then not match any known identity: drop to anon
+                log.debug("NumericPrincipal not found - dropping to anon: " + subject);
+                subject = AuthenticationUtil.getAnonSubject();
             }
         }
 
diff --git a/cadc-access-control-server/build.gradle b/cadc-access-control-server/build.gradle
index 06b670f9e2b17f6aeb4fdcb0908cc1795a8081b0..be6ac30126606b94bb19a4a010595d90ff4e6577 100644
--- a/cadc-access-control-server/build.gradle
+++ b/cadc-access-control-server/build.gradle
@@ -13,7 +13,7 @@ repositories {
 sourceCompatibility = 1.7
 group = 'org.opencadc'
 
-version = '1.0.1'
+version = '1.0.2'
 
 dependencies {
     compile 'log4j:log4j:1.2.+'
diff --git a/cadc-access-control-server/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java b/cadc-access-control-server/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java
index 06714bb480b2696f99601c0b9791ed73178d2b5f..1c7357a178c8d9429dc7387e63e775491ffb77f7 100644
--- a/cadc-access-control-server/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java
+++ b/cadc-access-control-server/src/main/java/ca/nrc/cadc/auth/AuthenticatorImpl.java
@@ -69,6 +69,10 @@
 
 package ca.nrc.cadc.auth;
 
+import javax.security.auth.Subject;
+
+import org.apache.log4j.Logger;
+
 import ca.nrc.cadc.ac.Group;
 import ca.nrc.cadc.ac.Role;
 import ca.nrc.cadc.ac.User;
@@ -77,11 +81,6 @@ import ca.nrc.cadc.ac.client.GroupMemberships;
 import ca.nrc.cadc.ac.server.PluginFactory;
 import ca.nrc.cadc.ac.server.UserPersistence;
 import ca.nrc.cadc.profiler.Profiler;
-import org.apache.log4j.Logger;
-
-import javax.security.auth.Subject;
-
-import java.security.Principal;
 
 /**
  * Implementation of default Authenticator for AuthenticationUtil in cadcUtil.
@@ -119,9 +118,9 @@ public class AuthenticatorImpl implements Authenticator
 
             // if the caller had an invalid or forged CADC_SSO cookie, we could get
             // in here and then not match any known identity: drop to anon
-            if ( subject.getPrincipals(HttpPrincipal.class).isEmpty() ) // no matching cadc account
+            if ( subject.getPrincipals(NumericPrincipal.class).isEmpty() ) // no matching internal account
             {
-                log.debug("HttpPrincipal not found - dropping to anon: " + subject);
+                log.debug("NumericPrincipal not found - dropping to anon: " + subject);
                 subject = AuthenticationUtil.getAnonSubject();
             }
         }
@@ -162,7 +161,7 @@ public class AuthenticatorImpl implements Authenticator
                 catch(Exception bug)
                 {
                     throw new RuntimeException("BUG: found User.appData but could not store in Subject as GroupMemberships cache", bug);
-                    
+
                 }
             }
             user.appData = null; // avoid loop that prevents GC???