diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 174916fec..750ced598 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1331,6 +1331,9 @@ void EmbeddedNetworkController::_request(
 member["lastAuthorizedCredential"] = autoAuthCredential;
 }
+ const int64_t authenticationExpiryTime = member["authenticationExpiryTime"];
+ const std::string authenticationURL = member["authenticationURL"];
+
 if (authorized) {
 // Update version info and meta-data if authorized and if this is a genuine request
 if (requestPacketId) {
@@ -1357,18 +1360,12 @@ void EmbeddedNetworkController::_request(
 }
 }
- const int64_t authenticationExpiryTime = member["authenticationExpiryTime"];
 if ((authenticationExpiryTime >= 0)&&(authenticationExpiryTime < now)) {
- const std::string authenticationURL = member["authenticationURL"];
- if (authenticationURL.empty()) {
- _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, nullptr, 0);
- return;
- } else {
- Dictionary<1024> authInfo;
+ Dictionary<1024> authInfo;
+ if (!authenticationURL.empty())
 authInfo.add("aU", authenticationURL.c_str());
- _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
- return;
- }
+ _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
+ return;
 }
 } else {
 // If they are not authorized, STOP!
diff --git a/one.cpp b/one.cpp
index 035730bde..d83ef5bea 100644
--- a/one.cpp
+++ b/one.cpp
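Review bot: The two declarations added above `if (authorized)` in the first `_request` hunk convert `member[...]` implicitly, and that conversion throws when the field is absent, null or of another type; hoisted here, it now runs for every request, including those from unauthorized members, where before it ran only on the authorized path. Whether `member` is always populated with both fields, and whether a caller catches the exception, is outside the hunk, so explicit defaults are safer: `const std::string authenticationURL = OSUtils::jsonString(member["authenticationURL"], "");` and an `is_number()` check on the expiry that falls back to a negative value, which the later `>= 0` test already treats as no expiry. The same implicit conversion appears in the one.cpp hunk at `int64_t authenticationExpiryTime = n["authenticationExpiryTime"];`, where a service that does not emit the field would hit it.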
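Review bot: The result of `authInfo.add("aU", authenticationURL.c_str())` in the second `_request` hunk is discarded, so if the URL does not fit in the `Dictionary<1024>` the member would presumably receive NC_ERROR_AUTHENTICATION_REQUIRED with no URL and nothing would be logged on the controller. Checking it, for example `if (!authenticationURL.empty() && !authInfo.add("aU", authenticationURL.c_str())) { /* log: authenticationURL too long for authInfo */ }`, makes that case visible. The hunk also changes what is sent when the URL is empty, from `nullptr, 0` to the data of an empty dictionary; a one-line comment stating that receivers accept an empty dictionary, and what the `aU` key means, would help the next reader. The enclosing function starts and ends outside the hunk.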
@@ -794,6 +794,14 @@ static int cli(int argc,char **argv)
 OSUtils::jsonString(n["type"],"-").c_str(),
 OSUtils::jsonString(n["portDeviceName"],"-").c_str(),
 aa.c_str());
+ int64_t authenticationExpiryTime = n["authenticationExpiryTime"];
+ if (authenticationExpiryTime >= 0) {
+ if (n["status"] == "AUTHENTICATION_REQUIRED") {
+ printf(" SSO authentication required, URL: %s" ZT_EOL_S, OSUtils::jsonString(n["authenticationURL"], "(null)").c_str());
+ } else {
+ printf(" SSO authentication expires in %lld" ZT_EOL_S, (authenticationExpiryTime - OSUtils::now()) / 1000LL);
+ }
+ }
 }
 }
 }
diff --git a/service/OneService.cpp b/service/OneService.cpp
index 9c45890d3..5dfd04839 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -184,6 +184,7 @@ static void _networkToJson(nlohmann::json &nj,const ZT_VirtualNetworkConfig *nc,
 case ZT_NETWORK_STATUS_NOT_FOUND: nstatus = "NOT_FOUND"; break;
 case ZT_NETWORK_STATUS_PORT_ERROR: nstatus = "PORT_ERROR"; break;
 case ZT_NETWORK_STATUS_CLIENT_TOO_OLD: nstatus = "CLIENT_TOO_OLD"; break;
+ case ZT_NETWORK_STATUS_AUTHENTICATION_REQUIRED: nstatus = "AUTHENTICATION_REQUIRED"; break;
 }
 switch(nc->type) {
 case ZT_NETWORK_TYPE_PRIVATE: ntype = "PRIVATE"; break;
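Review bot: The `printf` of `authenticationURL` in the one.cpp hunk writes the value to the terminal verbatim, and it appears to originate from the network controller (the `aU` entry sent in the `_request` hunk) rather than from local configuration. Nothing visible here checks that it is an `https://` URL or that it contains only printable characters, so the CLI would display whatever a misconfigured or compromised controller supplies, for the user to open. Validating the scheme and rejecting control characters before printing, or at the point where the service stores the value (outside this diff), would bound that. Separately, the other branch prints a bare number that goes negative once the expiry has passed; `" SSO authentication expires in %lld seconds"` with the value clamped at 0 would read unambiguously.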