diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 1d5cee014..0d1fa92e5 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1543,7 +1543,7 @@ void EmbeddedNetworkController::_request(
 					*(reinterpret_cast<InetAddress *>(&(r->target))) = t;
 					if (v.ss_family == t.ss_family)
 						*(reinterpret_cast<InetAddress *>(&(r->via))) = v;
-					++nc->routeCount;
+		 			++nc->routeCount;
 				}
 			}
 		}
@@ -1768,7 +1768,12 @@ void EmbeddedNetworkController::_startThreads()
 			std::vector<_MemberStatusKey> expired;
 			nlohmann::json network, member;
 			for(;;) {
+				expired.clear();
+				network.clear();
+				member.clear();
+
 				_RQEntry *qe = (_RQEntry *)0;
+				Metrics::network_config_request_queue_size = _queue.size();
 				auto timedWaitResult = _queue.get(qe, 1000);
 				if (timedWaitResult == BlockingQueue<_RQEntry *>::STOP) {
 					break;
@@ -1776,40 +1781,45 @@ void EmbeddedNetworkController::_startThreads()
 					if (qe) {
 						try {
 							_request(qe->nwid,qe->fromAddr,qe->requestPacketId,qe->identity,qe->metaData);
+							if (!_db.get(qe->nwid, network, qe->identity.address().toInt(), member)) {
+								delete qe;
+								qe = nullptr;
+								continue;
+							}
 						} catch (std::exception &e) {
 							fprintf(stderr,"ERROR: exception in controller request handling thread: %s" ZT_EOL_S,e.what());
 						} catch ( ... ) {
 							fprintf(stderr,"ERROR: exception in controller request handling thread: unknown exception" ZT_EOL_S);
 						}
 						delete qe;
+						qe = nullptr;
 					}
 				}
-
-				expired.clear();
-				int64_t now = OSUtils::now();
-				{
-					std::lock_guard<std::mutex> l(_expiringSoon_l);
-					for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
-						const int64_t when = s->first;
-						if (when <= now) {
-							// The user may have re-authorized, so we must actually look it up and check.
-							network.clear();
-							member.clear();
-							if (_db.get(s->second.networkId, network, s->second.nodeId, member)) {
+				
+				bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
+				if (networkSSOEnabled) {
+					int64_t now = OSUtils::now();
+					{
+						std::lock_guard<std::mutex> l(_expiringSoon_l);
+						for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
+							Metrics::sso_expiration_checks++;
+							const int64_t when = s->first;
+							if (when <= now) {
 								int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
 								if (authenticationExpiryTime <= now) {
 									expired.push_back(s->second);
 								}
+								s = _expiringSoon.erase(s);
+							} else {
+								// Don't bother going further into the future than necessary.
+								break;
 							}
-							_expiringSoon.erase(s++);
-						} else {
-							// Don't bother going further into the future than necessary.
-							break;
 						}
 					}
-				}
-				for(auto e=expired.begin();e!=expired.end();++e) {
-					onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
+					for(auto e=expired.begin();e!=expired.end();++e) {
+						Metrics::sso_member_deauth++;
+						onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
+					}
 				}
 			}
 		});
diff --git a/osdep/BlockingQueue.hpp b/osdep/BlockingQueue.hpp
index cce37a04a..f3caff991 100644
--- a/osdep/BlockingQueue.hpp
+++ b/osdep/BlockingQueue.hpp
@@ -116,6 +116,11 @@ public:
 		return OK;
 	}
 
+	inline size_t size() const {
+		std::unique_lock<std::mutex> lock(m);
+		return q.size();
+	}
+
 private:
 	std::queue<T> q;
 	mutable std::mutex m;