diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 30a1e0e57..8392356cb 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1769,9 +1769,6 @@ void EmbeddedNetworkController::_startThreads()
 			nlohmann::json network, member;
 			for(;;) {
 				expired.clear();
-				network.clear();
-				member.clear();
-
 				_RQEntry *qe = (_RQEntry *)0;
 				Metrics::network_config_request_queue_size = _queue.size();
 				auto timedWaitResult = _queue.get(qe, 1000);
@@ -1781,33 +1778,6 @@ void EmbeddedNetworkController::_startThreads()
 					if (qe) {
 						try {
 							_request(qe->nwid,qe->fromAddr,qe->requestPacketId,qe->identity,qe->metaData);
-							if (_db.get(qe->nwid, network, qe->identity.address().toInt(), member)) {
-								bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
-								if (networkSSOEnabled) {
-									int64_t now = OSUtils::now();
-									{
-										std::lock_guard<std::mutex> l(_expiringSoon_l);
-										for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
-											Metrics::sso_expiration_checks++;
-											const int64_t when = s->first;
-											if (when <= now) {
-												int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
-												if (authenticationExpiryTime <= now) {
-													expired.push_back(s->second);
-												}
-												s = _expiringSoon.erase(s);
-											} else {
-												// Don't bother going further into the future than necessary.
-												break;
-											}
-										}
-									}
-									for(auto e=expired.begin();e!=expired.end();++e) {
-										Metrics::sso_member_deauth++;
-										onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
-									}
-								}
-							}
 						} catch (std::exception &e) {
 							fprintf(stderr,"ERROR: exception in controller request handling thread: %s" ZT_EOL_S,e.what());
 						} catch ( ... ) {
@@ -1817,6 +1787,34 @@ void EmbeddedNetworkController::_startThreads()
 						qe = nullptr;
 					}
 				}
+
+				int64_t now = OSUtils::now();
+				{
+					std::lock_guard<std::mutex> l(_expiringSoon_l);
+					for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
+						Metrics::sso_expiration_checks++;
+						const int64_t when = s->first;
+						if (when <= now) {
+							// The user may have re-authorized, so we must actually look it up and check.
+							network.clear();
+							member.clear();
+							if (_db.get(s->second.networkId, network, s->second.nodeId, member)) {
+								int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
+								if (authenticationExpiryTime <= now) {
+									expired.push_back(s->second);
+								}
+							}
+							s = _expiringSoon.erase(s);
+						} else {
+							// Don't bother going further into the future than necessary.
+							break;
+						}
+					}
+				}
+				for(auto e=expired.begin();e!=expired.end();++e) {
+					Metrics::sso_member_deauth++;
+					onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
+				}
 			}
 		});
 	}