diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index d228a3685..9a4a09844 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1361,14 +1361,13 @@ void EmbeddedNetworkController::_request(
 	bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
 	bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false);
 	std::string authenticationURL;
-
 	if (networkSSOEnabled && !memberSSOExempt) {
 		authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
 		std::string memberId = member["id"];
 		fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
 		uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
 		fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
-		if (authenticationExpiryTime >= now) {
+		if (authenticationExpiryTime < now) {
 			if (!authenticationURL.empty()) {
 				Dictionary<3072> authInfo;
 				authInfo.add("aU", authenticationURL.c_str());
@@ -1376,8 +1375,8 @@ void EmbeddedNetworkController::_request(
 				DB::cleanMember(member);
 				_db.save(member,true);
 				_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
+				return;
 			}
-			return;
 		} else if (authorized) {
 			_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
 		}