diff --git a/certidude/auth.py b/certidude/auth.py
index 4fc743f..0be6063 100644
--- a/certidude/auth.py
+++ b/certidude/auth.py
@@ -46,6 +46,8 @@ def authenticate(optional=False):
 context.step(b64decode(token))
 except TypeError: # base64 errors
 raise falcon.HTTPBadRequest("Bad request", "Malformed token")
+ except gssapi.raw.exceptions.BadMechanismError:
+ raise falcon.HTTPBadRequest("Bad request", "Unsupported authentication mechanism (NTLM?) was offered. Please make sure you've logged into the computer with domain user account. The web interface should not prompt for username or password.")
 username, domain = str(context.initiator_name).split("@")
diff --git a/tests/test_cli.py b/tests/test_cli.py
index f820081..30d2a7d 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -887,6 +887,10 @@ def test_cli_setup_authority():
 assert "No Kerberos ticket offered" in r.text, r.text
 r = requests.get("http://ca.example.lan/api/", headers={"Authorization": "Negotiate blerrgh"})
 assert r.status_code == 400, r.text
+ assert "Malformed token" in r.text
+ r = requests.get("http://ca.example.lan/api/", headers={"Authorization": "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw=="})
+ assert r.status_code == 400, r.text
+ assert "Unsupported authentication mechanism (NTLM" in r.text
 r = requests.get("http://ca.example.lan/api/", auth=auth)
 assert r.status_code == 200, r.text
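Review bot: Only `BadMechanismError` is handled by the new `except` clause after `context.step(b64decode(token))`, so any other GSSAPI failure on the client-controlled `Authorization` token (a truncated or defective SPNEGO blob, for instance) presumably still propagates as an unhandled exception and a 500, unless a handler exists outside this hunk. Because this path runs before the caller is authenticated, it is worth ending the chain with the GSSAPI base error, e.g. `except gssapi.raw.misc.GSSError:` followed by `raise falcon.HTTPBadRequest("Bad request", "Kerberos negotiation failed")`, and logging the original exception server-side rather than returning it. The body of `authenticate` starts and ends outside the hunk, so whether `context.complete` is checked before `context.initiator_name` is read cannot be confirmed from here.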
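Review bot: The base64 value in the second new `requests.get` call is opaque to a reader; its first bytes decode to `NTLMSSP\0` followed by message type 1, so a comment such as `# NTLMSSP type 1 (negotiate) message: client offered NTLM instead of Kerberos` above that line would document why a 400 is expected. The two new message assertions also omit the `, r.text` failure message that the neighbouring assertions carry, e.g. `assert "Malformed token" in r.text, r.text`, which makes a failing run harder to diagnose. `test_cli_setup_authority` continues outside the hunk.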