diff --git a/arangod/Auth/UserManager.cpp b/arangod/Auth/UserManager.cpp
index 0b209f7ccd..8cdc01563b 100644
--- a/arangod/Auth/UserManager.cpp
+++ b/arangod/Auth/UserManager.cpp
@@ -654,9 +654,9 @@ Result auth::UserManager::removeAllUsers() {
 
 bool auth::UserManager::checkPassword(std::string const& username,
 std::string const& password) {
- // AuthResult result(username);
- if (username.empty() || IsRole(username)) {
- return false;
+ if (username.empty() || IsRole(username) ||
+ ServerState::serverMode() == ServerState::Mode::MAINTENANCE) {
+ return false; // we cannot authenticate during bootstrap
 }
 
 loadFromDB();
diff --git a/arangod/GeneralServer/GeneralCommTask.cpp b/arangod/GeneralServer/GeneralCommTask.cpp
index f8a99719b4..708227d4f9 100644
--- a/arangod/GeneralServer/GeneralCommTask.cpp
+++ b/arangod/GeneralServer/GeneralCommTask.cpp
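Review bot: In `auth::UserManager::checkPassword`, the new MAINTENANCE branch returns the same `false` as a wrong password, so a caller cannot tell "server still bootstrapping" from "bad credentials". Any caller that records or counts failed logins (none is visible in this hunk) would presumably register bootstrap-time attempts as credential failures, which muddies the audit trail. The trailing comment should also say why the check sits before `loadFromDB()`; proposed wording, to be confirmed by the author: `// fail closed: in MAINTENANCE mode user data may not be loadable yet, so reject before loadFromDB()`. The function body continues outside the hunk.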
@@ -164,22 +164,23 @@ GeneralCommTask::RequestFlow GeneralCommTask::prepareExecution(
 // now check the authentication will determine if the user can access
 // this path checks db permissions and contains exceptions for the
 // users API to allow logins
- const rest::ResponseCode ok = GeneralCommTask::canAccessPath(req);
- if (ok == rest::ResponseCode::UNAUTHORIZED) {
+ const rest::ResponseCode code = GeneralCommTask::canAccessPath(req);
+ if (code == rest::ResponseCode::UNAUTHORIZED) {
 addErrorResponse(rest::ResponseCode::UNAUTHORIZED,
 req.contentTypeResponse(), req.messageId(),
 TRI_ERROR_FORBIDDEN,
 "not authorized to execute this request");
 return RequestFlow::Abort;
 }
- TRI_ASSERT(ok == rest::ResponseCode::OK); // nothing else allowed
-
- // check for an HLC time stamp, only after authentication
- std::string const& timeStamp = req.header(StaticStrings::HLCHeader, found);
- if (found) {
- uint64_t parsed = basics::HybridLogicalClock::decodeTimeStamp(timeStamp);
- if (parsed != 0 && parsed != UINT64_MAX) {
- TRI_HybridLogicalClock(parsed);
+
+ if (code == rest::ResponseCode::OK && req.authenticated()) {
+ // check for an HLC time stamp only with auth
+ std::string const& timeStamp = req.header(StaticStrings::HLCHeader, found);
+ if (found) {
+ uint64_t parsed = basics::HybridLogicalClock::decodeTimeStamp(timeStamp);
+ if (parsed != 0 && parsed != UINT64_MAX) {
+ TRI_HybridLogicalClock(parsed);
+ }
 }
 }
 
@@ -473,6 +474,8 @@ rest::ResponseCode GeneralCommTask::canAccessPath(
 if (!_auth->isActive()) {
 // no authentication required at all
 return rest::ResponseCode::OK;
+ } else if (ServerState::serverMode() == ServerState::Mode::MAINTENANCE) {
+ return rest::ResponseCode::SERVICE_UNAVAILABLE;
 }
 
 std::string const& path = request.requestPath();
diff --git a/arangod/GeneralServer/HttpCommTask.cpp b/arangod/GeneralServer/HttpCommTask.cpp
index a0f4e95f32..f941a58a67 100644
--- a/arangod/GeneralServer/HttpCommTask.cpp
+++ b/arangod/GeneralServer/HttpCommTask.cpp
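Review bot: With `TRI_ASSERT(ok == rest::ResponseCode::OK)` removed from `GeneralCommTask::prepareExecution`, every `canAccessPath` result other than UNAUTHORIZED now falls through this block, and nothing visible in the hunk aborts the request. The same commit makes `canAccessPath` return `SERVICE_UNAVAILABLE` in maintenance mode (the `-473` hunk of this file), and for that code the new lines only skip the HLC update. Whether the request is stopped later depends on code outside the hunk, since `prepareExecution` starts before and continues after it. Failing closed at this point would be safer: `if (code != rest::ResponseCode::OK) { /* send the error response for code */ return RequestFlow::Abort; }`.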
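Review bot: In `GeneralCommTask::canAccessPath`, the maintenance check is the `else` of `!_auth->isActive()`, so with authentication disabled the function still returns OK during bootstrap, and the new branch has no comment saying whether that asymmetry is intended. If it is, state it on the branch; proposed wording, to be confirmed by the author: `// auth is active but cannot be evaluated during bootstrap: answer 503 instead of checking permissions`. As a style point, the `else` after `return rest::ResponseCode::OK;` is redundant, and a separate `if` would read more clearly. The function body continues outside the hunk.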
@@ -762,16 +762,13 @@ void HttpCommTask::resetState() {
 
 ResponseCode HttpCommTask::handleAuthHeader(HttpRequest* request) const {
 bool found;
- std::string const& authStr =
- request->header(StaticStrings::Authorization, found);
-
+ std::string const& authStr = request->header(StaticStrings::Authorization, found);
 if (!found) {
 events::CredentialsMissing(request);
 return rest::ResponseCode::UNAUTHORIZED;
 }
 
 size_t methodPos = authStr.find_first_of(' ');
-
 if (methodPos != std::string::npos) {
 // skip over authentication method
 char const* auth = authStr.c_str() + methodPos;