diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index 5c3190a82eb..c5dbec973d1 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -130,6 +130,12 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
 auth->auth_level = call->in_auth_info.auth_level;
 auth->auth_context_id = call->in_auth_info.auth_context_id;
 
+ if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
+ !call->conn->got_explicit_auth_level_connect)
+ {
+ call->conn->default_auth_level_connect = auth;
+ }
+
 cb->auth.become_root();
 status = cb->auth.gensec_prepare(
 auth,
@@ -379,12 +385,6 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
 }
 auth->auth_finished = true;
 
- if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
- !call->conn->got_explicit_auth_level_connect)
- {
- call->conn->default_auth_level_connect = auth;
- }
-
 if (call->pkt.ptype != DCERPC_PKT_AUTH3) {
 return NT_STATUS_OK;
 }
@@ -620,12 +620,12 @@ bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
 return false;
 }
 
- if (!auth->auth_finished) {
- call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ if (auth->auth_invalid) {
 return false;
 }
 
- if (auth->auth_invalid) {
+ if (!auth->auth_finished) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
 return false;
 }
 
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index 0c8c7ebb17c..ebe6e662202 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -2338,7 +2338,13 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
 dcesrv_default_auth_state_prepare_request(call);
 
 if (call->auth_state->auth_started &&
+ !call->auth_state->auth_invalid &&
 !call->auth_state->auth_finished) {
+ /*
+ * We have this check here instead of
+ * relying on the check in dcesrv_auth_pkt_pull()
+ * because the fault should have context_id=0
+ */
 return dcesrv_fault_disconnect(call,
 DCERPC_NCA_S_PROTO_ERROR);
 }
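Review bot: In dcesrv_auth_prepare_gensec the new block stores `auth` in `call->conn->default_auth_level_connect` before `cb->auth.gensec_prepare()` has run, so the connection-wide default can now point at a context that is neither finished nor known to be valid. Nothing in this hunk clears the pointer or shows `auth_invalid` being set if the preparation that follows fails; the rest of the function is outside the hunk, so that failure path should be checked. I would add a comment above the block, for example `/* published before authentication completes: readers must check auth_finished and auth_invalid before trusting this state */`.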
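Review bot: In dcesrv_auth_pkt_pull the `auth_invalid` branch now runs first and returns false without assigning `call->fault_code`, so the fault reported for an invalid context depends on a value set outside this hunk. The new order changes behaviour, since an invalid and unfinished context no longer produces DCERPC_NCA_S_PROTO_ERROR here, but nothing in the code records that the order is deliberate. If the intent is to leave the caller's fault code in place, a comment such as `/* auth_invalid must be checked before !auth_finished: no PROTO_ERROR for an invalid context */` would keep a later cleanup from swapping the checks back. The function starts and ends outside the hunk.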
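Review bot: The comment added in dcesrv_process_ncacn_packet explains why the unfinished-auth check lives here, but not why `!call->auth_state->auth_invalid` was added to the condition. With that term, a request on a context that was started and then marked invalid is no longer disconnected at this point and is presumably left to the `auth_invalid` check in dcesrv_auth_pkt_pull(). Whether every later path reaches that check cannot be seen from this hunk. I would extend the comment with a line like `* An invalid auth state is not handled here; dcesrv_auth_pkt_pull() rejects it.` The enclosing function begins and ends outside the hunk.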
diff --git a/selftest/knownfail.d/dcerpc-auth-pad b/selftest/knownfail.d/dcerpc-auth-pad
index cbfd1442c86..4c77d622737 100644
--- a/selftest/knownfail.d/dcerpc-auth-pad
+++ b/selftest/knownfail.d/dcerpc-auth-pad
@@ -1,4 +1,3 @@
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_ntlm
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_spnego
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3