diff --git a/lib/http.c b/lib/http.c
index 4c1cfc5499a85386d6b0f482b7628f7119a17577..beab543eed262dd5410a3bce8a95313e2463eae6 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1435,8 +1435,14 @@ CURLcode Curl_http_done(struct connectdata *conn,
 
 #ifdef USE_SPNEGO
   if(data->state.proxyneg.state == GSS_AUTHSENT ||
-      data->state.negotiate.state == GSS_AUTHSENT)
+     data->state.negotiate.state == GSS_AUTHSENT) {
+    /* add forbid re-use if http-code != 401/407 as a WA only needed for
+     * 401/407 that signal auth failure (empty) otherwise state will be RECV
+     * with current code */
+    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
+      connclose(conn, "Negotiate transfer completed");
     Curl_cleanup_negotiate(data);
+  }
 #endif
 
   /* set the proper values (possibly modified on POST) */