diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index a69ee37238..9e46c81ad4 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -855,6 +855,14 @@ int ssl_hook_UserCheck(request_rec *r)
 return HTTP_FORBIDDEN;
 }
 
+ /*
+ * We decline when we are in a subrequest. The Authorization header
+ * would already be present if it was added in the main request.
+ */
+ if (!ap_is_initial_req(r)) {
+ return DECLINED;
+ }
+
 /*
 * Make sure the user is not able to fake the client certificate
 * based authentication by just entering an X.509 Subject DN
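Review bot: The new early return sits above the "Make sure the user is not able to fake the client certificate based authentication" check, so that check is now skipped for every request that is not the initial one, while the added comment only explains why the Authorization header need not be inserted again. `ap_is_initial_req()` is also false for internal redirects, not only subrequests, so the comment understates which requests are declined. I would extend the comment to name both cases and to state the assumption the skip relies on, for example `* Subrequests and internal redirects are declined: their inherited headers were already checked on the initial request.` Whether every redirect path actually passes through this hook on the initial request first cannot be confirmed from this hunk, since the body of ssl_hook_UserCheck continues outside it; that is worth verifying before merging.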