diff --git a/library/Icinga/Authentication/Backend/LdapUserBackend.php b/library/Icinga/Authentication/Backend/LdapUserBackend.php
index d19437ae6..fbda2e74f 100644
--- a/library/Icinga/Authentication/Backend/LdapUserBackend.php
+++ b/library/Icinga/Authentication/Backend/LdapUserBackend.php
@@ -127,10 +127,11 @@ class LdapUserBackend extends UserBackend
 *
 * @param User $user
 * @param string $password
- * @param boolean $healthCheck Perform additional health checks to generate more useful
- * exceptions in case of a configuration or backend error
+ * @param boolean $healthCheck Perform additional health checks to generate more useful exceptions in case
+ * of a configuration or backend error
 *
- * @return bool True when the authentication was successful, false when the username or password was invalid
+ * @return bool True when the authentication was successful, false when the username
+ * or password was invalid
 * @throws AuthenticationException When an error occurred during authentication and authentication is not possible
 */
 public function authenticate(User $user, $password, $healthCheck = true)
@@ -150,14 +151,15 @@ class LdapUserBackend extends UserBackend
 );
 }
 }
+ if (! $this->hasUser($user)) {
+ return false;
+ }
 try {
- $userDn = $this->conn->fetchDN($this->createQuery($user->getUsername()));
- if (!$userDn) {
- // User does not exist
- return false;
- }
- return $this->conn->testCredentials($userDn, $password);
- } catch (Exception $e) {
+ return $this->conn->testCredentials(
+ $this->conn->fetchDN($this->createQuery($user->getUsername())),
+ $password
+ );
+ } catch (\Exception $e) {
 // Error during authentication of this specific user
 throw new AuthenticationException(
 sprintf(
diff --git a/library/Icinga/Protocol/Ldap/Connection.php b/library/Icinga/Protocol/Ldap/Connection.php
index 60ab16620..66711b97a 100644
--- a/library/Icinga/Protocol/Ldap/Connection.php
+++ b/library/Icinga/Protocol/Ldap/Connection.php
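Review bot: In LdapUserBackend::authenticate(), the new `if (! $this->hasUser($user))` guard sits before the `try`, so any exception it raises on a connection or query failure would bypass the `catch (\Exception $e)` that turns errors into the documented `AuthenticationException`; hasUser() is not shown in this diff, so this is inferred from it being a directory lookup. Moving the guard to the first statement inside the `try` keeps a single error path for this backend. Separately, `$password` is handed to `testCredentials()` unchecked: unless that method rejects an empty string, a simple bind with an empty password can be accepted by the directory server as an unauthenticated bind, so a guard such as `if ((string) $password === '') { return false; }` ahead of the bind is worth adding. The body of authenticate() starts above and continues below this hunk.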
@@ -223,16 +223,22 @@ class Connection
 /**
 * Fetch the distinguished name of the first result of the given query
 *
- * @param $query
- * @param array $fields
+ * @param $query The query returning the result set
+ * @param array $fields The fields to fetch
 *
- * @return null|string Returns the distinguished name, or false when the given query yields no results
+ * @return string Returns the distinguished name, or false when the given query yields no results
+ * @throws \Exception When the query result is empty and contains no DN to fetch
 */
 public function fetchDN($query, $fields = array())
 {
 $rows = $this->fetchAll($query, $fields);
 if (count($rows) !== 1) {
- return null;
+ throw new \Exception(
+ sprintf(
+ 'Cannot fetch single DN for %s',
+ $query
+ )
+ );
 }
 return key($rows);
 }
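Review bot: The updated docblock of fetchDN() contradicts the new body: `@return` still says "or false when the given query yields no results", and `@throws` mentions only an empty result although `count($rows) !== 1` also throws when the query matches more than one entry. Suggested wording: `@return string The distinguished name of the single matching entry` and `@throws \Exception When the query matches no entry or more than one entry`. The message is built with `sprintf('Cannot fetch single DN for %s', $query)`, which relies on `$query` converting to a string; if the query class has no `__toString()` this line fails instead of raising the intended exception, and when it does convert, the search filter (including the looked-up username) lands in the exception text, so check where that message is logged or displayed. Any other caller that relied on the old `null` return now receives an exception instead.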