diff --git a/src/remote/client/interface.cpp b/src/remote/client/interface.cpp
index 195de4bbf7..23b1888848 100644
--- a/src/remote/client/interface.cpp
+++ b/src/remote/client/interface.cpp
@@ -7417,6 +7417,7 @@ static rem_port* analyze(ClntAuthBlock& cBlock, PathName& attach_name, unsigned
 while (true)
 {
 authenticateStep0(cBlock);
+ const NoCaseString savePluginName(cBlock.plugins.name());
 try
 {
@@ -7504,6 +7505,38 @@ static rem_port* analyze(ClntAuthBlock& cBlock, PathName& attach_name, unsigned
 }
 }
+#ifdef TRUSTED_AUTH
+ if (port && !legacySSP)
+ {
+ const PACKET& const packet = port->port_context->rdb_packet;
+ if (port->port_protocol < PROTOCOL_VERSION13 && packet.p_operation == op_accept)
+ {
+ // old server supports legacy SSP only
+ legacySSP = true;
+ }
+ else if (port->port_protocol >= PROTOCOL_VERSION13 && packet.p_operation == op_accept_data)
+ {
+ // more recent server reports if it supports non-legacy SSP
+ legacySSP = !(packet.p_acpd.p_acpt_type & pflag_win_sspi_nego);
+ }
+ else
+ break;
+
+ Auth::setLegacySSP(legacySSP);
+
+ if (legacySSP && savePluginName == "WIN_SSPI")
+ {
+ // reinitialize Win_SSPI plugin and send new data
+ attach_name = save_attach_name;
+
+ cBlock.plugins.set(savePluginName.c_str());
+
+ disconnect(port, false);
+ continue;
+ }
+ }
+#endif
+
 break;
 }
 catch (const Exception&)
diff --git a/src/remote/protocol.h b/src/remote/protocol.h
index 3ada81ee6c..5a0c9ffdb3 100644
--- a/src/remote/protocol.h
+++ b/src/remote/protocol.h
@@ -141,7 +141,8 @@ const USHORT ptype_lazy_send = 5; // Deferred packets delivery
 const USHORT ptype_MASK = 0xFF; // Mask - up to 255 types of protocol
 //
 // upper byte is used for protocol flags
-const USHORT pflag_compress = 0x100; // Turn on compression if possible
+const USHORT pflag_compress = 0x100; // Turn on compression if possible
+const USHORT pflag_win_sspi_nego = 0x200; // Win_SSPI supports Negotiate security package
 // Generic object id
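Review bot: In src/remote/client/interface.cpp, the fallback to legacy SSP inside the added `#ifdef TRUSTED_AUTH` block is decided entirely from the server's accept packet (`port_protocol < PROTOCOL_VERSION13`, or `pflag_win_sspi_nego` missing from `p_acpt_type`), which the client reads before authentication has completed, so whoever can answer or alter that packet chooses the package the client uses. Nothing in the hunk lets a deployment refuse the downgrade; I would gate both `legacySSP = true` paths behind a client-side setting, log when the fallback is taken, and at minimum add `// NOTE: decided from unauthenticated accept data; a peer can force legacy SSP`. `Auth::setLegacySSP(legacySSP)` looks like a process-wide switch (its definition is outside this diff), so one old server may change the behaviour of every later connection in the process, which is worth confirming. Separately, `const PACKET& const packet` applies `const` to a reference, which conforming compilers reject; `const PACKET& packet = port->port_context->rdb_packet;` is enough. The enclosing loop in `analyze` starts and ends outside the hunk.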
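Review bot: The comment on `pflag_win_sspi_nego` in src/remote/protocol.h does not say who sets the flag or what its absence means, although the client code in this same commit treats a missing flag as "use legacy SSP". I would document that contract at the definition, e.g. `// Set by server in op_accept_data: its Win_SSPI accepts Negotiate; absent => client falls back to legacy SSP`. It is also worth stating there that the bit is read before authentication completes, so it is a hint and not a guarantee.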
diff --git a/src/remote/server/server.cpp b/src/remote/server/server.cpp
index fe48fed63c..01484fb9ee 100644
--- a/src/remote/server/server.cpp
+++ b/src/remote/server/server.cpp
@@ -1985,6 +1985,9 @@ static bool accept_connection(rem_port* port, P_CNCT* connect, PACKET* send)
 send->p_acpd.p_acpt_version = port->port_protocol = version;
 send->p_acpd.p_acpt_architecture = architecture;
 send->p_acpd.p_acpt_type = type | (compress ? pflag_compress : 0);
+#ifdef TRUSTED_AUTH
+ send->p_acpd.p_acpt_type |= pflag_win_sspi_nego;
+#endif
 send->p_acpd.p_acpt_authenticated = 0;
 send->p_acpt.p_acpt_version = port->port_protocol = version;
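Review bot: `pflag_win_sspi_nego` is OR-ed into `p_acpt_type` on the compile-time `TRUSTED_AUTH` switch alone, so the bit describes how the server was built and not whether Win_SSPI is enabled in this server's authentication configuration (that lookup, if there is one, is outside the hunk). A short comment would make the intent explicit, e.g. `// advertise Negotiate-capable Win_SSPI; clients that do not see this bit fall back to legacy SSP`. Because the client picks the package from this unauthenticated reply, refusing legacy SSP where policy requires it has to be enforced on the server side, and nothing in this hunk does that. The body of `accept_connection` continues outside the hunk.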