diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java b/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java
index 0da06b3a753..37259afa1a9 100644
--- a/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java
@@ -219,8 +219,10 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
         String sniToUse = upstreamTlsContext.getAutoHostSni()
             && !Strings.isNullOrEmpty(endpointHostname)
             ? endpointHostname : upstreamTlsContext.getSni();
-        if (sniToUse.isEmpty() && CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
-          sniToUse = grpcHandler.getAuthority();
+        if (sniToUse.isEmpty()) {
+          if (CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
+            sniToUse = grpcHandler.getAuthority();
+          }
           autoSniSanValidationDoesNotApply = true;
         } else {
           autoSniSanValidationDoesNotApply = false;