diff --git a/xroot_plugins/XrdSsiCtaRequestMessage.cpp b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
index e4c4da5161d17d71d90d5f9c62dd48165816777b..e5d710b0535689f392788ae541cc0d0c04d2434a 100644
--- a/xroot_plugins/XrdSsiCtaRequestMessage.cpp
+++ b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
@@ -72,9 +72,9 @@ void RequestMessage::process(const cta::xrd::Request &request, cta::xrd::Respons
 
       case Request::kAdmincmd: {
         
-         // Validate that the Kerberos user is an authorized CTA Admin user
-         if(m_protocol != Protocol::KRB5) {
-            throw cta::exception::UserError("[ERROR] Admin commands must be authenticated using the Kerberos 5 protocol.");
+         // Check that the user is authorized
+         if(!(m_protocol == Protocol::KRB5 || m_protocol == Protocol::SSS)) {
+            throw cta::exception::UserError("[ERROR] Admin commands must be authenticated using Kerberos 5 or SSS");
          }
          m_scheduler.authorizeAdmin(m_cliIdentity, m_lc);
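Review bot: Admitting `Protocol::SSS` at the `kAdmincmd` gate means `m_scheduler.authorizeAdmin(m_cliIdentity, m_lc)` may now authorize a name vouched for by a shared key rather than by a per-user Kerberos ticket. With XRootD SSS the client name is either bound to the key or, depending on keytab options, supplied by whoever holds the key. How `m_cliIdentity` is populated for SSS is outside this hunk (and `process()` continues past it), so confirm that it carries the key-bound name and that SSS keys able to reach this path are restricted to dedicated service accounts. The new comment also calls the branch an authorization check when it actually tests the authentication protocol; something like `// Admin commands need an authenticated identity: Kerberos 5 (per-user) or SSS (shared key, service accounts only); authorization happens in authorizeAdmin()` would keep that distinction. Recording `m_protocol` in the log context before `authorizeAdmin` would let audits tell SSS-authenticated admin actions from Kerberos ones.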