diff --git a/src/unix/kerberos_gss.cc b/src/unix/kerberos_gss.cc
index ddcf39b5..14668be6 100644
--- a/src/unix/kerberos_gss.cc
+++ b/src/unix/kerberos_gss.cc
@@ -468,7 +468,7 @@ gss_result authenticate_gss_client_wrap(gss_client_state* state,
         input_token.length = len;
     }
 
-    if (user) {
+    if (user && *user) {
         // get bufsize
         // server_conf_flags = ((char*) input_token.value)[0];
         ((char*)input_token.value)[0] = 0;
diff --git a/test/kerberos_tests.js b/test/kerberos_tests.js
index 4be9de67..0cc118b8 100644
--- a/test/kerberos_tests.js
+++ b/test/kerberos_tests.js
@@ -168,5 +168,24 @@ describe('Kerberos', function () {
         });
       });
     });
+
+    describe('options.user', function () {
+      context('valid values for `user`', function () {
+        test('no options provided', async function () {
+          const rs = await client.wrap('x'.repeat(100));
+          expect(rs).length.to.be.greaterThan(100);
+        });
+
+        test('options provided (user omitted)', async function () {
+          const rs = await client.wrap('x'.repeat(100), {});
+          expect(rs).length.to.be.greaterThan(100);
+        });
+
+        test('options provided (user set)', async function () {
+          const rs = await client.wrap('x'.repeat(100), { user: 'foo' });
+          expect(rs).length.to.be.lessThan(100);
+        });
+      });
+    });
   });
 });