diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc index e9e4b2c44..9e1cccd72 100644 --- a/src/libstore/filetransfer.cc +++ b/src/libstore/filetransfer.cc @@ -322,7 +322,7 @@ struct curlFileTransfer : public FileTransfer curl_easy_setopt(req, CURLOPT_PIPEWAIT, 1); #endif #if LIBCURL_VERSION_NUM >= 0x072f00 - if (fileTransferSettings.enableHttp2) + if (fileTransferSettings.enableHttp2 && !request.negotiate) curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2TLS); else curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); @@ -359,6 +359,12 @@ struct curlFileTransfer : public FileTransfer curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0); } + if (request.negotiate) { + curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_NEGOTIATE); + curl_easy_setopt(req, CURLOPT_USERNAME, ""); + curl_easy_setopt(req, CURLOPT_PASSWORD, ""); + } + curl_easy_setopt(req, CURLOPT_CONNECTTIMEOUT, fileTransferSettings.connectTimeout.get()); curl_easy_setopt(req, CURLOPT_LOW_SPEED_LIMIT, 1L); diff --git a/src/libstore/filetransfer.hh b/src/libstore/filetransfer.hh index d836ab2c4..a30e89e28 100644 --- a/src/libstore/filetransfer.hh +++ b/src/libstore/filetransfer.hh @@ -64,6 +64,7 @@ struct FileTransferRequest std::string expectedETag; bool verifyTLS = true; bool head = false; + bool negotiate = false; size_t tries = fileTransferSettings.tries; unsigned int baseRetryTimeMs = 250; ActivityId parentAct; diff --git a/src/libstore/http-binary-cache-store.cc b/src/libstore/http-binary-cache-store.cc index fc7ac2dea..6096ac216 100644 --- a/src/libstore/http-binary-cache-store.cc +++ b/src/libstore/http-binary-cache-store.cc 
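Review bot: The new `!request.negotiate` term in the `CURLOPT_HTTP_VERSION` condition pins Negotiate requests to HTTP/1.1 without saying why, so a later cleanup could drop it. A one-line comment above the `if` would help, for example `// Negotiate (SPNEGO) is tied to the connection and is not reliably supported over multiplexed HTTP/2, so stay on HTTP/1.1.`; that rationale is my reading of the change and should be confirmed by the author. The enclosing function starts and ends outside this hunk.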
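Review bot: The `if (request.negotiate)` block turns on `CURLAUTH_NEGOTIATE` whatever the URL scheme or TLS setting is, and the context line just above it belongs to the path that sets `CURLOPT_SSL_VERIFYHOST` to 0. With empty `CURLOPT_USERNAME`/`CURLOPT_PASSWORD`, libcurl takes the credentials from the process's ambient Kerberos ticket cache, so a SPNEGO token could be offered over plain `http://` or to a peer whose certificate was never checked. I would gate the block, e.g. `if (request.negotiate && request.verifyTLS && hasPrefix(request.uri, "https://")) {`, and report an error rather than silently continuing when the gate fails. The result of `curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_NEGOTIATE)` is also ignored; a libcurl built without SPNEGO support should reject the option, and the request would then go out unauthenticated with no hint to the user. The enclosing function continues outside the hunk, so redirect handling is not visible here and should be checked as well.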
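Review bot: `bool negotiate = false;` is added to `FileTransferRequest` without a comment, although it decides whether the request offers the process's Kerberos credentials to the server. A doc comment on the field would make that visible to callers, for example `/// Authenticate with HTTP Negotiate (SPNEGO/Kerberos) using ambient credentials; also disables HTTP/2 for this request.`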
@@ -26,15 +26,13 @@ HttpBinaryCacheStoreConfig::HttpBinaryCacheStoreConfig( cacheUri.pop_back(); } - std::string HttpBinaryCacheStoreConfig::doc() { return - #include "http-binary-cache-store.md" - ; +#include "http-binary-cache-store.md" + ; } - class HttpBinaryCacheStore : public virtual HttpBinaryCacheStoreConfig, public virtual BinaryCacheStore { private: @@ -143,10 +141,12 @@ protected: FileTransferRequest makeRequest(const std::string & path) { - return FileTransferRequest( + auto request = FileTransferRequest( hasPrefix(path, "https://") || hasPrefix(path, "http://") || hasPrefix(path, "file://") ? path : cacheUri + "/" + path); + request.negotiate = negotiate; + return request; } diff --git a/src/libstore/http-binary-cache-store.hh b/src/libstore/http-binary-cache-store.hh index d2fc43210..ea85398ca 100644 --- a/src/libstore/http-binary-cache-store.hh +++ b/src/libstore/http-binary-cache-store.hh @@ -10,6 +10,9 @@ struct HttpBinaryCacheStoreConfig : virtual BinaryCacheStoreConfig Path cacheUri; + const Setting negotiate{this, false, "negotiate", + "Whether to do kerberos negotiate when talking to the http binary cache."}; + const std::string name() override { return "HTTP Binary Cache Store";
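Review bot: In `makeRequest`, `request.negotiate = negotiate;` is applied to every request, including the branch where `path` is already an absolute `https://`, `http://` or `file://` URL and `cacheUri` is not used at all. Such a URL can name a different host than the configured cache (presumably it comes from cache metadata; confirm against the callers), and the client would then attempt Kerberos authentication to that host too. Limiting the flag to requests under the configured cache keeps the credentials on the origin the user opted in for: `request.negotiate = negotiate && hasPrefix(request.uri, cacheUri + "/");`. The trailing slash matters, since a bare prefix test on `cacheUri` would also match a longer host name that merely starts with it.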
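Review bot: The description of the new `negotiate` setting does not say whose credentials are used or which transports are appropriate, which is what an administrator needs to know before enabling it. I would expand it along the lines of `"Whether to authenticate to the HTTP binary cache with HTTP Negotiate (SPNEGO/Kerberos), using the Kerberos ticket cache of the process that performs the download. Only enable this for https:// caches."`. It may also be worth stating that in a daemon setup the process in question is presumably the daemon and not the invoking user; that should be confirmed before it goes into the text.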