diff --git a/rhodecode/config/deployment.ini_tmpl b/rhodecode/config/deployment.ini_tmpl
--- a/rhodecode/config/deployment.ini_tmpl
+++ b/rhodecode/config/deployment.ini_tmpl
@@ -51,6 +51,7 @@ cut_off_limit = 256000
 force_https = false 
 commit_parse_limit = 50
 use_gravatar = true
+container_auth_enabled = false
 
 ####################################
 ###        CELERY CONFIG        ####
diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py
--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -235,12 +235,12 @@ class  AuthUser(object):
     in
     """
 
-    def __init__(self, user_id=None, api_key=None):
+    def __init__(self, user_id=None, api_key=None, username=None):
 
         self.user_id = user_id
         self.api_key = None
 
-        self.username = 'None'
+        self.username = 'None' if username is None else username
         self.name = ''
         self.lastname = ''
         self.email = ''
@@ -253,23 +253,37 @@ class  AuthUser(object):
     def propagate_data(self):
         user_model = UserModel()
         self.anonymous_user = user_model.get_by_username('default', cache=True)
+        is_user_loaded = False
         if self._api_key and self._api_key != self.anonymous_user.api_key:
             #try go get user by api key
             log.debug('Auth User lookup by API KEY %s', self._api_key)
             user_model.fill_data(self, api_key=self._api_key)
-        else:
+            is_user_loaded = True
+        elif self.user_id is not None \
+            and self.user_id != self.anonymous_user.user_id:
             log.debug('Auth User lookup by USER ID %s', self.user_id)
-            if self.user_id is not None \
-                and self.user_id != self.anonymous_user.user_id:
-                user_model.fill_data(self, user_id=self.user_id)
+            user_model.fill_data(self, user_id=self.user_id)
+            is_user_loaded = True
+        elif self.username != 'None':
+            #Removing realm from username
+            self.username = self.username.partition('@')[0]
+
+            log.debug('Auth User lookup by USER NAME %s', self.username)
+            dbuser = user_model.get_by_username(self.username)
+            if dbuser is not None and dbuser.active:
+                for k, v in dbuser.get_dict().items():
+                    setattr(self, k, v)
+                self.set_authenticated()
+                is_user_loaded = True
+
+        if not is_user_loaded:
+            if self.anonymous_user.active is True:
+                user_model.fill_data(self,
+                                     user_id=self.anonymous_user.user_id)
+                #then we set this user is logged in
+                self.is_authenticated = True
             else:
-                if self.anonymous_user.active is True:
-                    user_model.fill_data(self,
-                                         user_id=self.anonymous_user.user_id)
-                    #then we set this user is logged in
-                    self.is_authenticated = True
-                else:
-                    self.is_authenticated = False
+                self.is_authenticated = False
 
         log.debug('Auth User is now %s', self)
         user_model.fill_perms(self)
diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -9,6 +9,9 @@ from pylons.controllers import WSGIContr
 from pylons.controllers.util import redirect
 from pylons.templating import render_mako as render
 
+from paste.deploy.converters import asbool
+from paste.httpheaders import REMOTE_USER
+
 from rhodecode import __version__
 from rhodecode.lib.auth import AuthUser
 from rhodecode.lib.utils import get_repo_slug
@@ -43,8 +46,14 @@ class BaseController(WSGIController):
             # putting this here makes sure that we update permissions each time
             api_key = request.GET.get('api_key')
             user_id = getattr(session.get('rhodecode_user'), 'user_id', None)
-            self.rhodecode_user = c.rhodecode_user = AuthUser(user_id, api_key)
-            self.rhodecode_user.set_authenticated(
+            if asbool(config.get('container_auth_enabled', False)):
+                username = REMOTE_USER(environ)
+            else:
+                username = None
+
+            self.rhodecode_user = c.rhodecode_user = AuthUser(user_id, api_key, username)
+            if not self.rhodecode_user.is_authenticated:
+                self.rhodecode_user.set_authenticated(
                                         getattr(session.get('rhodecode_user'),
                                        'is_authenticated', False))
             session['rhodecode_user'] = self.rhodecode_user
diff --git a/rhodecode/lib/middleware/simplehg.py b/rhodecode/lib/middleware/simplehg.py
--- a/rhodecode/lib/middleware/simplehg.py
+++ b/rhodecode/lib/middleware/simplehg.py
@@ -128,9 +128,12 @@ class SimpleHg(object):
                 #==============================================================
 
                 if self.action in ['pull', 'push']:
-                    username = REMOTE_USER(environ)
+                    #Removing realm from username
+                    username = REMOTE_USER(environ).partition('@')[0]
                     try:
                         user = self.__get_user(username)
+                        if user is None:
+                            return HTTPForbidden()(environ, start_response)
                         self.username = user.username
                     except:
                         log.error(traceback.format_exc())