diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 5f49c952b3b..14bf8b4fdde 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -1006,6 +1006,8 @@ Release 2.8.0 - UNRELEASED
     HADOOP-12780. During atomic rename handle crash when one directory has been
     renamed but not file under it. (Madhumita Chakraborty via cnauroth)
 
+    HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao)
+
 Release 2.7.3 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 9c381814891..a73eda6893a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -397,11 +397,15 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
                     KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
             new EncryptedQueueRefiller());
     authToken = new DelegationTokenAuthenticatedURL.Token();
-    actualUgi =
-        (UserGroupInformation.getCurrentUser().getAuthenticationMethod() ==
-        UserGroupInformation.AuthenticationMethod.PROXY) ? UserGroupInformation
-            .getCurrentUser().getRealUser() : UserGroupInformation
-            .getCurrentUser();
+    UserGroupInformation.AuthenticationMethod authMethod =
+        UserGroupInformation.getCurrentUser().getAuthenticationMethod();
+    if (authMethod == UserGroupInformation.AuthenticationMethod.PROXY) {
+      actualUgi = UserGroupInformation.getCurrentUser().getRealUser();
+    } else if (authMethod == UserGroupInformation.AuthenticationMethod.TOKEN) {
+      actualUgi = UserGroupInformation.getLoginUser();
+    } else {
+      actualUgi =UserGroupInformation.getCurrentUser();
+    }
   }
 
   private static Path extractKMSPath(URI uri) throws MalformedURLException, IOException {