diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
index 5113396c60f..d747f89cbf5 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.authc;
 
 import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.Version;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.component.AbstractComponent;
@@ -224,6 +225,8 @@ public class InternalAuthenticationService extends AbstractComponent implements
         try {
             byte[] bytes = Base64.decode(text);
             StreamInput input = StreamInput.wrap(bytes);
+            Version version = Version.readVersion(input);
+            input.setVersion(version);
             return User.readFrom(input);
         } catch (IOException ioe) {
             throw authenticationError("could not read authenticated user", ioe);
@@ -233,6 +236,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
     static String encodeUser(User user, ESLogger logger) {
         try {
             BytesStreamOutput output = new BytesStreamOutput();
+            Version.writeVersion(Version.CURRENT, output);
             User.writeTo(user, output);
             byte[] bytes = output.bytes().toBytes();
             return Base64.encodeBytes(bytes);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
index 2238f67ed75..c3e832807b3 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
@@ -7,6 +7,8 @@ package org.elasticsearch.shield.authc;
 
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.Version;
+import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.settings.Settings;
@@ -750,6 +752,15 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
         }
     }
 
+    public void testVersionWrittenWithUser() throws Exception {
+        User user = new User("username", "r1", "r2", "r3");
+        String text = InternalAuthenticationService.encodeUser(user, null);
+
+        StreamInput input = StreamInput.wrap(Base64.decode(text));
+        Version version = Version.readVersion(input);
+        assertThat(version, is(Version.CURRENT));
+    }
+
     private static class InternalMessage extends TransportMessage {
     }
 }