diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
index 55916c05e22de..afa04d7cad7d6 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -111,6 +111,10 @@ public function load(array $configs, ContainerBuilder $container)
         $loader->load('security_rememberme.xml');
 
         if ($this->authenticatorManagerEnabled = $config['enable_authenticator_manager']) {
+            if ($config['always_authenticate_before_granting']) {
+                throw new InvalidConfigurationException('The security option "always_authenticate_before_granting" cannot be used when "enable_authenticator_manager" is set to true. If you rely on this behavior, set it to false.');
+            }
+
             $loader->load('security_authenticator.xml');
 
             // The authenticator system no longer has anonymous tokens. This makes sure AccessListener
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
index da09e432a0234..c9328c841df86 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
@@ -505,6 +505,21 @@ public function provideEntryPointRequiredData()
         ];
     }
 
+    public function testAlwaysAuthenticateBeforeGrantingCannotBeTrueWithAuthenticationManager()
+    {
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('The security option "always_authenticate_before_granting" cannot be used when "enable_authenticator_manager" is set to true. If you rely on this behavior, set it to false.');
+
+        $container = $this->getRawContainer();
+        $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
+            'always_authenticate_before_granting' => true,
+            'firewalls' => ['main' => []],
+        ]);
+
+        $container->compile();
+    }
+
     protected function getRawContainer()
     {
         $container = new ContainerBuilder();
diff --git a/src/Symfony/Component/Security/Http/Authentication/NoopAuthenticationManager.php b/src/Symfony/Component/Security/Http/Authentication/NoopAuthenticationManager.php
index 9e75ff9998c01..7be2e221037bd 100644
--- a/src/Symfony/Component/Security/Http/Authentication/NoopAuthenticationManager.php
+++ b/src/Symfony/Component/Security/Http/Authentication/NoopAuthenticationManager.php
@@ -29,5 +29,6 @@ class NoopAuthenticationManager implements AuthenticationManagerInterface
 {
     public function authenticate(TokenInterface $token)
     {
+        return $token;
     }
 }