diff --git a/Documentation/op-guide/authentication.md b/Documentation/op-guide/authentication.md
index b8ab33ff77d..a528a8d04c4 100644
--- a/Documentation/op-guide/authentication.md
+++ b/Documentation/op-guide/authentication.md
@@ -161,4 +161,4 @@ Otherwise, all `etcdctl` commands remain the same. Users and roles can still be
 
 ## Using TLS Common Name
 
-If an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password.
+If an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized.
diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go
index 3b2b74c5ef0..392c486e1e3 100644
--- a/e2e/ctl_v3_auth_test.go
+++ b/e2e/ctl_v3_auth_test.go
@@ -53,6 +53,9 @@ func TestCtlV3AuthEndpointHealth(t *testing.T) {
 	testCtl(t, authTestEndpointHealth, withQuorum())
 }
 func TestCtlV3AuthSnapshot(t *testing.T) { testCtl(t, authTestSnapshot) }
+func TestCtlV3AuthCertCNAndUsername(t *testing.T) {
+	testCtl(t, authTestCertCNAndUsername, withCfg(configClientTLSCertAuth))
+}
 
 func authEnableTest(cx ctlCtx) {
 	if err := authEnable(cx); err != nil {
@@ -560,17 +563,18 @@ func authTestMemberUpdate(cx ctlCtx) {
 }
 
 func authTestCertCN(cx ctlCtx) {
-	if err := ctlV3User(cx, []string{"add", "etcd", "--interactive=false"}, "User etcd created", []string{""}); err != nil {
+	if err := authEnable(cx); err != nil {
 		cx.t.Fatal(err)
 	}
-	if err := spawnWithExpect(append(cx.PrefixArgs(), "role", "add", "test-role"), "Role test-role created"); err != nil {
+
+	cx.user, cx.pass = "root", "root"
+	if err := ctlV3User(cx, []string{"add", "example.com", "--interactive=false"}, "User example.com created", []string{""}); err != nil {
 		cx.t.Fatal(err)
 	}
-	if err := ctlV3User(cx, []string{"grant-role", "etcd", "test-role"}, "Role test-role is granted to user etcd", nil); err != nil {
+	if err := spawnWithExpect(append(cx.PrefixArgs(), "role", "add", "test-role"), "Role test-role created"); err != nil {
 		cx.t.Fatal(err)
 	}
-	cmd := append(cx.PrefixArgs(), "role", "grant-permission", "test-role", "readwrite", "foo")
-	if err := spawnWithExpect(cmd, "Role test-role updated"); err != nil {
+	if err := ctlV3User(cx, []string{"grant-role", "example.com", "test-role"}, "Role test-role is granted to user example.com", nil); err != nil {
 		cx.t.Fatal(err)
 	}
 
@@ -582,13 +586,13 @@ func authTestCertCN(cx ctlCtx) {
 	// try a granted key
 	cx.user, cx.pass = "", ""
 	if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
-		cx.t.Fatal(err)
+		cx.t.Error(err)
 	}
 
 	// try a non granted key
 	cx.user, cx.pass = "", ""
-	if err := ctlV3PutFailPerm(cx, "baz", "bar"); err == nil {
-		cx.t.Fatal(err)
+	if err := ctlV3PutFailPerm(cx, "baz", "bar"); err != nil {
+		cx.t.Error(err)
 	}
 }
 
@@ -960,3 +964,55 @@ func authTestEndpointHealth(cx ctlCtx) {
 		cx.t.Fatalf("endpointStatusTest ctlV3EndpointHealth error (%v)", err)
 	}
 }
+
+func authTestCertCNAndUsername(cx ctlCtx) {
+	if err := authEnable(cx); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	cx.user, cx.pass = "root", "root"
+	authSetupTestUser(cx)
+
+	if err := ctlV3User(cx, []string{"add", "example.com", "--interactive=false"}, "User example.com created", []string{""}); err != nil {
+		cx.t.Fatal(err)
+	}
+	if err := spawnWithExpect(append(cx.PrefixArgs(), "role", "add", "test-role-cn"), "Role test-role-cn created"); err != nil {
+		cx.t.Fatal(err)
+	}
+	if err := ctlV3User(cx, []string{"grant-role", "example.com", "test-role-cn"}, "Role test-role-cn is granted to user example.com", nil); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// grant a new key for CN based user
+	if err := ctlV3RoleGrantPermission(cx, "test-role-cn", grantingPerm{true, true, "hoo", "", false}); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// grant a new key for username based user
+	if err := ctlV3RoleGrantPermission(cx, "test-role", grantingPerm{true, true, "bar", "", false}); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// try a granted key for CN based user
+	cx.user, cx.pass = "", ""
+	if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
+		cx.t.Error(err)
+	}
+
+	// try a granted key for username based user
+	cx.user, cx.pass = "test-user", "pass"
+	if err := ctlV3Put(cx, "bar", "bar", ""); err != nil {
+		cx.t.Error(err)
+	}
+
+	// try a non granted key for both of them
+	cx.user, cx.pass = "", ""
+	if err := ctlV3PutFailPerm(cx, "baz", "bar"); err != nil {
+		cx.t.Error(err)
+	}
+
+	cx.user, cx.pass = "test-user", "pass"
+	if err := ctlV3PutFailPerm(cx, "baz", "bar"); err != nil {
+		cx.t.Error(err)
+	}
+}
diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
index 451d3de4132..1f24f272faa 100644
--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
@@ -686,12 +686,14 @@ func (s *EtcdServer) linearizableReadNotify(ctx context.Context) error {
 }
 
 func (s *EtcdServer) AuthInfoFromCtx(ctx context.Context) (*auth.AuthInfo, error) {
-	if s.Cfg.ClientCertAuthEnabled {
-		authInfo := s.AuthStore().AuthInfoFromTLS(ctx)
-		if authInfo != nil {
-			return authInfo, nil
-		}
+	authInfo, err := s.AuthStore().AuthInfoFromCtx(ctx)
+	if authInfo != nil || err != nil {
+		return authInfo, err
+	}
+	if !s.Cfg.ClientCertAuthEnabled {
+		return nil, nil
 	}
+	authInfo = s.AuthStore().AuthInfoFromTLS(ctx)
+	return authInfo, nil
 
-	return s.AuthStore().AuthInfoFromCtx(ctx)
 }