diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
index 084d6f2ce..f5181d3f9 100644
--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -333,9 +333,7 @@ class AuthProtocol(object):
         http_connect_timeout_cfg = self._conf_get('http_connect_timeout')
         self.http_connect_timeout = (http_connect_timeout_cfg and
                                      int(http_connect_timeout_cfg))
-
-        # Determine the highest api version we can use.
-        self.auth_version = self._choose_api_version()
+        self.auth_version = None
 
     def _assert_valid_memcache_protection_config(self):
         if self._memcache_security_strategy:
@@ -982,6 +980,10 @@ class AuthProtocol(object):
         :raise ServiceError if unable to authenticate token
 
         """
+        # Determine the highest api version we can use.
+        if not self.auth_version:
+            self.auth_version = self._choose_api_version()
+
         if self.auth_version == 'v3.0':
             headers = {'X-Auth-Token': self.get_admin_token(),
                        'X-Subject-Token': safe_quote(user_token)}
diff --git a/tests/test_auth_token_middleware.py b/tests/test_auth_token_middleware.py
index cc730a7cf..17bd2aa9a 100644
--- a/tests/test_auth_token_middleware.py
+++ b/tests/test_auth_token_middleware.py
@@ -542,6 +542,13 @@ class v3FakeHTTPConnection(FakeHTTPConnection):
         self.resp = FakeHTTPResponse(status, body)
 
 
+class RaisingHTTPConnection(FakeHTTPConnection):
+    """ An HTTPConnection that always raises."""
+
+    def request(self, method, path, **kwargs):
+        raise AssertionError("HTTP request was called.")
+
+
 class FakeApp(object):
     """This represents a WSGI app protected by the auth_token middleware."""
     def __init__(self, expected_env=None):
@@ -788,6 +795,14 @@ class DiabloAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest):
 
 class AuthTokenMiddlewareTest(test.NoModule, BaseAuthTokenMiddlewareTest):
 
+    def test_init_does_not_call_http(self):
+        conf = {
+            'auth_host': 'keystone.example.com',
+            'auth_port': 1234
+        }
+        self.set_fake_http(RaisingHTTPConnection)
+        self.set_middleware(conf=conf, fake_http=RaisingHTTPConnection)
+
     def assert_valid_last_url(self, token_id):
         # Default version (v2) has id in the token, override this
         # method for v3 and other versions