diff --git a/management/server/account.go b/management/server/account.go
index 23f03015e..9c6da05bd 100644
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1439,29 +1439,14 @@ func (am *DefaultAccountManager) updateAccountDomainAttributes(account *Account,
 }
 
 // handleExistingUserAccount handles existing User accounts and update its domain attributes.
-//
-// If there is no primary domain account yet, we set the account as primary for the domain. Otherwise,
-// we compare the account's ID with the domain account ID, and if they don't match, we set the account as
-// non-primary account for the domain. We don't merge accounts at this stage, because of cases when a domain
-// was previously unclassified or classified as public so N users that logged int that time, has they own account
-// and peers that shouldn't be lost.
 func (am *DefaultAccountManager) handleExistingUserAccount(
 	existingAcc *Account,
-	domainAcc *Account,
+	primaryDomain bool,
 	claims jwtclaims.AuthorizationClaims,
 ) error {
-	var err error
-
-	if domainAcc != nil && existingAcc.Id != domainAcc.Id {
-		err = am.updateAccountDomainAttributes(existingAcc, claims, false)
-		if err != nil {
-			return err
-		}
-	} else {
-		err = am.updateAccountDomainAttributes(existingAcc, claims, true)
-		if err != nil {
-			return err
-		}
+	err := am.updateAccountDomainAttributes(existingAcc, claims, primaryDomain)
+	if err != nil {
+		return err
 	}
 
 	// we should register the account ID to this user's metadata in our IDP manager
@@ -1795,12 +1780,33 @@ func (am *DefaultAccountManager) getAccountWithAuthorizationClaims(claims jwtcla
 
 	account, err := am.Store.GetAccountByUser(claims.UserId)
 	if err == nil {
-		err = am.handleExistingUserAccount(account, domainAccount, claims)
+		unlockAccount := am.Store.AcquireAccountLock(account.Id)
+		defer unlockAccount()
+		account, err = am.Store.GetAccountByUser(claims.UserId)
+		if err != nil {
+			return nil, err
+		}
+		// If there is no primary domain account yet, we set the account as primary for the domain. Otherwise,
+		// we compare the account's ID with the domain account ID, and if they don't match, we set the account as
+		// non-primary account for the domain. We don't merge accounts at this stage, because of cases when a domain
+		// was previously unclassified or classified as public so N users that logged int that time, has they own account
+		// and peers that shouldn't be lost.
+		primaryDomain := domainAccount == nil || account.Id == domainAccount.Id
+
+		err = am.handleExistingUserAccount(account, primaryDomain, claims)
 		if err != nil {
 			return nil, err
 		}
 		return account, nil
 	} else if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
+		if domainAccount != nil {
+			unlockAccount := am.Store.AcquireAccountLock(domainAccount.Id)
+			defer unlockAccount()
+			domainAccount, err = am.Store.GetAccountByPrivateDomain(claims.Domain)
+			if err != nil {
+				return nil, err
+			}
+		}
 		return am.handleNewUserAccount(domainAccount, claims)
 	} else {
 		// other error