diff --git a/jupyterhub/app.py b/jupyterhub/app.py
index 678a96c4..010f91b8 100644
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -677,6 +677,7 @@ class JupyterHub(Application):
             self.authenticator.normalize_username(name)
             for name in self.authenticator.admin_users
         ]
+        self.authenticator.admin_users = set(admin_users) # force normalization
         for username in admin_users:
             if not self.authenticator.validate_username(username):
                 raise ValueError("username %r is not valid" % username)
@@ -704,6 +705,7 @@ class JupyterHub(Application):
             self.authenticator.normalize_username(name)
             for name in self.authenticator.whitelist
         ]
+        self.authenticator.whitelist = set(whitelist) # force normalization
         for username in whitelist:
             if not self.authenticator.validate_username(username):
                 raise ValueError("username %r is not valid" % username)
@@ -719,24 +721,21 @@ class JupyterHub(Application):
                 new_users.append(user)
                 db.add(user)
 
-        if whitelist:
-            # fill the whitelist with any users loaded from the db,
-            # so we are consistent in both directions.
-            # This lets whitelist be used to set up initial list,
-            # but changes to the whitelist can occur in the database,
-            # and persist across sessions.
-            for user in db.query(orm.User):
-                self.authenticator.whitelist.add(user.name)
+        db.commit()
+
+        # Notify authenticator of all users.
+        # This ensures Auth whitelist is up-to-date with the database.
+        # This lets whitelist be used to set up initial list,
+        # but changes to the whitelist can occur in the database,
+        # and persist across sessions.
+        for user in db.query(orm.User):
+            yield gen.maybe_future(self.authenticator.add_user(user))
+        db.commit() # can add_user touch the db?
 
         # The whitelist set and the users in the db are now the same.
         # From this point on, any user changes should be done simultaneously
         # to the whitelist set and user db, unless the whitelist is empty (all users allowed).
 
-        db.commit()
-        
-        for user in new_users:
-            yield gen.maybe_future(self.authenticator.add_user(user))
-        db.commit()
     
     @gen.coroutine
     def init_spawners(self):
diff --git a/jupyterhub/handlers/base.py b/jupyterhub/handlers/base.py
index b7977ea4..0fad0d63 100644
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -200,6 +200,7 @@ class BaseHandler(RequestHandler):
             self.db.add(u)
             self.db.commit()
             user = self._user_from_orm(u)
+            self.authenticator.add_user(user)
         return user
     
     def clear_login_cookie(self, name=None):
diff --git a/jupyterhub/tests/test_pages.py b/jupyterhub/tests/test_pages.py
index 48085c62..f597944e 100644
--- a/jupyterhub/tests/test_pages.py
+++ b/jupyterhub/tests/test_pages.py
@@ -222,6 +222,16 @@ def test_logout(app):
     assert r.cookies == {}
 
 
+def test_login_no_whitelist_adds_user(app):
+    auth = app.authenticator
+    mock_add_user = mock.Mock()
+    with mock.patch.object(auth, 'add_user', mock_add_user):
+        cookies = app.login_user('jubal')
+
+    user = app.users['jubal']
+    assert mock_add_user.mock_calls == [mock.call(user)]
+
+
 def test_static_files(app):
     base_url = ujoin(public_url(app), app.hub.server.base_url)
     print(base_url)