diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
index c6bcd32e84..caf33a6324 100644
--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
@@ -61,6 +61,15 @@ def test_project_add_and_remove_user_role(self):
 self.tenant_bar['id'])
 self.assertNotIn(self.user_two['id'], user_ids)
+ def test_remove_user_role_not_assigned(self):
+ # Expect failure if attempt to remove a role that was never assigned to
+ # the user.
+ self.assertRaises(exception.RoleNotFound,
+ self.identity_api.remove_role_from_user_and_project,
+ tenant_id=self.tenant_bar['id'],
+ user_id=self.user_two['id'],
+ role_id=self.role_other['id'])
+
 def test_authenticate_bad_user(self):
 self.assertRaises(AssertionError,
 self.identity_api.authenticate,
diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py
index 12833af4b6..5c20b4ea37 100644
--- a/keystone/tests/test_backend_ldap.py
+++ b/keystone/tests/test_backend_ldap.py
@@ -870,6 +870,14 @@ def test_list_projects_for_alternate_domain(self):
 self.skipTest(
 'N/A: LDAP does not support multiple domains')
+ def test_remove_user_role_not_assigned(self):
+ # This raises exception as expected with SQL assignment backend but
+ # not with LDAP (see bug #1242855)
+ self.identity_api.remove_role_from_user_and_project(
+ tenant_id=self.tenant_bar['id'],
+ user_id=self.user_two['id'],
+ role_id=self.role_other['id'])
+
 class LDAPIdentityEnabledEmulation(LDAPIdentity):
 def setUp(self):
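Review bot: In keystone/tests/test_backend.py, the new test_remove_user_role_not_assigned appears to depend on the shared fixtures never granting role_other to user_two on tenant_bar, and nothing in the test states that precondition. If a later fixture change adds such a grant, assertRaises would fail because RoleNotFound is not raised, which reads like a backend regression rather than a fixture change. Stating the dependency in the comment would make that failure easy to diagnose, for example `# Relies on the default fixtures not granting role_other to user_two on tenant_bar.`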
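Review bot: The LDAP override of test_remove_user_role_not_assigned in keystone/tests/test_backend_ldap.py contains no assertion, so it only records that the call does not raise and pins the behaviour from bug #1242855 as a passing test. Per its own comment, the SQL assignment backend raises on this call while LDAP does not, so a caller on LDAP cannot tell a revocation that removed a grant from one that removed nothing, which matters to anything that audits role removal. The comment should say that the override is temporary and which expectation replaces it, for example `# TODO: delete this override once bug #1242855 is fixed so the RoleNotFound expectation in test_backend.py applies to LDAP as well.` That the LDAP test class inherits the test_backend.py test is inferred from the matching method name; the class header is outside the hunk.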