diff --git a/src/core/security/client_auth_filter.c b/src/core/security/client_auth_filter.c
index 332d4259d2843fee3f8cf013339beb83f1859c6f..b0c2bb0aa5852ce777add9e7f1c2fc26a24dfb08 100644
--- a/src/core/security/client_auth_filter.c
+++ b/src/core/security/client_auth_filter.c
@@ -172,7 +172,7 @@ static void send_security_metadata(grpc_exec_ctx *exec_ctx,
     calld->creds = grpc_composite_call_credentials_create(channel_call_creds,
                                                           ctx->creds, NULL);
     if (calld->creds == NULL) {
-      bubble_up_error(exec_ctx, elem, GRPC_STATUS_INVALID_ARGUMENT,
+      bubble_up_error(exec_ctx, elem, GRPC_STATUS_INTERNAL,
                       "Incompatible credentials set on channel and call.");
       return;
     }
@@ -201,7 +201,7 @@ static void on_host_checked(grpc_exec_ctx *exec_ctx, void *user_data,
     char *error_msg;
     gpr_asprintf(&error_msg, "Invalid host %s set in :authority metadata.",
                  grpc_mdstr_as_c_string(calld->host));
-    bubble_up_error(exec_ctx, elem, GRPC_STATUS_INVALID_ARGUMENT, error_msg);
+    bubble_up_error(exec_ctx, elem, GRPC_STATUS_INTERNAL, error_msg);
     gpr_free(error_msg);
   }
 }
diff --git a/src/core/surface/secure_channel_create.c b/src/core/surface/secure_channel_create.c
index cc752227ee796b7f9670fa56a8a1504952cefb9f..82bf2134b9f5928b7c4f13d9a3782c82a7b649b4 100644
--- a/src/core/surface/secure_channel_create.c
+++ b/src/core/surface/secure_channel_create.c
@@ -267,7 +267,7 @@ grpc_channel *grpc_secure_channel_create(grpc_channel_credentials *creds,
     gpr_log(GPR_ERROR, "Cannot set security context in channel args.");
     grpc_exec_ctx_finish(&exec_ctx);
     return grpc_lame_client_channel_create(
-        target, GRPC_STATUS_INVALID_ARGUMENT,
+        target, GRPC_STATUS_INTERNAL,
         "Security connector exists in channel args.");
   }
 
@@ -276,8 +276,7 @@ grpc_channel *grpc_secure_channel_create(grpc_channel_credentials *creds,
       GRPC_SECURITY_OK) {
     grpc_exec_ctx_finish(&exec_ctx);
     return grpc_lame_client_channel_create(
-        target, GRPC_STATUS_INVALID_ARGUMENT,
-        "Failed to create security connector.");
+        target, GRPC_STATUS_INTERNAL, "Failed to create security connector.");
   }
 
   connector_arg = grpc_security_connector_to_arg(&security_connector->base);
diff --git a/test/core/end2end/tests/bad_hostname.c b/test/core/end2end/tests/bad_hostname.c
index 14587389c7cda1c8e5604475a85ecf3e3b2c5946..c9141c0b3c81d3c809bbdfbdd3406f8066e9b05d 100644
--- a/test/core/end2end/tests/bad_hostname.c
+++ b/test/core/end2end/tests/bad_hostname.c
@@ -36,13 +36,13 @@
 #include <stdio.h>
 #include <string.h>
 
-#include "src/core/support/string.h"
 #include <grpc/byte_buffer.h>
 #include <grpc/grpc.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <grpc/support/time.h>
 #include <grpc/support/useful.h>
+#include "src/core/support/string.h"
 #include "test/core/end2end/cq_verifier.h"
 
 enum { TIMEOUT = 200000 };
@@ -152,7 +152,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   cq_expect_completion(cqv, tag(1), 1);
   cq_verify(cqv);
 
-  GPR_ASSERT(status == GRPC_STATUS_INVALID_ARGUMENT);
+  GPR_ASSERT(status == GRPC_STATUS_INTERNAL);
 
   gpr_free(details);
   grpc_metadata_array_destroy(&initial_metadata_recv);