diff --git a/deployment/ipa/ipaservices-baremetal-ansible.yaml b/deployment/ipa/ipaservices-baremetal-ansible.yaml index e7aa753656..27a23e9f28 100644 --- a/deployment/ipa/ipaservices-baremetal-ansible.yaml +++ b/deployment/ipa/ipaservices-baremetal-ansible.yaml @@ -44,6 +44,10 @@ parameters: default: 'FILE:/etc/novajoin/krb5.keytab' description: keytab for the nova/[host fqdn] user on the FreeIPA server. type: string + IdMNovaCredentialCache: + default: '/etc/novajoin/krb5.cache' + description: credential cache for nova/[host fqdn] user + type: string MakeHomeDir: type: boolean description: Configure PAM to create a users home directory if it does not exist. @@ -109,13 +113,13 @@ outputs: tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6} when: {get_param: IdMModifyDNS} environment: - if: - - idm_server_provided - - IPA_HOST: {get_param: [IdMServer, 0]} - IPA_USER: "nova/{{ ansible_facts['fqdn'] }}" - KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab} + map_merge: - IPA_USER: "nova/{{ ansible_facts['fqdn'] }}" KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab} + KRB5CCNAME: {get_param: IdMNovaCredentialCache} + - if: + - idm_server_provided + - IPA_HOST: {get_param: [IdMServer, 0]} - name: enroll the node as an ipa client #NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger when: step|int == 1
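Review bot: The description of `IdMNovaCredentialCache` does not say how the value is consumed or what the file contains. The second hunk exports it as `KRB5CCNAME`, so the file will hold Kerberos tickets for the nova/[host fqdn] principal, and the description should say so, for example `description: Kerberos credential cache (exported as KRB5CCNAME) for the nova/[host fqdn] user; holds live tickets, so keep it readable only by the account that runs these tasks.` The default is a bare path, while the neighbouring keytab default carries the `FILE:` type prefix. Writing `default: 'FILE:/etc/novajoin/krb5.cache'` would keep the two consistent; a bare path is presumably treated as a file cache anyway.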
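Review bot: The `if` nested in `map_merge` has only a condition and a true value, with no else branch. As far as I know Heat accepts this two-argument form only from the template version that made the third argument optional, and the `heat_template_version` line is outside this hunk, so it should be confirmed. Adding an explicit empty map as the else value, `- {}`, would remove that dependency. Separately, `KRB5CCNAME` now points every task using this environment at one fixed on-disk cache, so tickets for the nova/[host fqdn] principal remain in that file after the run. Nothing in the hunk sets the file's ownership or mode or removes it, so check that the tasks outside this hunk do.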