diff --git a/roles/ipaserver/library/ipaserver_set_ds_password.py b/roles/ipaserver/library/ipaserver_set_ds_password.py
index f339fbc48ffe1c918b6d56908d2af715b8b40bb7..2dd9a7839785ecb6f9b1e5d3d285833efab1e98f 100644
--- a/roles/ipaserver/library/ipaserver_set_ds_password.py
+++ b/roles/ipaserver/library/ipaserver_set_ds_password.py
@@ -131,7 +131,8 @@ from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
     check_imports,
     MAX_DOMAIN_LEVEL, AnsibleModuleLog, options, sysrestore, paths,
-    api_Backend_ldap2, ds_init_info, redirect_stdout, setup_logging
+    api_Backend_ldap2, ds_init_info, redirect_stdout, setup_logging,
+    krbinstance, service
 )
 
 
@@ -221,6 +222,16 @@ def main():
     with redirect_stdout(ansible_log):
         ds.change_admin_password(options.admin_password)
 
+    # Force KDC to refresh the cached value of ipaKrbAuthzData by restarting.
+    # ipaKrbAuthzData has to be set with "MS-PAC" to trigger PAC generation,
+    # which is required to handle S4U2Proxy with the Bronze-Bit fix.
+    # Not doing so would cause API malfunction for around a minute, which is
+    # long enough to cause the hereafter client installation to fail.
+    krb = krbinstance.KrbInstance(fstore)
+    krb.set_output(ansible_log)
+    service.print_msg("Restarting the KDC")
+    krb.restart()
+
     # done ##########################################################
 
     ansible_module.exit_json(changed=True)
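Review bot: The KDC restart added near the end of main() runs outside the `with redirect_stdout(ansible_log):` block that guards the preceding `ds.change_admin_password(...)` call. Anything `service.print_msg` or `krb.restart()` writes to stdout may therefore land ahead of the module's JSON result. Consider putting the new calls under the same guard, i.e. `with redirect_stdout(ansible_log):` followed by the indented `krb.restart()`, and replacing `print_msg` with a log entry if it turns out to write to stdout directly. A failed restart also appears to propagate as an uncaught exception after the DS password has already been changed, so catching it and reporting through `ansible_module.fail_json(msg=...)` would tell the operator that the KDC may be down. main() begins before this hunk and `fstore` is defined outside it, so its state at this point cannot be confirmed from here.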