diff --git a/library/ipajoin.py b/library/ipajoin.py
index efb72ddafc0e4b0d44cf5acc8239e48cf009e5c3..1ae9ff1a1df1c8cb34d2723060be5acf613cbf83 100644
--- a/library/ipajoin.py
+++ b/library/ipajoin.py
@@ -231,7 +231,7 @@ def main():
 
     options.ca_cert_file = ca_cert_file
     options.unattended = True
-    options.principal = principal
+    options.principal = principal if principal != "" else None
     options.force = False
     options.password = password
 
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 2d148c36ea883bb01671d472f6d12c1e673e0840..9380c3dc0c7948e875211a641058398274b0de5f 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -55,7 +55,7 @@
 
 - name: Install - Check if one of password and keytab are set
   fail: msg="At least one of password or keytab must be specified"
-  when: ipaclient_password is undefined and ipaclient_keytab is undefined
+  when: ipaclient_password is undefined and ipaclient_keytab is undefined or ipaclient_password == "" or ipaclient_keytab == ""
 
 - name: Install - Join IPA
   ipajoin:
@@ -66,7 +66,7 @@
     basedn: "{{ ipadiscovery.basedn }}"
     hostname: "{{ ipadiscovery.hostname }}"
     force_join: "{{ ipaclient_force_join | default(omit) }}"
-    principal: "{{ ipaclient_principal | default(omit) }}"
+    principal: "{{ ipaclient_principal if not ipaclient_use_otp | bool else '' }}"
     password: "{{ ipaclient_password | default(omit) }}"
     keytab: "{{ ipaclient_keytab | default(omit) }}"
     #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"