diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index f57b02854dfc1d2d7582db7ee591f189c01a8a62..20be7648571e7f6949d2d47c102d40c6d9e456fc 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -55,6 +55,9 @@
   # If a keytab is specified in the hostent, then the hostent will be disabled
   # if ipaclient_use_otp is set.
   - block:
+    - fail: msg="Keytab or password is required for otp"
+      when: ipaadmin_keytab is undefined and ipaadmin_password is undefined
+
     - name: Install - Get a One-Time Password for client enrollment
       no_log: yes
       ipahost: