diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index 795bab5630..edb1bc022d 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -76,6 +76,15 @@
 tags:
 - krb5
 - ipa/server
+ - config
+ - name: Make IPA HTTP use the id.fp.o client keytab
+ lineinfile: dest=/etc/httpd/conf.d/ipa.conf
+ regexp='GssapiCredStore client_keytab:'
+ line=' GssapiCredStore client_keytab:/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab'
+ tags:
+ - krb5
+ - ipa/server
+ - config
 - name: do base role once more to revert any resolvconf changes
 hosts: ipa:ipa-stg
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index fa89da9813..77821b77cf 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -230,3 +230,21 @@
 register: grant_repl_status_output
 changed_when: "'Type or value exists' not in grant_repl_status_output.stderr"
 failed_when: "'Type or value exists' not in grant_repl_status_output.stderr and 'modifying entry' not in grant_repl_status_output.stdout"
+
+# Make some httpd changes
+- name: Configure referer override
+ template: src=referer-override.conf
+ dest=/etc/httpd/conf.d/referer-override.conf
+ notify:
+ - reload apache
+ tags:
+ - ipa/server
+ - config
+
+- name: Update xmlrpc_uri
+ lineinfile: dest=/etc/ipa/default.conf
+ regexp='xmlrpc_uri ='
+ line='xmlrpc_uri = https://id{{env_suffix}}.fedoraproject.org/ipa/xml'
+ tags:
+ - ipa/server
+ - config
diff --git a/roles/ipa/server/templates/referer-override.conf b/roles/ipa/server/templates/referer-override.conf
new file mode 100644
index 0000000000..fc05a48e03
--- /dev/null
+++ b/roles/ipa/server/templates/referer-override.conf
@@ -0,0 +1,2 @@
+SetEnvIf Referer "https://id{{env_suffix}}.fedoraproject.org/ipa" HAVE_CORRECT_REFERER
+RequestHeader set Referer "https://{{inventory_hostname}}/ipa" env=HAVE_CORRECT_REFERER
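Review bot: In `playbooks/groups/ipa.yml` the new `Make IPA HTTP use the id.fp.o client keytab` task uses `lineinfile` without `backrefs`, so when the regexp finds no match the line is appended at the end of `/etc/httpd/conf.d/ipa.conf`, outside whatever block currently holds the directive. Using `backrefs=yes` with an anchored pattern such as `regexp='^\s*GssapiCredStore client_keytab:'` makes the task rewrite only an existing directive. Nothing in the visible lines reloads httpd after the edit, so the new keytab path may not take effect until the next restart; notify a handler if one is available in this play. Whether another task installs the keytab with restrictive ownership and mode is not visible here, and a short comment naming the principal it holds would help. The play this task belongs to begins outside the hunk.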
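Review bot: In `roles/ipa/server/tasks/main.yml` the `Configure referer override` task sets no `owner`, `group` or `mode`, so the permissions of `/etc/httpd/conf.d/referer-override.conf` depend on the umask in effect; add `owner=root group=root mode=0644` to the `template:` arguments. In `Update xmlrpc_uri` the pattern `xmlrpc_uri =` is unanchored and would also match a commented-out line, so `regexp='^xmlrpc_uri\s*='` is safer. The comment `# Make some httpd changes` could instead say what the two tasks are for, for example `# Let the server be reached as id.fp.o: rewrite the Referer and point xmlrpc_uri at that name`.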
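Review bot: In `roles/ipa/server/templates/referer-override.conf` the `SetEnvIf Referer` pattern is a regular expression that is neither anchored nor escaped, so a Referer that merely contains a matching substring sets `HAVE_CORRECT_REFERER` and is rewritten to the host-local value. The rewrite presumably exists to satisfy the IPA server's Referer check, so a loose match weakens that check for requests that did not come from the intended origin. Anchor the pattern and escape the dots, e.g. `SetEnvIf Referer "^https://id{{ env_suffix | regex_escape }}\.fedoraproject\.org/ipa" HAVE_CORRECT_REFERER`. A one-line comment at the top of the template stating why the header is rewritten would help the next maintainer.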