diff --git a/inventory/group_vars/buildarm b/inventory/group_vars/buildarm
index a301a99860..58fa54060f 100644
--- a/inventory/group_vars/buildarm
+++ b/inventory/group_vars/buildarm
@@ -3,7 +3,7 @@ fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 ansible_ifcfg_blacklist: true
-krb_builder: False
+krb_builder: True
 koji_server_url: "http://koji.fedoraproject.org/kojihub"
 koji_weburl: "http:/koji.fedoraproject.org/koji"
diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index a1d30e30f7..15bf106502 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -42,6 +42,29 @@
 roles:
 - ipa/server
+ - role: keytab/service
+ owner_user: apache
+ owner_group: apache
+ service: HTTP
+ host: "id.stg.fedoraproject.org"
+ when: env == "staging"
+ - role: keytab/service
+ owner_user: apache
+ owner_group: apache
+ service: HTTP
+ host: "id.fedoraproject.org"
+ when: env == "production"
+
+ tasks:
+ - name: Make symlink for keytab
+ file: state=link path=/etc/httpd/conf/ipa.keytab force=yes
+ src="/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab"
+ notify:
+ - reload httpd
+ tags:
+ - ipa/server
+ - krb5
+ when: env == "staging"
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 558f5f4146..a45c74d3c8 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -174,6 +174,14 @@
 proxyurl: http://localhost:10053
 when: env == "staging"
+ - role: httpd/reverseproxy
+ website: id.stg.fedoraproject.org
+ destname: 00-ipa
+ remotepath: /ipa
+ localpath: /ipa
+ proxyurl: http://localhost:10053
+ when: env == "staging"
+
 - role: httpd/reverseproxy
 website: id.fedoraproject.org
 destname: id
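Review bot: `krb_builder: True` uses Python-style capitalisation while the neighbouring `ansible_ifcfg_blacklist: true` in the same group_vars uses the canonical lowercase form; YAML 1.1 loaders accept both, but the file is now inconsistent and yamllint's truthy rule will flag the new line. Change it to `krb_builder: true`.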
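Review bot: The symlink task points `/etc/httpd/conf/ipa.keytab` at the new `HTTP/id{{env_suffix}}.fedoraproject.org` keytab with `force=yes`, which discards whatever was at that path; on a FreeIPA server that path is, as far as I know, the keytab httpd uses for the server's own `HTTP/<fqdn>` principal, so unless `keytab/service` writes both keys into the new file, GSSAPI authentication against the IPA server under its real hostname loses its key (the role's internals are not in this diff, so confirm). Safer is to merge the new key into the existing keytab (`ktutil` rkt/wkt into `/etc/httpd/conf/ipa.keytab`) or to add the public name as a principal alias of the existing HTTP service, and at minimum to back the original file up before forcing the link. The `keytab/service` role also runs for `env == "production"` while the symlink task is gated to staging only, and the other files in this series select production with `env != "staging"`; if the production keytab is a deliberate staged rollout, record that in a comment on the task. Stylistically the module args belong in block YAML (`file:` / `state: link` / `path: /etc/httpd/conf/ipa.keytab` / `src: ...` / `force: true`) rather than a `key=value` string split across two lines.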
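Review bot: Proxying `/ipa` wholesale on `id.stg.fedoraproject.org` publishes the entire FreeIPA HTTP surface through the public proxy, not just the web UI — the JSON-RPC/XML-RPC endpoints, session handling and everything else under `/ipa` on the haproxy `ipa` backend become reachable from the internet, and nothing in this hunk narrows it. If the web UI is what is wanted, restrict `remotepath`/`localpath` to the paths it actually needs (for example `/ipa/ui` and `/ipa/session`), or add a comment recording that exposing the full API is intentional. The hop to `http://localhost:10053` is cleartext on loopback and is only acceptable because haproxy re-encrypts towards the IPA servers with `ssl verify required`; the haproxy hunk in this series shows that for the non-staging `ipa02` line only, so confirm the staging backend line carries the same verification.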
@@ -188,6 +196,14 @@
 proxyurl: http://localhost:10053
 when: env != "staging"
+ - role: httpd/reverseproxy
+ website: id.fedoraproject.org
+ destname: 00-ipa
+ remotepath: /ipa
+ localpath: /ipa
+ proxyurl: http://localhost:10053
+ when: env != "staging"
+
 - role: httpd/reverseproxy
 website: apps.fedoraproject.org
 destname: datagrepper
diff --git a/roles/base/templates/krb5.conf.master.j2 b/roles/base/templates/krb5.conf.master.j2
index a6d5219bd8..65f022748e 100644
--- a/roles/base/templates/krb5.conf.master.j2
+++ b/roles/base/templates/krb5.conf.master.j2
@@ -16,6 +16,10 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
+{% if env == "staging"
+ dns_canonicalize_hostname = false
+ rdns = false
+{% endif %}
 [realms]
 {% if env == "production" %}
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2
index 7ce14dfc2a..752d30522e 100644
--- a/roles/fas_server/templates/fas.cfg.j2
+++ b/roles/fas_server/templates/fas.cfg.j2
@@ -62,13 +62,14 @@ tgcaptcha2.jpeg_generator = 'vanasco_dowty'
 ###
 ipa_sync_enabled = True
 ipa_sync_keytab = '/etc/fas_sync_keytab'
-ipa_sync_certfile = '/etc/fas_sync_cert.pem'
 {% if env == "staging" %}
 ipa_sync_principal = 'fas_sync@STG.FEDORAPROJECT.ORG'
-ipa_sync_server = 'ipa01.stg.phx2.fedoraproject.org'
+ipa_sync_server = 'id.stg.phx2.fedoraproject.org'
+ipa_sync_certfile = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
 {% else %}
 ipa_sync_principal = 'fas_sync@FEDORAPROJECT.ORG'
 ipa_sync_server = 'ipa01.phx2.fedoraproject.org'
+ipa_sync_certfile = '/etc/fas_sync_cert.pem'
 {% endif %}
 ###
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 772859b6b6..56c88afa1f 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
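Review bot: `destname: 00-ipa` relies on the lexical order of the generated proxy configs so that the `/ipa` rule is evaluated before whatever the `id` config does for the same vhost, but nothing records that dependency, so a future rename of the file would silently change routing. Add a comment on the role entry such as `# 00- prefix: this /ipa rule must load before the 'id' config for the same vhost`. This hunk selects production with `when: env != "staging"` whereas the matching keytab in playbooks/groups/ipa.yml uses `when: env == "production"`; pick one form so a third environment cannot receive the proxy route without the keytab.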
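Review bot: The new `{% if env == "staging"` line has no closing `%}` as shown in this hunk, while the `{% endif %}` and the pre-existing `{% if env == "production" %}` are intact; Jinja2 rejects an unterminated block tag, and because this is the base role's krb5.conf template that would fail the run on every host. Fix it to `{% if env == "staging" %}`. Turning off `dns_canonicalize_hostname` and `rdns` is a sound hardening, since it stops DNS answers from steering which service principal a client asks a ticket for, so a one-line comment explaining why it is staging-only is worth adding, e.g. `# staging only for now: do not let forward/reverse DNS rewrite the requested service principal`.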
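Review bot: Staging's `ipa_sync_certfile` moves from the pinned `/etc/fas_sync_cert.pem` to the whole system CA bundle, so any CA in `tls-ca-bundle.pem` can now issue a certificate the FAS-to-IPA sync will accept for `id.stg.phx2.fedoraproject.org`; that is acceptable if the endpoint presents a publicly trusted certificate, but it is a widening of trust relative to production, which keeps the pinned file, and deserves a comment next to the staging branch saying why. If `id.stg.phx2` is instead served by the internal haproxy/IPA certificate, the bundle must actually contain that CA or the sync fails closed. Separately, with `dns_canonicalize_hostname = false` now set for staging in krb5.conf, the client will request a ticket for `HTTP/id.stg.phx2.fedoraproject.org` literally, while the keytab provisioned in playbooks/groups/ipa.yml is for `HTTP/id.stg.fedoraproject.org`; confirm that principal (or an alias for it) exists on the KDC.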
@@ -332,7 +332,7 @@ listen ipa 0.0.0.0:10053
 {% if env != "staging" %}
 server ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
 {% endif %}
- option httpchk GET /
+ option httpchk GET /ipa/ui/
 listen krb5 0.0.0.0:1088
 mode tcp
diff --git a/roles/ipa/server/files/ipa-rewrite.conf b/roles/ipa/server/files/ipa-rewrite.conf
new file mode 100644
index 0000000000..12722ee807
--- /dev/null
+++ b/roles/ipa/server/files/ipa-rewrite.conf
@@ -0,0 +1 @@
+# VERSION 6 - DO NOT REMOVE THIS LINE
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 87cdaf05fa..fa89da9813 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -121,6 +121,14 @@
 - config
 when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+- name: Disable rewrites
+ copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf
+ notify:
+ - reload httpd
+ tags:
+ - ipa/server
+ - config
+
 - name: Deploy configuration script
 copy: src=configure-ipa.sh dest=/root/configure-ipa.sh mode=0700 owner=root group=root
 register: config_deployed
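Review bot: `option httpchk GET /ipa/ui/` sends an HTTP/1.0 request with no Host header and, with haproxy's defaults, any 2xx or 3xx answer marks the server up; IPA's httpd may answer such a request with a redirect rather than the UI (the stock ipa-rewrite.conf did exactly that for a non-canonical host), so the check can pass while the UI itself is broken. Add `http-check expect status 200` after the new line so only a real UI response counts as healthy, and if the IPA vhost needs it send a proper Host header with `option httpchk GET /ipa/ui/ HTTP/1.1\r\nHost:\ <backend fqdn>`. The `listen ipa` block begins above this hunk.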
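Review bot: Reducing ipa-rewrite.conf to the `# VERSION 6` marker removes every rule in the file, and if the file on these hosts matches the upstream FreeIPA version-6 template that is more than the FQDN-enforcing redirect this series wants gone: it also carries the `/` to `/ipa/ui` redirect, the non-443 to https redirect for `/ipa/` paths (excluding `errors|config|crl`), and the `plugins.js` to `/ipa/wsgi/plugins.py` rewrite. Dropping the https redirect means a request that reaches the IPA server's port 80 directly is served in cleartext instead of being bounced, and dropping the plugins rule can break the UI plugin loader. Keep a trimmed copy of the stock file that removes only the hostname rule, and add a comment above it stating why that rule was removed (the service is reached as id{,.stg}.fedoraproject.org rather than the server FQDN).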
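Review bot: The `Disable rewrites` task carries no comment explaining why the `# VERSION 6` marker matters, yet the mechanism hinges on it: as I understand it, `ipa-server-upgrade` regenerates ipa-rewrite.conf when the version line is older than the one it ships, so a FreeIPA update that bumps the number will restore the stock rewrites until the next Ansible run, and this unconditional copy will then revert it again. Document that on the task, e.g. `# ipa-server-upgrade regenerates this file when its VERSION line is older than expected; keep the marker in step with the installed FreeIPA`, and consider asserting the installed FreeIPA still ships version 6 before copying. Prefer block YAML for the module args as well (`copy:` / `src: ipa-rewrite.conf` / `dest: /etc/httpd/conf.d/ipa-rewrite.conf`).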