diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml
index 4970e2ef61..6cbdb567b0 100644
--- a/roles/koji_hub/tasks/main.yml
+++ b/roles/koji_hub/tasks/main.yml
@@ -77,6 +77,20 @@ - config - koji_hub
+#
+# install keytabs
+#
+
+- name: install koji-hub keytab
+ when: env == "staging"
+ copy: src={{ private }}/files/keytabs/{{ env }}/koji-hub dest=/etc/koji-hub/koji-hub.keytab
+ owner=apache group=apache mode=0600
+ notify:
+ - reload httpd
+ tags:
+ - config
+ -koji_hub
+
 # # install production certs and keys #
diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index eb28987754..abe650cd15 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -20,6 +20,13 @@ KojiDir = /mnt/koji MemoryWarnThreshold = 10000 MaxRequestLength = 83886080
+{% if env == "staging" %}
+# Kerb auth
+
+AuthPrincipal = host/koji.stg.fedoraproject.org
+AuthKeytab = /etc/koji-hub/koji-hub.keytab
+
+{% endif %}
 ## SSL client certificate auth configuration ## #note: ssl auth may also require editing the httpd config (conf.d/kojihub.conf)
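Review bot: In roles/koji_hub/tasks/main.yml the last tag of the new "install koji-hub keytab" task is written `-koji_hub`, with no space after the dash, so it is not a sequence entry. Indentation is collapsed in this view, but the likely result is either a YAML error when the role loads or a task that never carries the `koji_hub` tag, in which case a tag-limited run would skip installing the keytab. It should read `- koji_hub`, matching the context lines at the top of the hunk. Separately, because the file is a Kerberos keytab, the `owner=apache group=apache mode=0600` part is what protects it; writing the `copy` arguments as native YAML with `mode: "0600"` would keep the mode a string if the task is later reflowed.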
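Review bot: In roles/koji_hub/templates/hub.conf.j2 the new `AuthPrincipal = host/koji.stg.fedoraproject.org` line has no realm and hard-codes the staging hostname. The hub therefore presumably depends on the default realm in the host's krb5 configuration, and the block cannot be reused unchanged if the `env == "staging"` guard is later widened. Consider making the realm explicit and templating the hostname, e.g. `AuthPrincipal = host/{{ <hub-fqdn-variable> }}@<REALM>` (both placeholders, to be filled from the inventory). The `# Kerb auth` comment could also say that `/etc/koji-hub/koji-hub.keytab` is installed by the role's tasks/main.yml under the same `env == "staging"` condition, since the two guards must stay in sync or the hub will reference a keytab that was never deployed.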