diff --git a/roles/ipaclient/library/ipaclient_join.py b/roles/ipaclient/library/ipaclient_join.py
index 5b58858d..a11f3f25 100644
--- a/roles/ipaclient/library/ipaclient_join.py
+++ b/roles/ipaclient/library/ipaclient_join.py
@@ -161,8 +161,7 @@ def main():
 kinit_attempts = module.params.get('kinit_attempts')
 debug = module.params.get('debug')
- if password is not None and password != "" and \
- keytab is not None and keytab != "":
+ if password is not None and keytab is not None:
 module.fail_json(msg="Password and keytab cannot be used together")
 client_domain = hostname[hostname.find(".")+1:]
@@ -174,7 +173,7 @@ def main():
 options.ca_cert_file = ca_cert_file
 options.unattended = True
- options.principal = principal if principal != "" else None
+ options.principal = principal
 options.force = False
 options.password = password
@@ -207,7 +206,7 @@ def main():
 env['XMLRPC_TRACE_CURL'] = 'yes'
 if force_join:
 join_args.append("-f")
- if principal:
+ if principal is not None:
 if principal.find('@') == -1:
 principal = '%s@%s' % (principal, realm)
 try:
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 0098af8b..74b3ea14 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -115,7 +115,7 @@
 no_log: yes
 ipaclient_get_otp:
 state: present
- principal: "{{ ipaadmin_principal | default('admin') }}"
+ principal: "{{ ipaadmin_principal | default(omit) }}"
 password: "{{ ipaadmin_password | default(omit) }}"
 keytab: "{{ ipaadmin_keytab | default(omit) }}"
 fqdn: "{{ result_ipaclient_test.hostname }}"
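Review bot: An empty string now counts as a supplied value in all three hunks of ipaclient_join.py, and the third hunk is where it bites: with `if principal is not None:` a caller that still passes `principal: ''` reaches `principal.find('@') == -1` and gets `'%s@%s' % ('', realm)`, a principal with an empty name part, instead of skipping the branch. The first hunk likewise lets `password=''` count as a credential and trip the "cannot be used together" failure when a keytab is set, and the second hunk stores `''` in `options.principal`. If empty values can still arrive from inventories or older playbooks, normalizing once right after the parameters are read keeps the simplified checks safe: `password = password or None`, `keytab = keytab or None`, `principal = principal or None`. main() starts and ends outside these hunks, so whether later code branches on truthiness of these values could not be checked here.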
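Review bot: With `default(omit)` on `principal` in the `ipaclient_get_otp` task (first hunk of install.yml), the former `'admin'` fallback has to come from the module's own argument spec, which is not part of this diff. If the module declares no default for `principal`, a play that sets only `ipaadmin_password` would request the OTP without a principal. Worth confirming the module side, and adding a comment above the argument such as `# principal falls back to the ipaclient_get_otp module default when ipaadmin_principal is unset`.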
@@ -150,14 +150,13 @@
 - name: Install - Check if principal and keytab are set
 fail: msg="Principal and keytab cannot be used together"
- when: ipaadmin_principal is defined and ipaadmin_principal|length > 0
- and ipaclient_keytab is defined and ipaclient_keytab|length > 0
+ when: ipaadmin_principal is defined and ipaclient_keytab is defined
- - name: Install - Check if one of password and keytab are set
- fail: msg="At least one of password or keytab must be specified"
- when: not result_ipaclient_test_keytab.krb5_keytab_ok and
- (ipaadmin_password is undefined or ipaadmin_password|length == 0)
- and (ipaclient_keytab is undefined or ipaclient_keytab|length == 0)
+ - name: Install - Check if one of password or keytabs are set
+ fail: msg="At least one of password or keytabs must be specified"
+ when: not result_ipaclient_test_keytab.krb5_keytab_ok
+ and ipaadmin_password is undefined
+ and ipaclient_keytab is undefined
 when: not ipaclient_on_master | bool
 - name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
@@ -188,7 +187,7 @@
 hostname: "{{ result_ipaclient_test.hostname }}"
 force_join: "{{ ipaclient_force_join | default(omit) }}"
 principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and
- ipaclient_keytab is not defined else '' }}"
+ ipaclient_keytab is not defined else omit }}"
 password: "{{ ipaadmin_password | default(omit) }}"
 keytab: "{{ ipaclient_keytab | default(omit) }}"
 # ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
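Review bot: The rewritten precondition `ipaadmin_password is undefined and ipaclient_keytab is undefined` no longer stops a play in which `ipaadmin_password` is defined but empty, so the join task in the following hunk receives `password: ''` through `default(omit)` instead of failing here with a clear message. The principal/keytab check in the same hunk has the mirror problem: `ipaadmin_principal is defined and ipaclient_keytab is defined` now fires on any definition of `ipaadmin_principal`, including an empty one inherited from shared variables. If empty values should still mean "not set", `default(omit, true)` on the `password` and `keytab` arguments and `ipaadmin_password | default('') | length == 0` in the guard would preserve that. Otherwise a comment above the two checks, e.g. `# empty strings are treated as set; leave the variable undefined to disable it`, would spare inventory authors the surprise.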