diff --git a/contrail/environment/modules/contrail/manifests/config.pp b/contrail/environment/modules/contrail/manifests/config.pp
index a7e68d06..14cb9eda 100644
--- a/contrail/environment/modules/contrail/manifests/config.pp
+++ b/contrail/environment/modules/contrail/manifests/config.pp
@@ -116,6 +116,11 @@
 #     If Rabbitmq is running on a different server, specify its IP address here.
 #     (optional) - Defaults to "".
 #
+# [*openstack_mgmt_ip*]
+#     Management interface address of openstack node (if management and control are separate
+#     interfaces on that node)
+#     (optional) - Defaults to "", meaning use openstack_ip.
+#
 # [*internal_vip*]
 #     Virtual mgmt IP address for openstack modules
 #     (optional) - Defaults to ""
@@ -196,6 +201,7 @@
     $manage_neutron = $::contrail::params::manage_neutron,
     $openstack_manage_amqp = $::contrail::params::openstack_manage_amqp,
     $amqp_server_ip = $::contrail::params::amqp_server_ip,
+    $openstack_mgmt_ip = $::contrail::params::openstack_mgmt_ip_list_to_use[0],
     $internal_vip = $::contrail::params::internal_vip,
     $external_vip = $::contrail::params::external_vip,
     $contrail_internal_vip = $::contrail::params::contrail_internal_vip,
@@ -440,6 +446,13 @@
 	content => template("$module_name/contrail-api.conf.erb"),
     }
     ->
+    file { "/etc/contrail/contrail-keystone-auth.conf" :
+	ensure  => present,
+	require => Package["contrail-openstack-config"],
+	notify =>  Service["supervisor-config"],
+	content => template("$module_name/contrail-keystone-auth.conf.erb"),
+    }
+    ->
     file { "/etc/contrail/contrail-schema.conf" :
 	ensure  => present,
 	require => Package["contrail-openstack-config"],
diff --git a/contrail/environment/modules/contrail/manifests/params.pp b/contrail/environment/modules/contrail/manifests/params.pp
index e02c9172..734862f6 100644
--- a/contrail/environment/modules/contrail/manifests/params.pp
+++ b/contrail/environment/modules/contrail/manifests/params.pp
@@ -453,7 +453,7 @@
     $keystone_admin_tenant = "admin",
     $keystone_service_tenant = "services",
     $keystone_region_name = "RegionOne",
-    $multi_tenancy = false,
+    $multi_tenancy = true,
     $zookeeper_ip_list = undef,
     $quantum_port = "9697",
     $quantum_service_protocol = "http",
diff --git a/contrail/environment/modules/contrail/manifests/provision_contrail.pp b/contrail/environment/modules/contrail/manifests/provision_contrail.pp
index 165786dd..c4a1d7e8 100644
--- a/contrail/environment/modules/contrail/manifests/provision_contrail.pp
+++ b/contrail/environment/modules/contrail/manifests/provision_contrail.pp
@@ -54,7 +54,7 @@
 #     (optional) - Defaults to "".
 #
 class contrail::provision_contrail (
-    $keystone_admin_tenant = $::contrail::params::keystone_admin_tenent,
+    $keystone_admin_tenant = $::contrail::params::keystone_admin_tenant,
     $keystone_admin_user = $::contrail::params::keystone_admin_user,
     $keystone_admin_password = $::contrail::params::keystone_admin_password,
     $encap_priority = $::contrail::params::encap_priority,
diff --git a/contrail/environment/modules/contrail/templates/contrail-keystone-auth.conf.erb b/contrail/environment/modules/contrail/templates/contrail-keystone-auth.conf.erb
new file mode 100644
index 00000000..ab75729e
--- /dev/null
+++ b/contrail/environment/modules/contrail/templates/contrail-keystone-auth.conf.erb
@@ -0,0 +1,16 @@
+[KEYSTONE]
+<% if @keystone_ip != "" -%>
+auth_host=<%= @keystone_ip %>
+<% elsif @internal_vip != "" -%>
+auth_host=<%= @internal_vip %>
+<% else -%>
+auth_host=<%= @openstack_ip %>
+<% end -%>
+auth_protocol=<%= @keystone_auth_protocol %>
+auth_port=<%= @keystone_auth_port %>
+admin_user=<%= @keystone_admin_user %>
+admin_password=<%= @keystone_admin_password %>
+admin_token=<%= @keystone_service_token %>
+admin_tenant_name=<%= @keystone_admin_tenant %>
+insecure=<%= keystone_insecure_flag %>
+<%= memcached_opt %>