diff --git a/lib/service/service.go b/lib/service/service.go
index 250f7f264d1f7..91a3d7f04d0e1 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -6136,11 +6136,7 @@ func warnOnErr(ctx context.Context, err error, log *slog.Logger) {
 func (process *TeleportProcess) initAuthStorage() (backend.Backend, error) {
 ctx := context.TODO()
 bc := process.Config.Auth.StorageConfig
- process.logger.DebugContext(process.ExitContext(), "Initializing auth backend.",
- "backend", process.Config.Auth.StorageConfig.Type,
- "type", bc.Type,
- "params", bc.Params,
- )
+ process.logger.DebugContext(process.ExitContext(), "Initializing auth backend.", "type", bc.Type)
 bk, err := backend.New(ctx, bc.Type, bc.Params)
 if err != nil {
 return nil, trace.Wrap(err)
diff --git a/lib/service/service_test.go b/lib/service/service_test.go
index e1e746b109d62..ec596200d1edc 100644
--- a/lib/service/service_test.go
+++ b/lib/service/service_test.go
@@ -195,7 +195,6 @@ func TestDynamicClientReuse(t *testing.T) {
 cfg.DiagnosticAddr = utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"}
 cfg.SetAuthServerAddress(utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"})
 cfg.Auth.Enabled = true
- // cfg.Auth.StorageConfig.Params[defaults.BackendPath] = filepath.Join(cfg.DataDir, "backend")
 cfg.Auth.ListenAddr = utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"}
 cfg.Auth.SessionRecordingConfig.SetMode(types.RecordOff)
 cfg.Proxy.Enabled = true
diff --git a/lib/service/servicecfg/config.go b/lib/service/servicecfg/config.go
index 3db417e3d83da..9807bba0019b2 100644
--- a/lib/service/servicecfg/config.go
+++ b/lib/service/servicecfg/config.go
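Review bot: The one-line `DebugContext` call in `initAuthStorage` (lib/service/service.go) gives no hint why only `bc.Type` is logged, so a later edit could easily put `bc.Params` back into the log. Backend parameters are a free-form map and, depending on the backend, presumably include connection strings or credential locations that should stay out of debug output. I would add a comment directly above the call, for example `// Log only the backend type: bc.Params may hold connection details or credentials.` The body of `initAuthStorage` continues past the end of the hunk.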
@@ -555,7 +555,6 @@ func ApplyDefaults(cfg *Config) {
 cfg.Auth.Enabled = true
 cfg.Auth.ListenAddr = *defaults.AuthListenAddr()
 cfg.Auth.StorageConfig.Type = lite.GetName()
- cfg.Auth.StorageConfig.Params = backend.Params{defaults.BackendPath: filepath.Join(cfg.DataDir, defaults.BackendDir)}
 cfg.Auth.StaticTokens = types.DefaultStaticTokens()
 cfg.Auth.AuditConfig = types.DefaultClusterAuditConfig()
 cfg.Auth.NetworkingConfig = types.DefaultClusterNetworkingConfig()
@@ -657,6 +656,15 @@ func ValidateConfig(cfg *Config) error {
 return trace.BadParameter("config: please supply data directory")
 }
 
+ if cfg.Auth.Enabled {
+ if cfg.Auth.StorageConfig.Params.GetString(defaults.BackendPath) == "" {
+ if cfg.Auth.StorageConfig.Params == nil {
+ cfg.Auth.StorageConfig.Params = make(backend.Params)
+ }
+ cfg.Auth.StorageConfig.Params[defaults.BackendPath] = filepath.Join(cfg.DataDir, defaults.BackendDir)
+ }
+ }
+
 for i := range cfg.Auth.Authorities {
 if err := services.ValidateCertAuthority(cfg.Auth.Authorities[i]); err != nil {
 return trace.Wrap(err)
@@ -671,16 +679,6 @@ func ValidateConfig(cfg *Config) error {
 
 cfg.SSH.Namespace = types.ProcessNamespace(cfg.SSH.Namespace)
 
- // If we've overridden the process's data dir, but left auth's backend
- // pointing at the default data dir this is probably a test that forgot
- // to customize the auth storage config. Fix it.
- if cfg.Auth.Enabled && cfg.Auth.StorageConfig.Type == lite.GetName() {
- storagePath := cfg.Auth.StorageConfig.Params.GetString(defaults.BackendPath)
- if storagePath == filepath.Join(defaults.DataDir, defaults.BackendDir) && cfg.DataDir != defaults.DataDir {
- cfg.Auth.StorageConfig.Params[defaults.BackendPath] = filepath.Join(cfg.DataDir, defaults.BackendDir)
- }
- }
-
 return nil
 }
 
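Review bot: The defaulting block added to `ValidateConfig` (hunk at -657) fills `defaults.BackendPath` for every storage type, whereas the fallback removed at -671 applied only when `cfg.Auth.StorageConfig.Type == lite.GetName()`. If only the lite backend should get a path under the data directory, the outer condition could read `if cfg.Auth.Enabled && cfg.Auth.StorageConfig.Type == lite.GetName() {`; if every backend is meant to receive it, a one-line comment saying so would prevent the guard from being re-added. Because `ApplyDefaults` (hunk at -555) no longer sets `Params`, the auth storage location now exists only after `ValidateConfig` has run, so the validator mutates the config and any caller that skips it sees nil `Params`; that contract belongs in the function's doc comment. `ValidateConfig` starts before and ends after this hunk, so callers and the doc comment are not visible here.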