diff --git a/files/kcadm-wrapper.sh b/files/kcadm-wrapper.sh
new file mode 100644
index 00000000..d8d8acbf
--- /dev/null
+++ b/files/kcadm-wrapper.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# shellcheck source=/dev/null
+. /opt/keycloak/conf/kcadm-wrapper.conf
+
+EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" 2>/dev/null || echo "0")
+NOW=$(/usr/bin/date +%s%3N)
+
+if [ ! -f "$CONFIG" ] || [ "$EXPIRES" -lt "$NOW" ]; then
+ ${KCADM} config credentials --config "$CONFIG" --server "$SERVER" --realm "$REALM" --user "$ADMIN_USER" --password "$PASSWORD"
+fi
+
+${KCADM} "$@" --config "$CONFIG"
diff --git a/manifests/config.pp b/manifests/config.pp
index 4a3d66d1..de09dc95 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -9,18 +9,33 @@ } } - # Template uses: - # - $keycloak::install_base - # - $keycloak::admin_user - # - $keycloak::admin_user_password + $wrapper_conf = { + 'KCADM' => "${keycloak::install_base}/bin/kcadm.sh", + 'CONFIG' => $keycloak::login_config, + 'SERVER' => $keycloak::wrapper_server, + 'REALM' => 'master', + 'ADMIN_USER' => $keycloak::admin_user, + 'PASSWORD' => $keycloak::admin_user_password, + } + file { 'kcadm-wrapper.conf': + ensure => 'file', + path => $keycloak::wrapper_conf, + owner => $keycloak::user, + group => $keycloak::group, + mode => '0640', + content => epp('keycloak/shell_vars.epp', { 'vars' => $wrapper_conf }), + show_diff => false, + } + file { 'kcadm-wrapper.sh': ensure => 'file', path => $keycloak::wrapper_path, owner => $keycloak::user, group => $keycloak::group, mode => '0750', - content => template('keycloak/kcadm-wrapper.sh.erb'), + source => 'puppet:///modules/keycloak/kcadm-wrapper.sh', show_diff => false, + require => File['kcadm-wrapper.conf'], } file { $keycloak::conf_dir:
diff --git a/manifests/init.pp b/manifests/init.pp
index 39be3920..429ceb39 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
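Review bot: The wrapper sources a hard-coded `/opt/keycloak/conf/kcadm-wrapper.conf`, while Puppet derives that file's location from `$keycloak::conf_dir` (`$wrapper_conf` in init.pp), so on an install with a non-default `install_base`/`conf_dir` the `.` line fails silently, every variable stays empty, and the final `${KCADM} "$@" --config "$CONFIG"` executes the caller's first argument as the command. Put `set -euo pipefail` directly under the shebang so a missing conf file or unset variable aborts the script instead, and make the expiry test tolerate a config without `refreshExpiresAt` with `[ "${EXPIRES:-0}" -lt "$NOW" ]` (an empty `EXPIRES` currently makes `[` report an integer-expression error). `$CONFIG` ends up holding the admin user's access and refresh tokens, and the script leaves its mode to kcadm.sh and the caller's umask; a `umask 077` before the `config credentials` line bounds that regardless of what kcadm.sh does. The admin password is still handed over as `--password "$PASSWORD"`, visible to any local user through `ps`/`/proc` for the duration of the login; if the shipped kcadm.sh can read it from stdin or the environment, prefer that.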
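Review bot: `File['kcadm-wrapper.conf']` writes `$keycloak::admin_user_password` in clear text into a file that kcadm-wrapper.sh later sources as shell, and `show_diff => false` only suppresses the diff: the rendered content is still serialized unredacted in the catalog and the agent's on-disk catalog cache. If the module's supported Puppet range accepts `Sensitive` for `file` content, `content => Sensitive(epp('keycloak/shell_vars.epp', { 'vars' => $wrapper_conf })),` keeps it out of both. Note that `shell_vars.epp` types its parameter as `Hash[String, String]`, so should `admin_user_password` ever arrive as a `Sensitive` value it has to be unwrapped before it goes into `$wrapper_conf`, or the template will reject it. A why-comment above the hash, `# Rendered into a shell file that kcadm-wrapper.sh sources; values must stay shell-safe`, would replace the "Template uses:" note this hunk removes.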
@@ -240,7 +240,7 @@ Optional[Stdlib::Absolutepath] $service_environment_file = undef, Stdlib::Filemode $conf_dir_mode = '0755', Boolean $conf_dir_purge = true, - Array $conf_dir_purge_ignore = ['cache-ispn.xml', 'README.md', 'truststore.jks'], + Array $conf_dir_purge_ignore = ['cache-ispn.xml', 'README.md', 'truststore.jks', 'kcadm.config'], Keycloak::Configs $configs = {}, Hash[String, Variant[String[1],Boolean,Array]] $extra_configs = {}, Variant[Stdlib::Host, Stdlib::HTTPUrl, Stdlib::HTTPSUrl, Enum['unset','UNSET']] $hostname = $facts['networking']['fqdn'], @@ -330,6 +330,8 @@ $tmp_dir = "${install_base}/tmp" $providers_dir = "${install_base}/providers" $wrapper_path = "${keycloak::install_base}/bin/kcadm-wrapper.sh" + $wrapper_conf = "${conf_dir}/kcadm-wrapper.conf" + $login_config = "${conf_dir}/kcadm.config" $default_config = { 'hostname' => $hostname, diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index ede1c65e..1f1605e9 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -121,8 +121,9 @@ owner: 'keycloak', group: 'keycloak', mode: '0750', - content: %r{.*}, + source: 'puppet:///modules/keycloak/kcadm-wrapper.sh', show_diff: 'false', + require: 'File[kcadm-wrapper.conf]', ) end diff --git a/templates/kcadm-wrapper.sh.erb b/templates/kcadm-wrapper.sh.erb deleted file mode 100644 index d627f8ce..00000000 --- a/templates/kcadm-wrapper.sh.erb +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -KCADM="<%= scope['keycloak::install_base'] %>/bin/kcadm.sh" - -${KCADM} "$@" --no-config --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>' diff --git a/templates/keycloak.service.erb b/templates/keycloak.service.erb index 88d8a0c5..393a76ac 100644 --- a/templates/keycloak.service.erb +++ b/templates/keycloak.service.erb 
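Review bot: `$login_config` places the kcadm token cache (admin access and refresh tokens) in `$conf_dir`, which the `-240` hunk above shows defaults to `$conf_dir_mode = '0755'`, so the only thing protecting that file is whatever mode kcadm.sh happens to create it with; nothing in this commit enforces one. Either let the wrapper set a restrictive umask before logging in, or manage the file's mode explicitly (e.g. a `file { $login_config: mode => '0600', replace => false }` alongside the purge-ignore entry). The two new variables also deserve a one-line comment, e.g. `# Shell-sourced credentials for kcadm-wrapper.sh, and the token cache kcadm.sh writes for it`. The enclosing class body continues outside this hunk.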
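Review bot: The spec now pins the `require` on `File[kcadm-wrapper.sh]` but nothing in this hunk covers the new `File[kcadm-wrapper.conf]` resource, which is the one that actually carries the admin password; unless it is asserted elsewhere in this file, add `it { is_expected.to contain_file('kcadm-wrapper.conf').with(owner: 'keycloak', group: 'keycloak', mode: '0640', show_diff: 'false') }` next to this example, and a `.with_content(%r{^PASSWORD='.*'$})` check so a future template change that drops the quoting is caught. The `it do ... end` example this hunk edits starts outside the hunk.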
@@ -21,6 +21,10 @@ Environment='JAVA_HOME=<%= scope['keycloak::java_home'] %>' User=<%= scope['keycloak::user'] %> Group=<%= scope['keycloak::group'] %> ExecStart=<%= scope['keycloak::service_start_cmd'] %> +# TODO: remove once upgraded from Keycloak 25 to 26 +<% unless (scope['keycloak::features'] || []).include?('persistent-user-sessions') -%> +ExecStartPost=-/usr/bin/rm -f <%= scope['keycloak::login_config'] %> +<% end -%> TimeoutStartSec=600 TimeoutStopSec=600 SuccessExitStatus=0 143 diff --git a/templates/shell_vars.epp b/templates/shell_vars.epp new file mode 100644 index 00000000..662c896a --- /dev/null +++ b/templates/shell_vars.epp @@ -0,0 +1,8 @@ +<%- | + Hash[String, String] $vars +| -%> +# This file is managed by Puppet, DO NOT EDIT + +<% $vars.each |$key, $value| { -%> +<%= $key %>='<%= $value %>' +<% } -%>
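Review bot: The TODO says when to drop the new `ExecStartPost` but not why it exists; presumably without persistent user sessions a Keycloak restart invalidates the refresh token cached in `kcadm.config`, which the wrapper's timestamp check cannot notice, so a comment such as `# Without persistent user sessions a restart invalidates the cached admin token; remove it so kcadm-wrapper.sh logs in again` would let the intent outlive the TODO. The guard is an exact-string match on `$keycloak::features`; if versioned feature names such as `persistent-user-sessions:v1` are accepted here, they would not match and the file would be deleted on every start, so `.any? { |f| f.start_with?('persistent-user-sessions') }` is the safer test. Quoting the interpolated path, `ExecStartPost=-/usr/bin/rm -f '<%= scope['keycloak::login_config'] %>'`, matches the `Environment=` line above and costs nothing.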
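Review bot: Values are emitted inside single quotes with no escaping, and the `PASSWORD` value is an operator-chosen secret, so any password containing `'` yields a conf file that kcadm-wrapper.sh sources as broken shell, or as arbitrary commands if the remainder happens to parse. Puppet's core `shellquote()` produces a safely quoted form; use `<%= $key %>=<%= shellquote($value) %>` and drop the literal quotes. Keys are not validated either, and a key that is not a shell identifier breaks the sourced file the same way; typing the parameter as `Hash[Pattern[/\A[A-Za-z_][A-Za-z0-9_]*\z/], String]` catches that at compile time.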