If you select the Active Directory (Integrated Windows Authentication) identity source type, you can either use the local machine account as your SPN (Service Principal Name) or specify an SPN explicitly.

Select Use machine account to speed up configuration. If you expect to rename the local machine on which vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.

Table 1. Add Identity Source Settings

| Field | Description |
|---|---|
| Domain name | FQDN of the domain. Do not provide an IP address in this field. |
| Use machine account | Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine. |
| Use SPN | Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for that user. |
| Service Principal | SPN that helps Kerberos identify the Active Directory service. Include the domain in the name, for example, STS/example.com. You might have to run setspn -S to add the SPN to the user you want to use; see the Microsoft documentation for information on setspn. The SPN must be unique across the domain, and running setspn -S checks that no duplicate is created. |
| User Principal Name | Name of a user who can authenticate with this identity source. Use the email address format, for example, jchin@mydomain.com. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit). |
| Password | Password for the user who authenticates with this identity source, that is, the user specified in User Principal Name. Include the domain name in the user name, for example, jdoe@example.com. |
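The Use SPN settings above depend on three things being true in the directory before you save the identity source: the service account's UPN matches what you will type, the SPN is not already held by another object, and the SPN is registered on that account. The following PowerShell pre-flight script is an added example, not part of the vCenter documentation; it assumes the ActiveDirectory module (RSAT) and setspn.exe on a domain-joined Windows host, and the SPN, account and UPN values are constructed placeholders you would replace with your own.

```powershell
# Added example (not from the vCenter documentation): pre-flight checks for the
# "Use SPN" identity source settings. Assumes the ActiveDirectory module and
# setspn.exe are available and the caller may modify the service account.
# All names below are constructed placeholders.
Import-Module ActiveDirectory

$Spn            = 'STS/example.com'         # value for the Service Principal field
$ServiceAccount = 'svc-vcsso'               # sAMAccountName of the SSO service user
$Upn            = 'svc-vcsso@example.com'   # value for the User Principal Name field

# 1. Confirm the account exists and its UPN matches what will be entered in vCenter.
#    The doc suggests ADSI Edit; Get-ADUser reads the same userPrincipalName attribute.
$user = Get-ADUser -Identity $ServiceAccount -Properties UserPrincipalName, ServicePrincipalName
if ($user.UserPrincipalName -ne $Upn) {
    throw "UPN mismatch: directory has '$($user.UserPrincipalName)', expected '$Upn'"
}

# 2. Verify the SPN is unique across the domain. A duplicate SPN breaks Kerberos
#    because the KDC cannot choose a single account to issue the service ticket for.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($holders -and ($holders.DistinguishedName -notcontains $user.DistinguishedName)) {
    throw "SPN '$Spn' is already registered on: $($holders.DistinguishedName -join ', ')"
}

# 3. Register the SPN on the service account if it does not already hold it.
#    setspn -S performs its own domain-wide duplicate check and refuses to add a duplicate.
if ($user.ServicePrincipalName -notcontains $Spn) {
    & setspn.exe -S $Spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }
}

# 4. List the SPNs now registered on the account for the change record.
& setspn.exe -L $ServiceAccount
```

Run the script as an account that can write the servicePrincipalName attribute of the service user. Step 2 is deliberately kept even though setspn -S checks for duplicates itself: the LDAP query also tells you which object currently holds the SPN, which is what you need when the check fails.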