ThevCenter Single Sign-On token policy specifies the clock tolerance, renewal count, and other token properties. You can edit the vCenter Single Sign-On token policy to ensure that the token specification conforms to your corporation's security standards.
- Log in to the vSphere Web Client.
- Select Configuration. , and select
- Click the Policies tab and select Token Policy.
The vSphere Web Client displays the current configuration settings. If you have not modified the default settings, vCenter Single Sign-On uses them.
- Edit the token policy configuration parameters.
Option Description Clock tolerance Time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid. Maximum token renewal count Maximum number of times that a token can be renewed. After the maximum number of renewal attempts, a new security token is required. Maximum token delegation count Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated. Maximum bearer token lifetime Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime value of a bearer token before the token has to be reissued. Maximum holder-of-key token lifetime Holder-of-key tokens provide authentication based on security artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server system obtains delegated tokens on a user's behalf and uses those tokens to perform operations.
This value determines the lifetime of a holder-of-key token before the token is marked invalid.
- Click OK.