The vCenter Single Sign-On token policy specifies token properties such as the clock tolerance and renewal count. You can edit the token policy to ensure that the token specification conforms to security standards in your corporation.


  1. From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.



    vSphere Web Client


    Platform Services Controller


    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.

    If you specified a different domain during installation, log in as administrator@mydomain.

  3. Navigate to the vCenter Single Sign-On configuration UI.



    vSphere Web Client

    1. From the Home menu, select Administration.

    2. Under Single Sign-On, click Configuration.

    Platform Services Controller

    Click Single Sign-On and click Configuration.

  4. Click the Policies tab and select Token Policy.

    The vSphere Web Client displays the current configuration settings. If you have not modified the default settings, vCenter Single Sign-On uses them.

  5. Edit the token policy configuration parameters.



    Clock tolerance

    Time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.

    Maximum token renewal count

    Maximum number of times that a token can be renewed. After the maximum number of renewal attempts, a new security token is required.

    Maximum token delegation count

    Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated.

    Maximum bearer token lifetime

    Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime value of a bearer token before the token has to be reissued.

    Maximum holder-of-key token lifetime

    Holder-of-key tokens provide authentication based on security artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server system obtains delegated tokens on a user's behalf and uses those tokens to perform operations.

    This value determines the lifetime of a holder-of-key token before the token is marked invalid.

  6. Click OK.