You can join a Platform Services Controller appliance or a vCenter Server Appliance with an embedded Platform Services Controller to an Active Directory domain. You can attach the users and groups from this Active Directory domain to your vCenter Single Sign-On domain.

1. Use the vSphere Web Client to log in as administrator@your_domain_name to the vSphere Web Client instance in the vCenter Server Appliance.
   The address is of the type http:// appliance-IP-address-or-FQDN/vsphere-client.
2. On the vSphere Web Client, click Deployment > Administration > Nodes.
3. Select a node, and click the Manage tab.
4. Select Active Directory, and click Join.
5. Enter the Active Directory details.

   Option	Description
   Domain	Active Directory domain name, for example, mydomain.com. Do not provide an IP address in this text box.
   Organizational unit	Optional. The full OU LDAP FQDN, for example, OU=Engineering,DC=mydomain,DC=com. Important: Use this text box only if you are familiar with LDAP.
   User name	User name in User Principal Name (UPN) format, for example, [email protected]. Important: Down-level login name format, for example, DOMAIN\UserName, is unsupported.
   Password	Password of the user.

6. Click OK to join the vCenter Server Appliance to the Active Directory domain.
   The operation silently succeeds and you can see the Join button turned to Leave.
7. Right-click the node you edited and select Reboot to restart the appliance so that the changes are applied.
   Important: If you do not restart the appliance, you might encounter problems when using the vSphere Web Client.
8. Navigate to Administration > Single Sign-On > Configuration.
9. On the Identity Sources tab, click the Add Identity Source icon.
10. Select Active Directory (Integrated Windows Authentication), enter the identity source settings of the joined Active Directory domain, and click OK.

    Table 1. Add Identity Source Settings

    Text Box	Description
    Domain name	FDQN of the domain. Do not provide an IP address in this text box.
    Use machine account	Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.
    Use Service Principal Name (SPN)	Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
    Service Principal Name (SPN)	SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com. You might have to run setspn -S to add the user you want to use. See the Microsoft documentation for information on setspn. The SPN must be unique across the domain. Running setspn -S checks that no duplicate is created.
    User Principal Name (UPN)	Name of a user who can authenticate with this identity source. Use the email address format, for example, [email protected]. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit).
    Password	Password for the user who is used to authenticate with this identity source, which is the user who is specified in User Principal Name. Include the domain name, for example, [email protected].