If you select the Active Directory (Integrated Windows Authentication) identity source type, you can use the local machine account as your SPN (Service Principal Name) or specify an SPN explicitly. You can use this option only if the vCenter Single Sign-On server is joined to an Active Directory domain.
Prerequisites for Using an Active Directory (Integrated Windows Authentication) Identity Source
You can set up vCenter Single Sign-On to use an Active Directory (Integrated Windows Authentication) identity source only if that identity source is available. Follow the instructions in the vCenter Server Configuration documentation.
Select Use machine account to speed up configuration. If you expect to rename the local machine on which vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.
If you have enabled diagnostic event logging in your Active Directory to identify where hardening might be needed, you might see a log event with Event ID 2889 on that directory server. Event ID 2889 is generated as an anomaly rather than a security risk when using Integrated Windows Authentication. For more information about Event ID 2889, see the VMware knowledge base article at https://kb.vmware.com/s/article/78644.
Text Box | Description |
---|---|
Domain name | FQDN of the domain name, for example, mydomain.com. Do not provide an IP address. This domain name must be DNS-resolvable by the vCenter Server system. |
Use machine account | Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine. |
Use Service Principal Name (SPN) | Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user. |
Service Principal Name (SPN) | SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com. The SPN must be unique across the domain. Running the setspn -S command checks that no duplicate is created. See the Microsoft documentation for information on setspn. |
User Principal Name (UPN) Password |
Name and password of a user who can authenticate with this identity source. Use the email address format, for example, [email protected]. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit). |