Joining VCSA 5.5 to AD Domain with Secure Token Service (STS)

The easiest choice is:

1. Active Directory with (Integrated Windows Authentication)

a. Use the Machine name.

” If you’re adding AD authentication, simply make sure the VCSA is added to the domain, then use Integrated Windows Authentication using the computer account. Couldn’t be simpler.”

Normally, you would do the above.

I had some problem with this as the error messaged stated the VCSA was improperly joined to the domain. I had to remove and rejoin, without success. So eventually I explored another method.


Following KB: 2058298 “Creating and using a Service Principal Account in vCenter Single Sign-On 5.5”
Service Principal Account (SPN) is a new feature in vCenter Single Sign-On (SSO) 5.5. The SPN account acts as the Secure Token Service (STS) for token issuing.
This article provides steps to configure and use a SPN when creating an Active Directory Identity Source for SSO 5.5.
1. verify domain
C:\>echo %UserDNSDomain%
You see output similar to:
Type setspn -Q sts/DNS_domain_name and press Enter. This verifies that no other SPNs have been created on this domain.
For example:
C:\>setspn -Q STS/
You see output similar to:
No such SPN Found.
Note: If a SPN is found, consult your Active Directory administrator.
(Here I created a SSOServiceAccount set to domain admin)
Next step is to setspn
C:\>setspn -S STS/ SSOServiceAccount
From here you “Set the Active Directory Identity Source with SSO 5.5”
Creating an Active Directory Identity Source for use with SSO 5.5

To create an Active Directory (Integrated Windows Authentication) Identity Source:
Log in to the vSphere Web Client as administrator@vsphere.local or as another user with SSO administrator privileges. The default vSphere Web Client URL is:


Navigate to Administration > Single Sign-On > Configuration.
In the Identity Sources tab, click the Add Identity Source icon (Add Identity Source icon) under the option menu.
Click Active Directory (Integrated Windows Authentication).

Select the Use SPN option.
Enter this information:

Domain name: DNS_Domain_name
Service Principal Name (SPN): STS/DNS_Domain_name
User Principal Name (UPN): Domain User assigned
Password: Password

For example:

Domain name:
Service Principal Name (SPN): STS/
User Principal Name (UPN):
Password: WelcomeToSSO55

And there you have can now log onto SSO and you will be able to see the AD you joined in the SSO. Delegate SSO Admin Rights (in the web client “vCenter Users and Groups”. Add AD groups to Administrator group.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.