The easiest choice is:
1. Active Directory (Integrated Windows Authentication)
a. Use the machine name.
“If you’re adding AD authentication, simply make sure the VCSA is added to the domain, then use Integrated Windows Authentication using the computer account. Couldn’t be simpler.”
Normally, you would do the above.
I had some problems with this, as the error message stated the VCSA was improperly joined to the domain. I removed and rejoined it, without success. So eventually I explored another method.
C:\>setspn -Q STS/child-domain.vmware.com
No such SPN Found.
Note: If an SPN is found, consult your Active Directory administrator.
C:\>setspn -S STS/child-domain.vmware.com SSOServiceAccount
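The same check-then-register sequence as the two setspn commands above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and the caller may edit the service account; the domain and account names are the ones used in the post. Unlike a blind setspn -S, it reports who already holds the SPN instead of adding a second holder, since a duplicate SPN breaks Kerberos ticket issuance.

```powershell
# Added example (not from the original post): pre-flight check and idempotent
# registration of the STS/<domain> SPN on the SSO service account.
# Assumes the RSAT ActiveDirectory module and rights to edit the account.
Import-Module ActiveDirectory

function Ensure-StsSpn {
    param(
        [Parameter(Mandatory)] [string] $DnsDomainName,   # e.g. child-domain.vmware.com
        [Parameter(Mandatory)] [string] $ServiceAccount   # sAMAccountName, e.g. SSOServiceAccount
    )
    $spn = "STS/$DnsDomainName"

    # Kerberos requires an SPN to map to exactly one account. Search the whole
    # directory for any object that already holds it before touching anything.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)

    if ($owners.Count -gt 1) {
        # Duplicate SPNs already present: do not add another holder.
        return [pscustomobject]@{ Spn = $spn; Status = 'Duplicate'; Owners = $owners.DistinguishedName }
    }
    if ($owners.Count -eq 1) {
        $acct = Get-ADUser -Identity $ServiceAccount
        if ($owners[0].DistinguishedName -eq $acct.DistinguishedName) {
            return [pscustomobject]@{ Spn = $spn; Status = 'AlreadyRegistered'; Owners = $acct.DistinguishedName }
        }
        # Held by a different account: the post says to consult the AD
        # administrator in this case rather than overwrite or duplicate it.
        return [pscustomobject]@{ Spn = $spn; Status = 'OwnedElsewhere'; Owners = $owners[0].DistinguishedName }
    }

    # No holder found: equivalent of "setspn -S STS/<domain> <account>".
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $spn }
    $after = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
    return [pscustomobject]@{ Spn = $spn; Status = 'Registered'; Owners = $after }
}

# Values from the post
Ensure-StsSpn -DnsDomainName 'child-domain.vmware.com' -ServiceAccount 'SSOServiceAccount' | Format-List
```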
To create an Active Directory (Integrated Windows Authentication) Identity Source:
Log in to the vSphere Web Client as email@example.com or as another user with SSO administrator privileges. The default vSphere Web Client URL is:
Navigate to Administration > Single Sign-On > Configuration.
In the Identity Sources tab, click the Add Identity Source icon under the option menu.
Click Active Directory (Integrated Windows Authentication).
Enter this information:
Domain name: DNS_Domain_name
Service Principal Name (SPN): STS/DNS_Domain_name
User Principal Name (UPN): <domain user the SPN was assigned to>@DNS_Domain_name.com
For the domain and service account used above, that is:
Domain name: child-domain.vmware.com
Service Principal Name (SPN): STS/child-domain.vmware.com
User Principal Name (UPN): SSOServiceAccount@child-domain.vmware.com
And there you have it. You can now log on to SSO and will see the AD domain you joined listed as an identity source. Delegate SSO admin rights in the web client under “vCenter Users and Groups” by adding AD groups to the Administrators group.