Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298)

Purpose

Using a Service Principal Name (SPN) is a new feature in vCenter Single Sign-On (SSO) 5.5. The domain account that holds the SPN acts as the Secure Token Service (STS) identity for token issuing.
 
This article provides the steps to create an SPN and to use it when adding an Active Directory Identity Source to SSO 5.5.

Note: Only a single SPN for an Identity Source is required.

Resolution

Prerequisites for creating and using an SPN in SSO 5.5:

To be able to create and use an SPN in SSO 5.5, ensure that:

  • There are two domain accounts:

    • A domain account with domain administrator privileges, which is required to assign an SPN to an account.
    • A domain account with domain user privileges, which is the minimum required for the account that will hold the SPN. Use a dedicated account for this purpose, because its password is entered into the SSO Identity Source configuration.

  • You have access to vCenter Server running on a Windows platform or a Windows system connected to the same domain as vCenter Server Appliance.
  • The SPN STS/DNS_domain_name is not already registered to any account in the domain.

    To verify that the SPN is not already registered:
  1. Log in to vCenter Server using a domain administrator account.

    Note: If using the vCenter Server Appliance (VCSA), these actions can be performed on a Windows workstation joined to the same domain as the VCSA.

  2. Open an elevated command prompt. For more information, see Opening a command or shell prompt (1003892).
  3. Type echo %UserDNSDomain% and press Enter. This displays the DNS name of the domain to which the current Windows system is joined.

    For example:

    C:\>echo %UserDNSDomain%

    You see output similar to:

    child-domain.vmware.com

  4. Type setspn -Q STS/DNS_domain_name and press Enter. This verifies that the STS SPN for this domain has not already been registered to another account (setspn -Q searches every domain in the forest).

    For example:

    C:\>setspn -Q STS/child-domain.vmware.com

    You see output similar to:

    No such SPN Found.


    Note: If an SPN is found, consult your Active Directory administrator.

Creating an SPN for use with SSO 5.5

To create an SPN for use with Single Sign-On 5.5:
  1. Log in to vCenter Server using a domain administrator account.

    Note: If using the vCenter Server Appliance (VCSA), these actions can be performed on a Windows workstation joined to the same domain as the VCSA.

  2. Open an elevated command prompt. For more information, see Opening a command or shell prompt (1003892).
  3. Type setspn -S STS/DNS_Domain_name Domain_User_account and press Enter. The -S option checks that no duplicate SPN exists before adding it.

    For example:

    C:\>setspn -S STS/child-domain.vmware.com SSOServiceAccount

    You see output similar to:

    Updated object

    Notes:
    • If a duplicate SPN is found, consult your Active Directory administrator about removing the duplicate.
    • The SPN must use the service class STS (that is, STS/DNS_Domain_name); otherwise the Identity Source cannot be created.
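The prerequisite check (setspn -Q) and the registration step (setspn -S) above, combined into one script as an added PowerShell example. This is not part of the VMware article; it assumes setspn.exe is available on the domain-joined Windows host, reads the domain from the USERDNSDOMAIN variable as step 3 does, and uses the article's hypothetical account name SSOServiceAccount.

```powershell
# Added example (not from the VMware KB): check for and register the STS/<domain>
# SPN for the SSO service account from an elevated prompt on a domain-joined host.
# Assumes setspn.exe is on the PATH; "SSOServiceAccount" is the KB's example name.

param(
    [string]$ServiceAccount = 'SSOServiceAccount',
    [string]$DnsDomain = $env:USERDNSDOMAIN   # step 3 of the prerequisite check
)

if (-not $DnsDomain) {
    throw 'USERDNSDOMAIN is not set; run this on a domain-joined Windows host.'
}

# SSO 5.5 requires the service class "STS"; the host part is the DNS domain name.
$spn = "STS/$($DnsDomain.ToLower())"

# Step 4 of the prerequisite check: -Q searches the forest for an existing registration.
$query = (& setspn.exe -Q $spn 2>&1) -join "`n"

if ($query -match 'No such SPN found') {
    Write-Host "No existing registration for $spn; registering it on $ServiceAccount"
    # -S refuses to add a duplicate, unlike -A, so two accounts can never end up
    # claiming the same service principal.
    $result = (& setspn.exe -S $spn $ServiceAccount 2>&1) -join "`n"
    if ($result -notmatch 'Updated object') {
        throw "setspn -S did not report success:`n$result"
    }
} else {
    # Something already holds STS/<domain>. The KB says to involve the AD
    # administrator rather than overwrite it; the -Q output names the owner.
    Write-Warning "SPN $spn is already registered:`n$query"
    Write-Warning 'Consult your Active Directory administrator before continuing.'
    exit 1
}

# Confirm the SPN now appears on the intended account (-L lists an account's SPNs).
$listing = (& setspn.exe -L $ServiceAccount 2>&1) -join "`n"
if ($listing -match [regex]::Escape($spn)) {
    Write-Host "Verified: $spn is registered on ${ServiceAccount}"
} else {
    throw "SPN $spn is not listed on ${ServiceAccount}:`n$listing"
}
```

Run it from an elevated PowerShell prompt while logged in as a domain administrator, which is the privilege the article requires for assigning the SPN. The account receiving the SPN only needs domain user rights, and it should be a dedicated account, since its password is later stored in the SSO Identity Source configuration.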

Creating an Active Directory Identity Source for use with SSO 5.5

To create an Active Directory (Integrated Windows Authentication) Identity Source:
  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with SSO administrator privileges. The default vSphere Web Client URL is:

    https://client-hostname:9443/vsphere-client

  2. Navigate to Administration > Single Sign-On > Configuration.
  3. In the Identity Sources tab, click the Add Identity Source icon.
  4. Click Active Directory (Integrated Windows Authentication).
  5. Select the Use SPN option.
  6. Enter this information:

    Domain name: DNS_Domain_name
    Service Principal Name (SPN): STS/DNS_Domain_name
    User Principal Name (UPN): Domain_User_account@DNS_Domain_name
    Password: the password of the domain user account that holds the SPN

    For example:

    Domain name: child-domain.vmware.com
    Service Principal Name (SPN): STS/child-domain.vmware.com
    User Principal Name (UPN): SSOServiceAccount@child-domain.vmware.com
    Password: WelcomeToSSO55
