The documentation for this isn’t supper clear, in fact I had the mistaken idea that adding active directory as an identity source using the machine account could only be done from vSphere on Windows, the truth is that if you have joined the vcsa to the domain the machine account method is equally valid.
However if you can’t for some reason you cannot add the vcsa to the domain, then you can either add it using the ldap credentials or create a SPN
If you do need to create the SPN then here is how…
For VCSA these actions have to be performed on a Windows workstation joined to the domain
My domain is dca.vclass.local
I have previously created a domain admin called dcaservice
Open an elevated command prompt
Type echo %UserDNSDomain%and press Enter.
Type setspn -Q sts/DNS_domain_name and press Enter. This verifies that no other SPNs have been created on this domain.
Note: If a SPN is found, consult your Active Directory administrator.
To create an SPN for use with Single Sign-On 5.5:
Type setspn -S sts/DNS_Domain_name Domain_User_account and press Enter.
Do not use the domain suffix on the account ie: firstname.lastname@example.org
Ref: In the VMware Platform Services Controller 6.0 FAQs (2113115) there is a pointer to (2058298) which is the documentation for 5.5 as the correct process for 6.0