Creating an SPN for use with VCSA 6

The documentation for this isn’t supper clear, in fact I had the mistaken idea that adding active directory as an identity source using the machine account could only be done from vSphere on Windows, the truth is that if you have joined the vcsa to the domain the machine account method is equally valid.

However if you can’t for some reason you cannot add the vcsa to the domain, then you can either add it using the ldap credentials or create a SPN

If you do need to create the SPN then here is how…


For VCSA these actions have to be performed on a Windows workstation joined to the domain

My domain is dca.vclass.local

I have previously created a domain admin called dcaservice

Open an elevated command prompt
Type echo %UserDNSDomain%and press Enter.

For example:

C:\>echo %UserDNSDomain%

Type setspn -Q sts/DNS_domain_name and press Enter. This verifies that no other SPNs have been created on this domain.

query sts




Note: If a SPN is found, consult your Active Directory administrator.


To create an SPN for use with Single Sign-On 5.5:

Type setspn -S sts/DNS_Domain_name Domain_User_account and press Enter.

Do not use the domain suffix on the account ie: dcaservice@dca.vclass.local

set sts




Then check

check sts




Ref: In the VMware Platform Services Controller 6.0 FAQs (2113115) there is a pointer to (2058298) which is the documentation for 5.5 as the correct process for 6.0

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.