The vCenter Single Sign-On token policy specifies the clock tolerance, renewal count, and other token properties. You can edit the vCenter Single Sign-On token policy to ensure that the token specification conforms to your corporation's security standards.

1. Log in to the vSphere Web Client.

2. Select Administration > Single Sign-On, and select Configuration.

3. Click the Policies tab and select Token Policy.

   The vSphere Web Client displays the current configuration settings. If you have not modified the default settings, vCenter Single Sign-On uses them.

4. Edit the token policy configuration parameters.

   Clock tolerance
       Time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.

   Maximum token renewal count
       Maximum number of times that a token can be renewed. After the maximum number of renewal attempts, a new security token is required.

   Maximum token delegation count
       Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated.

   Maximum bearer token lifetime
       Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime of a bearer token before the token has to be reissued.

   Maximum holder-of-key token lifetime
       Holder-of-key tokens provide authentication based on security artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server system obtains delegated tokens on a user's behalf and uses those tokens to perform operations.

       This value determines the lifetime of a holder-of-key token before the token is marked invalid.

5. Click OK.
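The following Python model shows how the five token policy parameters from step 4 interact when a token is validated, renewed, or delegated. It is an added illustration and not VMware's code: the policy field names mirror the Token Policy options, but the numeric values, the token structure, and the order of the checks are assumptions made for this example. It is useful for reasoning about what a tighter clock tolerance or a shorter bearer lifetime actually rejects.

```python
"""Model of how a token policy gates token validity, renewal and delegation.

Added example, not VMware's implementation. Policy values below are
illustrative and are NOT vCenter's shipped defaults.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class TokenType(Enum):
    BEARER = "bearer"                 # proves possession of the token only
    HOLDER_OF_KEY = "holder-of-key"   # bound to a key; can be delegated


@dataclass(frozen=True)
class TokenPolicy:
    # Assumed values for the example (milliseconds, matching the UI unit
    # for clock tolerance).
    clock_tolerance_ms: int = 600_000           # 10 minutes of skew allowed
    max_renewal_count: int = 10
    max_delegation_count: int = 10
    max_bearer_lifetime_ms: int = 300_000       # 5 minutes
    max_hok_lifetime_ms: int = 2_592_000_000    # 30 days


@dataclass
class Token:
    token_type: TokenType
    issued_at_ms: int                      # issuer's clock at issuance
    renewals: int = 0                      # renewals performed so far
    delegate_chain: List[str] = field(default_factory=list)  # DelegateTo identities


def validate(token: Token, policy: TokenPolicy, server_now_ms: int) -> Optional[str]:
    """Return None if the token is acceptable, otherwise the rejection reason."""
    # Clock tolerance: a token whose issuance time lies further in the
    # future than the tolerance means the two clocks disagree too much.
    if token.issued_at_ms - server_now_ms > policy.clock_tolerance_ms:
        return "clock skew exceeds tolerance"
    # Lifetime depends on the token type; bearer tokens are short-lived.
    if token.token_type is TokenType.BEARER:
        max_life = policy.max_bearer_lifetime_ms
    else:
        max_life = policy.max_hok_lifetime_ms
    if server_now_ms - token.issued_at_ms > max_life:
        return "token lifetime exceeded"
    if token.renewals > policy.max_renewal_count:
        return "renewal count exceeded"
    if token.token_type is TokenType.BEARER and token.delegate_chain:
        return "bearer tokens cannot be delegated"
    if len(token.delegate_chain) > policy.max_delegation_count:
        return "delegation count exceeded"
    return None


def renew(token: Token, policy: TokenPolicy, server_now_ms: int) -> Token:
    """Renew a valid token; after max_renewal_count a new token is required."""
    reason = validate(token, policy, server_now_ms)
    if reason:
        raise ValueError(f"cannot renew: {reason}")
    if token.renewals + 1 > policy.max_renewal_count:
        raise ValueError("cannot renew: renewal count exceeded, request a new token")
    return Token(token.token_type, server_now_ms, token.renewals + 1,
                 list(token.delegate_chain))


def delegate(token: Token, policy: TokenPolicy, delegate_to: str,
             server_now_ms: int) -> Token:
    """Delegate a holder-of-key token to a service identity (DelegateTo)."""
    if token.token_type is not TokenType.HOLDER_OF_KEY:
        raise ValueError("only holder-of-key tokens can be delegated")
    reason = validate(token, policy, server_now_ms)
    if reason:
        raise ValueError(f"cannot delegate: {reason}")
    if len(token.delegate_chain) + 1 > policy.max_delegation_count:
        raise ValueError("cannot delegate: delegation count exceeded")
    return Token(token.token_type, token.issued_at_ms, token.renewals,
                 token.delegate_chain + [delegate_to])


def run_scenarios(policy: TokenPolicy = TokenPolicy()) -> Dict[str, Optional[str]]:
    """Exercise each policy limit with constructed tokens and return the outcomes."""
    now = 1_000_000
    out: Dict[str, Optional[str]] = {}
    out["fresh_bearer"] = validate(Token(TokenType.BEARER, now - 200_000), policy, now)
    out["stale_bearer"] = validate(Token(TokenType.BEARER, now - 400_000), policy, now)
    out["stale_hok"] = validate(Token(TokenType.HOLDER_OF_KEY, now - 400_000), policy, now)
    out["skewed"] = validate(Token(TokenType.BEARER, now + 700_000), policy, now)
    hok = Token(TokenType.HOLDER_OF_KEY, now)
    for i in range(policy.max_delegation_count):      # fills the chain exactly
        hok = delegate(hok, policy, f"service-{i}", now)
    out["max_delegated"] = validate(hok, policy, now)
    try:
        delegate(hok, policy, "one-too-many", now)
        out["over_delegated"] = None
    except ValueError as exc:
        out["over_delegated"] = str(exc)
    bearer = Token(TokenType.BEARER, now)
    for _ in range(policy.max_renewal_count):
        bearer = renew(bearer, policy, now)
    try:
        renew(bearer, policy, now)
        out["over_renewed"] = None
    except ValueError as exc:
        out["over_renewed"] = str(exc)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'OK' if result is None else result}")
```

Lowering `clock_tolerance_ms` or `max_bearer_lifetime_ms` in `TokenPolicy` and re-running `run_scenarios` shows which constructed tokens start to be rejected, which is the same trade-off the UI setting makes: tighter values shrink the window in which a stolen or replayed token is useful, at the cost of rejecting clients whose clocks drift.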