Monday, August 2, 2021

PowerCLI - Fails to logon to vCenter VCSA using integrated authentication

I recently made a PowerCLI script to pull reports from the 4 vCenters we have in our infra. The script was tested against one vCenter and was working great, so I deployed it on our script host to be able to schedule it, and configured it to run against all 4 vCenters. Then I noticed it gets stuck when it reaches the lab vCenter and pops up asking for credentials, which I was not expecting, as it was supposed to run using integrated authentication. It works fine against the 3 remaining vCenters when I tried.

I was able to reproduce this issue as follows:

1) Opened PowerCLI as the service account that we are using to pull the report.
2) Tried to connect to the Prod vCenter with "Connect-VIServer ProdvCenter" and it logged in immediately.
3) "Connect-VIServer LabvCenter" brought up the credential popup again.


4) To troubleshoot, I issued the connect command again with the verbose switch (-v) and cancelled the credential window. Below is the output from it.

PS C:\Users\vCAdmin> Connect-VIServer -v VMwareLab
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'vmwarelab' to 'vmwaretest'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'OurDomain\vCAdmin'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/VMwareLab'. Error code: 0x80090303
VERBOSE: Connect using SSPI was unsuccessful
Connect-VIServer : 2/08/2021 4:30:04 PM Connect-VIServer                Could not determine user name and/or password for server VMwareLab
At line:1 char:1
+ Connect-VIServer -v VMwareLab
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], ViServerConnectionException
    + FullyQualifiedErrorId : ViCore_Login_CredentialNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
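The verbose output above already contains the diagnosis: the reverse lookup of the name PowerCLI was given ('vmwarelab') returns a different host name ('vmwaretest'), and SSPI error 0x80090303 is SEC_E_TARGET_UNKNOWN, the code you get when the KDC cannot find the service principal name the client asked for (here host/VMwareLab). The PowerShell function below is an added example, not part of the original post, and runs those same checks from a domain-joined Windows host without PowerCLI in the picture: forward and reverse DNS for the name, whether any AD account holds the SPN PowerCLI will request, and whether a Kerberos service ticket for it can be obtained. It assumes setspn.exe and klist.exe are available; the host names are the post's placeholders.

```powershell
# Added diagnostic (example code, not from the original post). Assumes a
# domain-joined Windows host with setspn.exe and klist.exe in the path.
# 'vmwarelab' / 'vmwaretest' are the post's placeholder names.
function Test-VIServerKerberosName {
    [CmdletBinding()]
    param(
        # The value you pass to Connect-VIServer -Server
        [Parameter(Mandatory)][string]$Name
    )

    $result = [ordered]@{ RequestedName = $Name }

    # 1. Forward lookup, then reverse lookup of the first IPv4 address. The post's
    #    "Reversely resolved 'vmwarelab' to 'vmwaretest'" line is this mismatch.
    $ip = [System.Net.Dns]::GetHostAddresses($Name) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          Select-Object -First 1
    $result.IPAddress = $ip.IPAddressToString
    try {
        $result.ReverseName = [System.Net.Dns]::GetHostEntry($ip).HostName
    } catch {
        $result.ReverseName = $null          # no PTR record for the address
    }
    $shortRequested = ($Name -split '\.')[0]
    $shortReverse   = if ($result.ReverseName) { ($result.ReverseName -split '\.')[0] } else { $null }
    $result.NameMismatch = [bool]($shortReverse -and ($shortRequested -ne $shortReverse))

    # 2. The verbose log shows PowerCLI asking for host/<name exactly as typed>.
    #    setspn -Q searches the forest for that SPN and prints the DN of the
    #    account holding it, or "No such SPN found."
    $spn  = "host/$Name"
    $text = (& setspn.exe -Q $spn 2>&1) -join "`n"
    $result.Spn           = $spn
    $result.SpnRegistered = [bool]($text -match 'Existing SPN found')
    $result.SpnAccountDn  = if ($result.SpnRegistered) {
        [regex]::Match($text, '^(CN=.+)$', 'Multiline').Groups[1].Value
    } else { $null }

    # 3. Ask the KDC for a service ticket directly; this fails the same way
    #    Connect-VIServer does when the SPN is not registered anywhere.
    $klist = (& klist.exe get $spn 2>&1) -join "`n"
    $result.TicketObtained = [bool]($klist -match ('Server:\s*' + [regex]::Escape($spn)))

    [pscustomobject]$result
}

# Usage with the post's lab name:
# Test-VIServerKerberosName -Name vmwarelab
# NameMismatch = True together with SpnRegistered = False is the post's situation:
# either connect using the reverse name (vmwaretest) or register host/vmwarelab
# on the computer account the vCenter is joined as.
```

Running this for each vCenter name in the script's list up front is a cheap way to find the one that will prompt interactively before the scheduled job hangs on it.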


After comparing the configs I found the issue; the highlighted line above (where 'vmwarelab' is reversely resolved to 'vmwaretest') is the key.

1) ProdVC's DNS entry is "ProdVCenter.OurDomain.com" and it is joined to AD with the same hostname.
2) LabvCenter's DNS entry is "vmwarelab.OurDomain.com", which is the name I am trying to connect to, but the VC is joined to AD under another name, vmwaretest.OurDomain.com.

Note: you may need to log in as administrator@vsphere.local to be able to view the AD Domain section.



So the simplest fix is to use vmwaretest.OurDomain.com in my script.

If you still want to use the other name, you can do that by registering an SPN for that name on the AD computer object the vCenter is joined as, so Kerberos can map the name you connect with to that account.
In my case I used the command below to do this

setspn -A HOST/vmwarelab.OurDomain.com vmwaretest

which is

setspn -A "HOST/<alternate name you want to use>" <computer account name of the vCenter as per the Active Directory Domain config of VC>

After this, just restart your vCenter, which also allows some time for AD replication.
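Putting the fix together as a script (an added example, not the post's own command): it registers the SPN for the alternate name on the computer account the vCenter is joined as, refuses to proceed if that SPN already exists on a different account (a duplicate SPN breaks Kerberos for that name instead of fixing it), then lists the account's SPNs and connects. Both the short and the FQDN form are registered, because the verbose output earlier shows PowerCLI requesting host/<name exactly as typed>. The account, name and domain are the post's placeholders; the user running it needs rights to write servicePrincipalName on that computer object.

```powershell
# Added example (not the original post's code). Assumes: vCenter joined to AD
# as computer account 'vmwaretest', alternate DNS name 'vmwarelab', domain
# 'OurDomain.com' (all placeholders from the post); setspn.exe available and the
# caller allowed to edit servicePrincipalName on the computer object.
function Add-VCenterAlternateSpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$JoinedAccount,   # AD computer account name of the VC
        [Parameter(Mandatory)][string]$AlternateName,   # name you want to use in Connect-VIServer
        [Parameter(Mandatory)][string]$DnsDomain        # DNS suffix, e.g. OurDomain.com
    )

    # Register the form you will type (short) and the FQDN form.
    $spns = @("HOST/$AlternateName", "HOST/$AlternateName.$DnsDomain")

    foreach ($spn in $spns) {
        $query = (& setspn.exe -Q $spn 2>&1) -join "`n"
        if ($query -match 'Existing SPN found') {
            # Already registered somewhere. On the joined account that is fine;
            # on any other account it is a duplicate SPN and must be cleaned up first.
            if ($query -notmatch "(?m)^CN=$([regex]::Escape($JoinedAccount)),") {
                throw "$spn already exists on another account:`n$query"
            }
            Write-Verbose "$spn is already registered on $JoinedAccount"
            continue
        }
        # -S adds the SPN only after its own duplicate check (safer than -A).
        & setspn.exe -S $spn $JoinedAccount | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "setspn -S $spn $JoinedAccount failed (exit code $LASTEXITCODE)"
        }
        Write-Verbose "Registered $spn on $JoinedAccount"
    }

    # Show the resulting SPN list for the record.
    & setspn.exe -L $JoinedAccount
}

# Usage with the post's names, followed by the connection that previously prompted:
# Add-VCenterAlternateSpn -JoinedAccount vmwaretest -AlternateName vmwarelab -DnsDomain OurDomain.com -Verbose
# klist purge                      # start from a clean ticket cache before retesting
# Connect-VIServer -Server vmwarelab -Verbose
```

The duplicate check matters for the scheduled job: if a stale computer object from an earlier join still holds HOST/vmwarelab, the KDC cannot pick one account, and the script would keep prompting just as before even though the SPN "exists".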


Thanks!



