diff --git a/docs/pages/includes/config-reference/desktop-config.yaml b/docs/pages/includes/config-reference/desktop-config.yaml
index 04ac43e928311..4d00e03fd17df 100644
--- a/docs/pages/includes/config-reference/desktop-config.yaml
+++ b/docs/pages/includes/config-reference/desktop-config.yaml
@@ -21,9 +21,27 @@ windows_desktop_service:
 # For best results, this address should point to a highly-available
 # endpoint (a load balancer, VIP, or round-robin DNS) rather than
 # a single domain controller.
- addr: '$LDAP_SERVER_ADDRESS'
+ addr: '$LDAP_SERVER_ADDRESS'
+ # Optional: the server name to use when validating the LDAP server's
+ # certificate. Useful in cases where addr is an IP but the server
+ # presents a cert with some other hostname.
+ server_name: '$LDAP_SERVER_NAME'
+ # You can skip LDAPS certificate verification by setting
+ # this to true. It is recommended that this be set to false
+ # and the certificate added your system's trusted repository,
+ # or provided as a PEM encoded certificate using ldap_ca_cert variable.
+ # You can provide a filepath with der_ca_file, but this behavior is deprecated.
+ insecure_skip_verify: false
+ # PEM encoded LDAP CA certificate.
+ ldap_ca_cert: |
+ -----BEGIN CERTIFICATE-----
+ *certificate data*
+ -----END CERTIFICATE-----
+ # DER encoded LDAP CA certificate.
+ # deprecated: prefer ldap_ca_cert instead
+ der_ca_file: /path/to/cert
 # Active Directory domain name you are connecting to.
- domain: '$LDAP_DOMAIN_NAME'
+ domain: '$LDAP_DOMAIN_NAME'
 # LDAP username for authentication. This username must include the domain
 # NetBIOS name. The use of single quotes here is intentional in order to
 # avoid the need to escape the backslash (\) character.
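Review bot: The insecure_skip_verify comment on the new side still names only ldap_ca_cert and der_ca_file as the alternatives to disabling verification, even though the hunk now places the new server_name key directly above it, and the reader whose failure is a hostname mismatch (addr is an IP or a load balancer, as the comment above addr recommends) is exactly the one tempted to flip this to true. I would add a line to that comment such as `# If verification fails only because addr does not match the certificate's hostname, set server_name rather than disabling verification.` so the two options are linked. The server_name comment could also say that the CA check still applies, e.g. `# The certificate is still validated against the trust store or ldap_ca_cert.` — the diff only shows the config reference, so whether server_name influences anything beyond hostname matching should be confirmed against the implementation before wording it that way. Minor wording in the same comment: `# and the certificate added to your system's trusted repository,` (missing "to"). The windows_desktop_service mapping these keys belong to starts before the hunk.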
@@ -45,20 +63,7 @@ windows_desktop_service:
 # filter = (&(objectCategory=person)(objectClass=user)(sAMAccountName=$LDAP_USERNAME))
 # and requesting the attribute = objectSid
 sid: '$LDAP_USER_SID'
- # You can skip LDAPS certificate verification by setting
- # this to true. It is recommended that this be set to false
- # and the certificate added your system's trusted repository,
- # or provided as a PEM encoded certificate using ldap_ca_cert variable.
- # You can provide a filepath with der_ca_file, but this behavior is deprecated.
- insecure_skip_verify: false
- # PEM encoded LDAP CA certificate.
- ldap_ca_cert: |
- -----BEGIN CERTIFICATE-----
- *certificate data*
- -----END CERTIFICATE-----
- # DER encoded LDAP CA certificate.
- # deprecated: prefer ldap_ca_cert instead
- der_ca_file: /path/to/cert
+ # (optional) hosts is a list of hostnames to register as WindowsDesktop
 # objects in Teleport. These hosts must be part of the Active Directory