Active directory accounts inside a windows container (server 2016 TP5)

Question

So I have Windows Server 2016 TP5 and I'm playing around with the containers. I am able to do basic docker tasks fine. I'm trying to figure out how to containerize some of our IIS-hosted web applications.

Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don't have a test VM (that is in a domain) so I can't test if this will work inside a container.

If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?

EDIT: Also, if I specify the "USER" in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?

Answer 1

There are at least some scenarios where AD-integration in Docker container actually works:

1. You need to access network resources with AD credentials.
   1. Run cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass> under local identity that needs this access
   2. To apply the same trick to IIS apps without modifying AppPoolIdentity you'll need a simplest .ashx wrapper around cmdkey (Note: you'll have to call this wrapper in run-time, e.g.: during ENTRYPOINT, otherwise network credentials will be mapped to different local identity)
2. You need to run code under AD user
   1. Impersonate using ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT as suggested
3. You need transport layer network security, like when making RPC calls (e.g.: MSDTC) to an AD-based resources.
   1. Set up gMSA by using any guide that suites you best. Note however, that gMSA requires Docker host to be in the domain.