Active directory accounts inside a windows container (server 2016 TP5)

So I have Windows Server 2016 TP5 and I'm playing around with the containers. I am able to do basic docker tasks fine. I'm trying to figure out how to containerize some of our IIS-hosted web applications.

Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don't have a test VM (that is in a domain) so I can't test if this will work inside a container.

If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?

EDIT: Also, if I specify the "USER" in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?

Mel asked Jul 30 '16 18:07


1 Answer

There are at least some scenarios where AD integration in a Docker container actually works:

  1. You need to access network resources with AD credentials.
    1. Run cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass> under the local identity that needs this access.
    2. To apply the same trick to IIS apps without modifying the AppPoolIdentity, you'll need a simple .ashx wrapper around cmdkey. (Note: you'll have to call this wrapper at run time, e.g. during ENTRYPOINT; otherwise the network credentials will be mapped to a different local identity.)
  2. You need to run code under an AD user.
    1. Impersonate using the ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT, as suggested.
  3. You need transport-layer network security, like when making RPC calls (e.g. MSDTC) to AD-based resources.
    1. Set up gMSA by using any guide that suits you best. Note, however, that gMSA requires the Docker host to be in the domain.
Taras Strypko answered Nov 06 '22 13:11
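As an added example (not part of the answer above), this is what the LogonUser impersonation from item 2 looks like in C#, with the integrated-auth database connection from the question as the impersonated action. The domain, account name, server name and the `APP_DOMAIN_PASSWORD` environment variable are placeholders I chose; the password is read at container start so it is never baked into the image layer.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class DomainCredentialImpersonation
{
    // Values from winbase.h. NEW_CREDENTIALS clones the caller's token and swaps only
    // the credentials used for *outbound* network authentication; the local identity
    // of the process (e.g. the app pool identity) does not change.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    // The answer uses LOGON32_PROVIDER_DEFAULT (0); the LogonUser documentation lists
    // LOGON32_PROVIDER_WINNT50 as the provider that supports this logon type.
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    // Runs `action` so that any network authentication it performs uses DOMAIN\user.
    public static void RunWithNetworkCredentials(string domain, string user, string password, Action action)
    {
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out var token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)   // SafeAccessTokenHandle closes the token handle on dispose
        {
            WindowsIdentity.RunImpersonated(token, action);
        }
    }

    static void Main()
    {
        // Placeholder names. The secret is injected at container start
        // (e.g. docker run -e APP_DOMAIN_PASSWORD=...) rather than stored in the image.
        string password = Environment.GetEnvironmentVariable("APP_DOMAIN_PASSWORD")
                          ?? throw new InvalidOperationException("APP_DOMAIN_PASSWORD is not set");

        RunWithNetworkCredentials("CORP", "svc-webapp", password, () =>
        {
            // Integrated Security now authenticates to SQL Server as CORP\svc-webapp,
            // while WindowsIdentity.GetCurrent() inside the container still reports the local account.
            using var conn = new SqlConnection("Server=sql01.corp.example;Database=AppDb;Integrated Security=SSPI");
            conn.Open();
            using var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
            Console.WriteLine($"SQL Server sees login: {cmd.ExecuteScalar()}");
        });
    }
}
```

Because the logon type only affects outbound credentials, `SUSER_SNAME()` on the server is the reliable place to confirm which identity actually authenticated; checking the local token inside the container will not show the domain account.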