I would like to use Windows authentication to access an ASP.NET application, hosted in a Windows Container (in Windows Server 2016 TP4). For this, I presume I need to add the container to the Active Directory domain. Is it all possible to add a Windows Container (or Hyper-V Container) to a domain? There is no clear documentation from Microsoft on this, and I myself tried adding the container to the domain using PowerShell, but with no luck.
If domain joining a Container is not supported, is there any alternative way to enable Windows Authentication in a web application hosted in a Windows or Hyper-V Container?
Any input will be highly appreciated.
The Windows operating system implements a default set of authentication protocols, including Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture.
Kerberos, a network authentication protocol included in the Microsoft Windows operating systems, can now be used in conjunction with Security Support Provider Interface (SSPI) to provide pass-through authentication with secret key cryptography and data integrity.
You can run both Linux and Windows programs and executables in Docker containers. The Docker platform runs natively on Linux (on x86-64, ARM and many other CPU architectures) and on Windows (x86-64). Docker Inc. builds products that let you build and run containers on Linux, Windows and macOS.
Microsoft recently provided a solution for containers accessing resources using domain credentials: group managed service accounts.
Although Windows Containers cannot be domain-joined, they can also take advantage of Active Directory domain identities similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called a group Managed Service Account (gMSA) which was designed to be shared by services.
Additionally, here's a guide that walks through the specific steps in detail, covering the following:
Deploying containers with an emulated domain identity is simple, and based around existing workflows using Windows Server and Active Directory.
Deploying this feature requires:
- An existing Active Directory domain, running at Windows Server 2012 or later functional level
- Windows Server 2016 with the Container role and Docker installed. This will be referred to as a Container host. These hosts need to be joined to the domain.
This guide will cover the following steps to deploy a container in detail:
- Create a group Managed Service Account in the Active Directory for each application/service
- Give each container host access to use the group Managed Service Account
- Add configuration files on each container host that store details about the group Managed Service Accounts. These will be referred to as Credential Specs
- Start containers with a parameter telling which credential spec to use
Extract of the Windows Containers - Work in progress
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With