Windows authentication of an application hosted in Windows Container

I would like to use Windows authentication to access an ASP.NET application, hosted in a Windows Container (in Windows Server 2016 TP4). For this, I presume I need to add the container to the Active Directory domain. Is it at all possible to add a Windows Container (or Hyper-V Container) to a domain? There is no clear documentation from Microsoft on this, and I myself tried adding the container to the domain using PowerShell, but with no luck.

If domain joining a Container is not supported, is there any alternative way to enable Windows Authentication in a web application hosted in a Windows or Hyper-V Container?

Any input will be highly appreciated.

Tanmoy Sengupta asked Jan 08 '16 12:01



2 Answers

Microsoft recently provided a solution for containers accessing resources using domain credentials: group managed service accounts.

Although Windows Containers cannot be domain-joined, they can also take advantage of Active Directory domain identities similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called a group Managed Service Account (gMSA) which was designed to be shared by services.

Additionally, here's a guide that walks through the specific steps in detail, covering the following:

Deploying containers with an emulated domain identity is simple, and based around existing workflows using Windows Server and Active Directory.

Deploying this feature requires:

  • An existing Active Directory domain, running at Windows Server 2012 or later functional level
  • Windows Server 2016 with the Container role and Docker installed. This will be referred to as a Container host. These hosts need to be joined to the domain.

This guide will cover the following steps to deploy a container in detail:

  1. Create a group Managed Service Account in the Active Directory for each application/service
  2. Give each container host access to use the group Managed Service Account
  3. Add configuration files on each container host that store details about the group Managed Service Accounts. These will be referred to as Credential Specs
  4. Start containers with a parameter telling which credential spec to use

Michael Fredrickson answered Sep 21 '22 13:09
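
The four steps listed in the guide quoted above, as an added PowerShell example that is not part of the original answer or of Microsoft's guide. The domain `contoso.com`, the account `WebApp01`, the group `WebApp01Hosts`, the host `CONTAINERHOST01`, the credential spec file name and the image `my-aspnet-app` are placeholders chosen for illustration.

```powershell
# Added example. Placeholders (assumptions): contoso.com, WebApp01, WebApp01Hosts,
# CONTAINERHOST01, contoso_webapp01.json, my-aspnet-app.

# --- On a machine with the ActiveDirectory module, with domain admin rights ---
Import-Module ActiveDirectory

# Prerequisite, once per forest: gMSA passwords are derived from a KDS root key.
# A newly created key can take up to 10 hours to become usable on all DCs.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Groundwork for step 2: a group that contains only the container hosts.
# Scoping password retrieval to this group keeps the account least-privileged.
New-ADGroup -Name 'WebApp01Hosts' -SamAccountName 'WebApp01Hosts' -GroupScope DomainLocal
Add-ADGroupMember -Identity 'WebApp01Hosts' -Members 'CONTAINERHOST01$'

# Step 1: one gMSA per application/service.
# Step 2: only members of WebApp01Hosts may retrieve its managed password.
New-ADServiceAccount -Name 'WebApp01' `
    -DNSHostName 'webapp01.contoso.com' `
    -ServicePrincipalNames 'HTTP/webapp01', 'HTTP/webapp01.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebApp01Hosts'

# --- On each domain-joined container host ---
# Restart the host first so its new group membership takes effect.
Install-WindowsFeature RSAT-AD-PowerShell

# Check for step 2: prints True when this host can retrieve the gMSA password.
Test-ADServiceAccount -Identity 'WebApp01'

# Step 3: write the credential spec (a JSON file holding account metadata,
# not the password) into Docker's CredentialSpecs directory.
Install-Module CredentialSpec
New-CredentialSpec -AccountName 'WebApp01'
Get-CredentialSpec    # lists the spec files; the name used below is assumed

# Step 4: start the container with the credential spec.
# On Windows Server 2016 the container hostname must match the gMSA name.
$id = docker run -d --hostname webapp01 `
    --security-opt "credentialspec=file://contoso_webapp01.json" `
    my-aspnet-app

# Confirm the container has a working secure channel to the domain.
docker exec $id nltest /sc_verify:contoso.com
```

Inside the container, the gMSA identity is used by processes that run as Local System or Network Service, so the IIS application pool needs to run under one of those accounts for Windows authentication to work.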


Extract of the Windows Containers - Work in progress

"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."

nilleb answered Sep 17 '22 13:09