Windows authentication for an application hosted in a Windows container

I would like to use Windows authentication to access an ASP.NET application hosted in a Windows container (on Windows Server 2016 TP4). For this, I assume that I need to add the container to the Active Directory domain. Can I add a Windows Container (or Hyper-V Container) to a domain? Microsoft's documentation is not clear on this, and I myself tried to add the container to the domain using PowerShell, but no luck.

If the domain connecting the container is not supported, is there an alternative way to enable Windows authentication in a web application hosted in a Windows or Hyper-V container?

Any input is appreciated.

+5
2 answers

Microsoft recently provided a solution for containers accessing resources using domain credentials: group Managed Service Accounts.

Although Windows Containers cannot be joined to a domain, they can still use Active Directory domain identities, similar to when the device is connected to the network. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called the group Managed Service Account (gMSA), which was designed to be shared between services.

In addition, here is a guide detailing the specific steps, covering the following:

Deploying containers with an emulated domain identity is simple and based on existing workflows using Windows Server and Active Directory.

To deploy this feature, you need:

  • An existing Active Directory domain running at the Windows Server 2012 functional level or later
  • Windows Server 2016 with the Containers role and Docker installed. This will be referred to as the Container Host. These hosts must be joined to the domain.

This guide will cover the following steps for deploying a container in detail:

  • Create a group Managed Service Account in Active Directory for each application / service
  • Grant each container host access to the group Managed Service Account
  • Add configuration files to each container that store information about the group Managed Service Account. These will be called credential specs.
  • Start containers with a parameter indicating which credential spec to use
+2
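The four steps of the guide quoted in the answer above, carried through end to end as an added PowerShell example (not code from the answer or from Microsoft's guide). The domain `contoso.com`, the gMSA name `WebApp01`, the host group `ContainerHosts`, the host computer account `CHOST01$`, the site name `webapp.contoso.com` and the IIS image are all assumed placeholders; the credential spec JSON is written directly so that every field the host hands to Docker is visible.

```powershell
# Added example: gMSA + credential spec setup for a Windows container host.
# All names below are assumptions; replace them with values from your own domain.

#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'

$Domain      = 'contoso.com'         # AD domain (assumption)
$AccountName = 'WebApp01'            # gMSA name; also becomes the container hostname (assumption)
$HostGroup   = 'ContainerHosts'      # AD group of container hosts allowed to use the gMSA (assumption)
$HostAccount = 'CHOST01$'            # computer account of this container host (assumption)
$SiteFqdn    = 'webapp.contoso.com'  # DNS name clients use, needed for Kerberos SPNs (assumption)

# --- Step 1 (run by a domain admin): create the gMSA ------------------------------
# gMSA passwords are derived from the KDS root key; a domain that never used gMSAs has none.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately is fine for a lab; in production allow ~10 hours for replication.
    Add-KdsRootKey -EffectiveImmediately
}

# Restrict password retrieval to a group containing only container hosts (least privilege).
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global
}
Add-ADGroupMember -Identity $HostGroup -Members $HostAccount

# SPNs on the gMSA let clients request Kerberos tickets for the web app; without them
# Windows authentication silently falls back to NTLM or fails.
New-ADServiceAccount -Name $AccountName `
    -DNSHostName "$AccountName.$Domain" `
    -ServicePrincipalNames "HTTP/$SiteFqdn", "HTTP/$($SiteFqdn.Split('.')[0])" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup

# --- Step 2 (on each container host, after a reboot so the new group membership
#     is in the host's token): prove the host can retrieve the gMSA password ---------
Install-ADServiceAccount -Identity $AccountName
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "Host cannot retrieve the password for $AccountName; check $HostGroup membership."
}

# --- Step 3: write the credential spec the Docker daemon reads -----------------------
# Field layout is the documented credential spec format; Docker expects the file under
# %ProgramData%\Docker\CredentialSpecs when referenced with file://<name>.
$ad   = Get-ADDomain -Identity $Domain
$spec = [ordered]@{
    CmsPlugins = @('ActiveDirectory')
    DomainJoinConfig = [ordered]@{
        Sid                = $ad.DomainSID.Value
        MachineAccountName = $AccountName
        Guid               = $ad.ObjectGUID.ToString()
        DnsTreeName        = $ad.Forest
        DnsName            = $ad.DNSRoot
        NetBiosName        = $ad.NetBIOSName
    }
    ActiveDirectoryConfig = [ordered]@{
        GroupManagedServiceAccounts = @(
            [ordered]@{ Name = $AccountName; Scope = $ad.DNSRoot },
            [ordered]@{ Name = $AccountName; Scope = $ad.NetBIOSName }
        )
    }
}
$specDir  = Join-Path $env:ProgramData 'Docker\CredentialSpecs'
New-Item -ItemType Directory -Path $specDir -Force | Out-Null
$specFile = Join-Path $specDir "$AccountName.json"
$spec | ConvertTo-Json -Depth 5 | Set-Content -Path $specFile -Encoding ASCII

# --- Step 4: start the container with the credential spec ---------------------------
# Inside the container, processes running as LocalSystem or NetworkService (the default
# IIS application pool identity) act as the gMSA on the network. On Windows Server 2016
# the container hostname must equal the gMSA name or Kerberos ticket validation fails.
docker run -d --security-opt "credentialspec=file://$AccountName.json" `
    --hostname $AccountName -p 80:80 mcr.microsoft.com/windows/servercore/iis   # image is an assumption
```

The credential spec contains no secret: it only names the domain and the gMSA, and the host retrieves the actual password from Active Directory at container start, which is why step 2's `Test-ADServiceAccount` check on the host is the first thing to look at when authentication inside the container fails. Microsoft's `CredentialSpec` PowerShell module can generate the same JSON, but building it by hand shows exactly which identity the container will present.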

Removing Windows Containers - Work In Progress

"Containers cannot join Active Directory domains and cannot run services or applications as domain users, service accounts, or computer accounts."

+1

Source: https://habr.com/ru/post/1240169/
