Active Directory accounts inside a Windows container (Server 2016 TP5)

Solution 1

Update: this answer is no longer relevant - it was for 2016 TP5. AD support has been added in later releases.

Original answer: Quick answer - no, containers are not supported as part of AD, so you can't use AD accounts to run processes within a container or authenticate with it.

This used to be mentioned on the MS Containers site but the original link now redirects.

Original wording (CTP 3 or 4?): "Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."

I don't know if that will change in a later release.

Someone tried to hack around it but with no joy.

Solution 2

There are at least some scenarios where AD integration in a Docker container actually works:

  1. You need to access network resources with AD credentials.
    1. Run `cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass>` under the local identity that needs this access.
    2. To apply the same trick to IIS apps without modifying the AppPoolIdentity, you'll need a simple .ashx wrapper around cmdkey (Note: you'll have to call this wrapper at run time, e.g. during ENTRYPOINT; otherwise the network credentials will be mapped to a different local identity).
  2. You need to run code under an AD user.
    1. Impersonate using the ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT, as suggested.
  3. You need transport-layer network security, like when making RPC calls (e.g. MSDTC) to AD-based resources.
    1. Set up a gMSA by using any guide that suits you best. Note however that gMSA requires the Docker host to be in the domain.
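Scenarios 1 and 2 above both rely on the same Windows mechanism: a token that keeps the process's local identity but carries different credentials for outbound connections. This is an added C# example, not code from the answer, showing the LogonUser call with LOGON32_LOGON_NEW_CREDENTIALS via P/Invoke. It uses LOGON32_PROVIDER_WINNT50 because the LogonUser documentation names it as the provider for this logon type; the domain, user name, share and secret-file path are constructed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example (not from the answer). Assumes .NET Framework 4.6+ or .NET Core on Windows.
static class NewCredentialsImpersonation
{
    // Logon type 9 clones the caller's token and swaps in new credentials for OUTBOUND use only;
    // local identity, file permissions and process privileges inside the container do not change.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    // Documented as the provider that supports logon type 9.
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    // Runs 'action' so that SMB, SQL and similar connections authenticate as domain\user.
    // LogonUser does not verify the password for this logon type: a wrong password only
    // shows up as an access-denied error on the first network call, so test the path explicitly.
    public static void RunWithNetworkCredentials(string domain, string user, string password, Action action)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            WindowsIdentity.RunImpersonated(token, action);
        }
    }

    public static void Main()
    {
        // Assumed: the password is injected at run time from a mounted secret file
        // (placeholder path), never written into a Dockerfile layer or an environment variable.
        string password = File.ReadAllText(@"C:\ProgramData\Docker\secrets\svc-password").Trim();

        RunWithNetworkCredentials("CONTOSO", "svc-web", password, () =>
        {
            // Constructed UNC share; this access is authenticated as CONTOSO\svc-web.
            foreach (string f in Directory.GetFiles(@"\\fileserver\share"))
                Console.WriteLine(f);
        });
    }
}
```

In an IIS app the same call belongs inside the worker process (e.g. the .ashx wrapper mentioned in step 1.2), since the cloned token is tied to the identity that created it.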

Solution 3

You can't join containers to a domain but if your app needs to authenticate then you can use managed service accounts. Saves you the hassle of having to deal with packaging passwords.

https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_serviceaccounts

Author by Mel

Updated on June 04, 2022

Comments

  • Mel almost 2 years

    So I have Windows Server 2016 TP5 and I'm playing around with the containers. I am able to do basic docker tasks fine. I'm trying to figure out how to containerize some of our IIS-hosted web applications.

    Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don't have a test VM (that is in a domain) so I can't test if this will work inside a container.

    If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?

    EDIT: Also, if I specify the "USER" in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?

  • sschoof about 7 years
    Active Directory Service Accounts for Windows Containers has this information now: "Although Windows Containers cannot be domain-joined, ..."
  • Daniel Leach over 6 years
    If you are using a CNAME for the server, cmdkey <network-resource-uri> needs to be the actual server name and not the CNAME.