Active directory accounts inside a windows container (server 2016 TP5)
Solution 1
Update: this answer is no longer relevant - was for 2016 TP5. AD support has been added in later releases
Original answer Quick answer - no, containers are not supported as part of AD so you can't use AD accounts to run processes within a container or authenticate with it
This used to be mentioned on the MS Containers site but the original link now redirects.
Original wording (CTP 3 or 4?): "Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
I don't know if that will change in a later release.
Someone tried to hack around it but with no joy.
Solution 2
There are at least some scenarios where AD-integration in Docker container actually works:
- You need to access network resources with AD credentials.
- Run cmdkey /add:
<network-resource-uri>[:port]
/user:<ad-user>
/pass:<pass>
under local identity that needs this access - To apply the same trick to IIS apps without modifying AppPoolIdentity you'll need a simplest .ashx wrapper around cmdkey (Note: you'll have to call this wrapper in run-time, e.g.: during ENTRYPOINT, otherwise network credentials will be mapped to different local identity)
- Run cmdkey /add:
- You need to run code under AD user
- Impersonate using ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT as suggested
- You need transport layer network security, like when making RPC calls (e.g.: MSDTC) to an AD-based resources.
- Set up gMSA by using any guide that suites you best. Note however, that gMSA requires Docker host to be in the domain.
Solution 3
You can't join containers to a domain but if your app needs to authenticate then you can use managed service accounts. Saves you the hassle of having to deal with packaging passwords.
https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_serviceaccounts
Related videos on Youtube
Mel
Updated on June 04, 2022Comments
-
Mel almost 2 years
So I have Windows Server 2016 TP5 and I'm playing around with the containers. I am able to do basic docker tasks fine. I'm trying to figure out how to containerize some of our IIS-hosted web applications.
Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don't have a test VM (that is in a domain) so I can't test if this will work inside a container.
If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?
EDIT: Also, if I specify the "USER" in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?
-
sschoof about 7 yearsActive Directory Service Accounts for Windows Containers has this information now: "Although Windows Containers cannot be domain-joined, ..."
-
Daniel Leach over 6 yearsIf you are using a CNAME for the server, cmdkey <network-resource-uri> needs to be the actual server name and not the CNAME.