The walkthrough below enables Integrated Windows Authentication for a Windows Docker container in an Active Directory environment.
Overview of the steps:
- Create a Global Security group "Container Hosts" in Active Directory
- Add the container host servers to this group, which is allowed to retrieve (decrypt) the gMSA account password
- Reboot the container host so its computer account has the proper group membership
- Create the gMSA account in Active Directory
- Install the gMSA account on the container host
- Add an SPN record to the gMSA account
- Generate the credentialspecs file to be passed to the docker daemon during container startup
- Launch the docker container with the proper parameters
Detailed implementation steps are below.
Create Global Security group "Container Hosts" in Active Directory
Add the computer account for the container host to the "Container Hosts" group
Reboot the container host computer
This step is required so the computer account will have the proper AD group associated with it; the new group membership only takes effect once the computer account logs on again.
Create GMSA account in Active Directory
On the domain controller execute:
Import-Module ActiveDirectory
# Create the KDS root key. Backdating the effective time makes it usable immediately (lab shortcut);
# in production use the default and wait for replication. Only needed once per forest.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
# Create the gMSA and restrict who may retrieve its managed password to DCs, Domain Admins and the Container Hosts group
New-ADServiceAccount -Name containerhost -DNSHostName servicefabric.ad.local -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers", "domain admins", "CN=Container Hosts,CN=Builtin, DC=ad, DC=local" -KerberosEncryptionType RC4, AES128, AES256
Install GMSA account on container host and test it
# Install the AD PowerShell module on the container host, then install and test the gMSA
Enable-WindowsOptionalFeature -FeatureName ActiveDirectory-Powershell -Online -All
Get-ADServiceAccount -Identity containerhost
Install-ADServiceAccount -Identity containerhost
Test-ADServiceAccount -Identity containerhost
The output should not contain any errors and will look like this (the last line, True, is the result of Test-ADServiceAccount):
Path :
Online : True
RestartNeeded : False
DistinguishedName : CN=containerhost,CN=Managed Service Accounts,DC=ad,DC=local
Enabled : True
Name : containerhost
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 12941984-5fd3-4095-96f9-cbd96902eb36
SamAccountName : containerhost$
SID : S-1-5-21-3914853822-719528391-929614657-1606
UserPrincipalName :
True
Add SPN record to GMSA account
This step is required for Kerberos authentication to work and for automatic login in Chrome/IE. Without it, authentication will still work but will always prompt for username/password, since it falls back to NTLM.
Launch adsiedit.msc on the domain controller and add the SPN HTTP/containerhost1.ad.local to the GMSA account.
Generate credentialspecs file to be passed to docker daemon during container startup
Execute the PowerShell below to generate your GMSA configuration file, which will be used by docker to enable Windows Authentication:
# Download the CredentialSpec helper module published by Microsoft and import it
Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1" -UseBasicParsing -OutFile "$env:TEMP\cred.psm1"
Import-Module "$env:TEMP\cred.psm1"
# Create a credential spec named "win" for the gMSA account "containerhost"
New-CredentialSpec -Name win -AccountName containerhost
# This will return the location and name of the JSON file
Get-CredentialSpec

Name Path
---- ----
win  C:\ProgramData\docker\CredentialSpecs\win.json
Launch docker container with proper parameters
Launch docker with parameters specifying the gMSA account name (as the container hostname) as well as the credential specs file:
docker run -d -p 8080:80 -h containerhost --security-opt "credentialspec=file://win.json" artisticcheese/winauth:servercore
You can use my image artisticcheese/winauth:servercore to test whether this solution works. The image has just plain vanilla IIS with Windows Authentication enabled and a default page showing which account you are logged on as. This image is based on the 1709 version of Windows Server Core, so make sure your host is at 1709 or above.
Now if you access your container host on port 8080 from any domain-joined machine you will be automatically authenticated. If you try to access your container host via IP address you will be prompted for username/password, since IE/Chrome will assume you are accessing an external computer and hence will not automatically log you on.
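A preflight script that verifies the steps above on the container host before launching the container. It is an added example, not code from the original post or from Microsoft's module; it assumes the post's names (gMSA containerhost, SPN HTTP/containerhost1.ad.local, credential spec win.json), that Windows Server version 1709 corresponds to build 16299, and the JSON layout written by New-CredentialSpec.

```powershell
# Added preflight check for the gMSA walkthrough (not part of the original post).
# Run on the container host as a local administrator; all names are parameters.
param(
    [string]$Account  = 'containerhost',                                   # gMSA name from the post
    [string]$Spn      = 'HTTP/containerhost1.ad.local',                    # SPN from the post
    [string]$CredSpec = 'C:\ProgramData\docker\CredentialSpecs\win.json',  # written by New-CredentialSpec
    [int]$MinBuild    = 16299                                              # Windows Server version 1709
)
Import-Module ActiveDirectory -ErrorAction Stop
$failed = $false
function Check([string]$Name, [bool]$Ok, [string]$Hint) {
    if ($Ok) { Write-Host "[PASS] $Name" -ForegroundColor Green }
    else     { Write-Host "[FAIL] $Name - $Hint" -ForegroundColor Red; $script:failed = $true }
}

# 1. Host OS build must be at least the image's base build; older hosts fail to register the image layers.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
Check "Host build $build >= $MinBuild" ($build -ge $MinBuild) 'Image base is newer than the host OS'

# 2. The host's computer account can retrieve the managed password (group membership applies after the reboot).
$ok = [bool](Test-ADServiceAccount -Identity $Account -ErrorAction SilentlyContinue)
Check "Test-ADServiceAccount $Account" $ok 'Host not in the Container Hosts group, or not rebooted since it was added'

# 3. The SPN is registered on the gMSA and on no other object. A missing SPN falls back to NTLM prompts;
#    a duplicate SPN breaks Kerberos ("target principal name is incorrect" / "Cannot generate SSPI context").
$gmsa = Get-ADServiceAccount -Identity $Account -Properties ServicePrincipalNames
Check "SPN $Spn registered on $Account" ($gmsa.ServicePrincipalNames -contains $Spn) "Set-ADServiceAccount -Identity $Account -ServicePrincipalNames @{Add='$Spn'}"
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
Check "SPN $Spn is unique" ($owners.Count -le 1) ("Also registered on: " + ($owners.DistinguishedName -join '; '))

# 4. The credential spec exists and names this gMSA (ActiveDirectoryConfig.GroupManagedServiceAccounts[].Name,
#    the layout New-CredentialSpec writes; assumption).
if (Test-Path $CredSpec) {
    $spec  = Get-Content $CredSpec -Raw | ConvertFrom-Json
    $names = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts | ForEach-Object Name)
    Check "Credential spec names $Account" ($names -contains $Account) "File lists: $($names -join ', ')"
} else {
    Check "Credential spec present at $CredSpec" $false 'Run New-CredentialSpec first'
}

if ($failed) { exit 1 }
# The container hostname (-h) is passed as the gMSA name, matching the post's docker run line.
Write-Host "All checks passed. Launch with: docker run -h $Account --security-opt credentialspec=file://$(Split-Path $CredSpec -Leaf) <image>"
```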
Anyone else having issues with the container?
Unable to find image 'artisticcheese/winauth:servercore' locally
servercore: Pulling from artisticcheese/winauth
C:\Program Files\Docker\docker.exe: failed to register layer: re-exec error: exit status 1: output: time="2018-04-11T10:23:08-04:00" level=error msg="hcsshim::ImportLayer failed in Win32: The system cannot find the file specified. (0x2) layerId=\\\\?\\C:\\ProgramData\\docker\\windowsfilter\\af0cae803fda00802b0160ed65f57cbb06a42326ffab05c4494625172965847b flavour=1 folder=C:\\ProgramData\\docker\\tmp\\hcs501744831"
hcsshim::ImportLayer failed in Win32: The system cannot find the file specified. (0x2) layerId=\\?\C:\ProgramData\docker\windowsfilter\af0cae803fda00802b0160ed65f57cbb06a42326ffab05c4494625172965847b flavour=1 folder=C:\ProgramData\docker\tmp\hcs501744831.
See 'C:\Program Files\Docker\docker.exe run --help'.
PS C:\>
thank you

Can you just download something like `microsoft/iis`?

I am also facing the same issue.

Which issue?

I want to test Windows authentication for a container. I tried to pull the image artisticcheese/winauth:servercore but I am getting errors.

Can you pull the microsoft/iis image directly?

Has anyone been able to get this to work on Windows 10? This all works perfectly on Server 2016 nodes, but Windows 10 times out when trying to run with --security-opt and the credential spec file. MS says this isn't supported, and if that's the case, I'm wondering what MS feels should be the workflow for local container development if you can't do something as simple as authenticating to SQL data via a container running on your Windows 10 machine.

It works in Windows 10 too; just some versions are bugged out. You'd have to wait for Microsoft to fix the issue. A new version is around the corner and I would assume the fix will be there.

Hmm, yeah, I have tried 1607 and 1709 and no dice. Users have also reported this issue on 1803: time out when running the container. I talked with MS Premier support and my support rep, and I was told: "Microsoft does not engage on any Docker issues where the configuration is not WS2016 with Docker Enterprise Edition installed. That means no Design Change Request will be accepted. The bottom line is that this is NOT supported by Microsoft; the customer needs to engage Docker support at their website:
https://www.docker.com/get-docker (Docker website with product information), click on the link that says learn more about EE and it should direct you to the right option."

Well, not sure what can be done here really, except raising a big stink in the docker forums maybe.

I already have the microsoft/iis image and on top of that I also have a REST API configured in the IIS container, but I was not able to make Windows authentication work. I wanted to troubleshoot what is wrong. Also I might need to find out whether anything is wrong with my REST API install and configuration in IIS, so that's why I wanted to test your image, so that I can get a reply showing that the credentials I am passing are successfully received by the container. I am also looking into Get-EventLog -LogName Security but not getting any updates or latest updates. How can I troubleshoot whether Windows auth for containers is properly configured or not?

What version of Windows 10 do you have, as well as what docker version do you have? `docker info` will provide that information.

@artisticcheese How can I test whether logon is successful or not? My website is not returning anything. How can I troubleshoot this?

You have to log in to the running container and look at the event logs etc.

I have 3 computers.
The first: Domain computer (Windows Server 2012)
The second: My computer (Windows 10), with docker installed
The last: Docker container.
How can I use Active Directory on the docker container?

That's what the article above explains.

In your example, if you wanted to access the container behind DNS (e.g. containerhost1.arcticcheese.com) would you add another SPN with that full path?

Yes, but I did not test this scenario.

I have everything set up. I have Windows auth enabled on an application our company is trying to containerize and I keep getting interesting errors. One recurring one is "The trust relationship between this workstation and the primary domain failed". After tweaking some auth settings to use NTLM, I get the prompt to come up but I get a 401 error, user not authorized. The only step I did not take in this walkthrough is the SPN, as I want to see the pop-up, but we just can't get this simple auth app to work.

I tried to download your image just to test that my gMSA was working, and I tried on multiple servers and I get this:
failed to register layer: re-exec error: exit status 1: output: time="2018-07-24T11:23:53-04:00" level=error msg="hcsshim::ImportLayer failed in Win32: The system cannot find the file specified. (0x2) layerId=\\\\?\\C:\\ProgramData\\docker\\windowsfilter\\6cfead0c18581cf58a3ad696425762bca02bed59ed8cb2195124ace8b65221c1 flavour=1 folder=C:\\Windows\\TEMP\\hcs492445243"
hcsshim::ImportLayer failed in Win32: The system cannot find the file specified. (0x2) layerId=\\?\C:\ProgramData\docker\windowsfilter\6cfead0c18581cf58a3ad696425762bca02bed59ed8cb2195124ace8b65221c1 flavour=1 folder=C:\Windows\TEMP\hcs492445243

What version of OS are you running this on? It might be due to a version mismatch of the base image. The image is based on the 1709 version of the base image, so make sure your container host OS is 1709 or greater.

Well, I ended up also doing my own base image with Windows Auth enabled, and I get the prompt for auth but it never authenticates, it just keeps saying unauthorized.

I also performed all the tests listed here and they all passed: https://gist.github.com/PatrickLang/27c743782fca17b19bf94490cbb6f960
Still doing more testing.

So what I am getting is 401 access denied when using my domain account. I have no idea at this point; everything looks correct.

It's quite a useful article. All steps are successful except "If you try to access your containerhost via IP address then you will be prompted for username/password since IE/chrome will assume you are accessing external computer and hence will not automatically log you on".
Even when I'm using containerhost1 (added to the hosts file and AD), not the IP, I am still prompted for username/password. Anything wrong here?

Automatic authentication in IE/Chrome is driven by how your OS is set up to automatically provide username/password for "trusted" sites and what a "trusted" site is limited to. This can be governed by IE settings, which are pushed by group policy or your image. You'd have to play around with IE settings specifically for this sort of scenario. It's impossible to tell what makes your setup different from the one I tested it in.

Thank you for this blog. I keep running into
Server Error in '/' Application.
The target principal name is incorrect. Cannot generate SSPI context.
Able to reproduce that even with PowerShell:
docker exec -it --user "NT AUTHORITY\NETWORK SERVICE" ac-test1 powershell
Invoke-Sqlcmd -ServerInstance hostmachine.sec.local -Query 'select 123'
I have created the containerhost.sec.local gMSA account as outlined here, with the only modification on the service principal names; I added these:
MSSQLsvc/containerhost.sec.local
MSSQLsvc/containerhost.sec.local:1433
MSSQLsvc/containerhost
MSSQLsvc/containerhost:1433
along with host and http in the service principal names. What could I be missing?