Extending windows authentication in docker containers in accessing cross container resources

 

Below is walkthrough how to enable application pool identity in IIS to access SQL server running in separate container and on separate host with Integrated Windows Authentication.

Please follow my previous blog post here to setup your environment for integrated windows authentication.

My environment is consists of following:

  • Active Directory Domain running on single domain controller called DC1 and called ad.local
  • Host called IIS and SQL with windows containers feature installed
  • The rest of setup is the same as in blog post mentioned above

All the scripts and docker related files are in github repo here

IIS setup

IIS dockerfile is called iis.dockerfile.

It’s based off microsot/iis image with addition of installation of ASP.NET and copying 2 files over which will be used to access SQL server running in container on separate host.

ENTRYPOINT is modifed to add ad.local\Domain Admins group to local Administrators. I was surprised to find out that actual container actually considers itself a rightfull member of active directory domain and you can perform similar tasks you would expect on domain joined member server inside container.

For example you can use WMI straight up from host into running container using your logged on domain credentials to host. Example below showing me using my domain account ad.local\gregoryto execute WMI against running Windows container which reports itself as domain joined member server with the name of containerhostas you can see no -credential parameter is needed to be specified.

sql.aspx file container single line code which outputs information about what account is used to authenticate against remote SQL server and what is IP address of that server.

Image is available dockerhub if you don’t want to build it yourself and called artisticcheese/crosscontaineriis

SQL setup

SQL server is based off  microsoft/mssql-server-windows-developer image with modification done to ENTRYPOINT for the image to create and add containerhost$ GMSA account to sysadmin role on server. It’s expessed in 2 lines added to ENTRYPOINT start.ps1 file

invoke-sqlcmd -Query 'create login [ad\containerhost$] from windows'

invoke-sqlcmd -Query 'ALTER SERVER ROLE sysadmin ADD MEMBER [ad\containerhost$]'
Image is available on dockerhub if you don’t want to build it yourself artisticcheese/crosscontainersql

 Setting up environment and results

Run container on IIS host

docker run -d --rm -p 80:80 -h containerhost --name iis --security-opt "credentialspec=file://win.json" artisticcheese/crosscontaineriis
Run SQL server on SQL host
docker run -d --rm -h containerhost --name sql -e sa_password=A123456! -e ACCEPT_EULA=Y --security-opt "credentialspec=file://win.json" artisticcheese/crosscontainersql
Accessing sql.aspx file on IIS host shall result in following message being displayed showing that IIS running inside container with default application pool identity successfully connected
chrome_2018-01-27_19-00-08

Storing arbitrary text file in Azure Key Vault as secrets (SSH keys, CER files etc)

Azure KeyVault provides auditable, RBAC controlled access to Azure primitive like secrets which by default usually a simple string consisting of password or connection string and similar.

It’s possible to store complete text files in secrets which is useful if you want to store SSH keys and such and still have all the benefits of Azure Key Vault.

Powershell way

To store any text file in AzureKeyVault secret Set-AzureKeyVaultSecret cmdlet shall be used and contents of the file shall be passed as SecureString to SecretValue parameter.

For example following powershell script will store file rootCA.cer file as secret in Vault

To retrieve it we can use help of PSCredentialObject to convert securestring to plaintext and save it as a file.

You can save it then to file system and have identical certificate to then one which is uploaded

[PSCredential]::new(“user”,(Get-AzureKeyVaultSecret -Name rootca -VaultName MyKeyVault).SecretValue).GetNetworkCredential().Password | out-file ‘c:\test\retrieved.cer’ -Encoding utf8

Azure CLI way

Somewhat easier way to perform entire manipulation can be done with Azure CLI

To upload secret

To download secret

PS C:\>az keyvault secret download –name rootca –vault-name mykeyvault –file C:\test\retrieved.cer