Extending windows authentication in docker containers in accessing cross container resources

 

Below is a walkthrough of how to let the IIS application pool identity access a SQL Server instance running in a separate container on a separate host, using Integrated Windows Authentication.

Please follow my previous blog post here to set up your environment for Integrated Windows Authentication.

My environment consists of the following:

  • An Active Directory domain called ad.local, running on a single domain controller called DC1
  • Two hosts called IIS and SQL, each with the Windows Containers feature installed
  • The rest of the setup is the same as in the blog post mentioned above

All the scripts and Docker-related files are in the GitHub repo here.

IIS setup

The IIS Dockerfile is called iis.dockerfile.

It’s based off the microsoft/iis image, with the addition of installing ASP.NET and copying over 2 files which will be used to access the SQL Server instance running in a container on the separate host.

The ENTRYPOINT is modified to add the ad.local\Domain Admins group to the local Administrators group. I was surprised to find out that the container actually considers itself a rightful member of the Active Directory domain, and you can perform inside the container the same tasks you would expect to perform on a domain-joined member server.

For example, you can use WMI straight from the host against the running container using the domain credentials you are logged on to the host with. The example below shows me using my domain account ad.local\gregory to execute WMI against a running Windows container, which reports itself as a domain-joined member server with the name containerhost; as you can see, no -Credential parameter needs to be specified.

PS C:\Windows\system32> get-wmiobject -ComputerName 172.19.173.92 -Class win32_computersystem
Domain : ad.local
Manufacturer : Microsoft Corporation
Model : Virtual Machine
Name : CONTAINERHOST
PrimaryOwnerName :
TotalPhysicalMemory : 4105752576


The sql.aspx file contains a single line of code which outputs which account was used to authenticate against the remote SQL Server and what the IP address of that server is.

The image is available on Docker Hub if you don’t want to build it yourself, and is called artisticcheese/crosscontaineriis.

SQL setup

SQL Server is based off the microsoft/mssql-server-windows-developer image, with a modification to the ENTRYPOINT to create a login for the containerhost$ gMSA account and add it to the sysadmin server role. It’s expressed in 2 lines added to the ENTRYPOINT start.ps1 file:

invoke-sqlcmd -Query 'create login [ad\containerhost$] from windows'

invoke-sqlcmd -Query 'ALTER SERVER ROLE sysadmin ADD MEMBER [ad\containerhost$]'
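The post grants the gMSA the sysadmin server role, which is the quickest way to get the demo working. As an added example (not the post’s own start.ps1 and not in its repo), the same ENTRYPOINT step can be scoped to a single database instead, so the IIS container’s identity can read and write application data without server-wide rights. The database name AppDb is an assumed placeholder; the login name is the one the post uses.

```powershell
# Added example, not the post's start.ps1: same provisioning step, but scoped to
# one database instead of the sysadmin server role. 'AppDb' is an assumed name.
$gmsaLogin = 'ad\containerhost$'   # the gMSA the IIS container runs as (from the post)
$dbName    = 'AppDb'               # assumption: the application's database

# Idempotent so the ENTRYPOINT can run on every container start
Invoke-Sqlcmd -Query "IF SUSER_ID('$gmsaLogin') IS NULL CREATE LOGIN [$gmsaLogin] FROM WINDOWS;"
Invoke-Sqlcmd -Query "IF DB_ID('$dbName') IS NULL CREATE DATABASE [$dbName];"

# Map the login to a database user and grant only the fixed database roles it needs
Invoke-Sqlcmd -Database $dbName -Query @"
IF DATABASE_PRINCIPAL_ID('$gmsaLogin') IS NULL
    CREATE USER [$gmsaLogin] FOR LOGIN [$gmsaLogin];
ALTER ROLE db_datareader ADD MEMBER [$gmsaLogin];
ALTER ROLE db_datawriter ADD MEMBER [$gmsaLogin];
"@
```

Because the gMSA is shared by every container started with the same credential spec, whatever role it holds on the server is effectively held by all of them, which is the main reason to keep the grant narrow.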
The image is available on Docker Hub if you don’t want to build it yourself: artisticcheese/crosscontainersql

Setting up environment and results

Run the IIS container on the IIS host:

docker run -d --rm -p 80:80 -h containerhost --name iis --security-opt "credentialspec=file://win.json" artisticcheese/crosscontaineriis
Run SQL Server on the SQL host:
docker run -d --rm -h containerhost --name sql -e sa_password=A123456! -e ACCEPT_EULA=Y --security-opt "credentialspec=file://win.json" artisticcheese/crosscontainersql
Accessing the sql.aspx page on the IIS host should display a message showing that IIS, running inside the container with the default application pool identity, successfully connected to SQL Server.
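The sql.aspx page only shows the login name and server address. As an added example (not code from the post or its repo), the following script does the same check from inside the IIS container, for instance via docker exec, and additionally reports which authentication scheme SQL Server negotiated and whether the login is sysadmin. It assumes the SQL host is reachable as sql.ad.local; everything else comes from the post’s setup.

```powershell
# Added example, not from the post: run inside the IIS container, e.g.
#   docker exec -it iis powershell -File .\Test-GmsaSql.ps1
# Opens an integrated-auth connection as the container's gMSA identity and reports
# the login SQL Server saw, the auth scheme (KERBEROS or NTLM) and the server's IP.
param(
    [string]$SqlServer = 'sql.ad.local'   # assumption: DNS name of the SQL host
)

Add-Type -AssemblyName System.Data

# No user or password: Integrated Security makes the process identity authenticate,
# which in a gMSA container is ad\containerhost$ (from the post)
$connString = "Server=$SqlServer;Database=master;Integrated Security=SSPI;Connect Timeout=15"

$query = @"
SELECT SUSER_SNAME() AS LoginName,
       c.auth_scheme AS AuthScheme,
       CONVERT(nvarchar(48), CONNECTIONPROPERTY('local_net_address')) AS ServerIp,
       IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        $result = [pscustomobject]@{
            LoginName  = [string]$reader['LoginName']
            AuthScheme = [string]$reader['AuthScheme']
            ServerIp   = [string]$reader['ServerIp']
            IsSysadmin = ($reader['IsSysadmin'] -eq 1)
        }
        $result | Format-List

        # Kerberos requires an MSSQLSvc SPN for the SQL service account;
        # NTLM means the connection still worked but fell back
        if ($result.AuthScheme -ne 'KERBEROS') {
            Write-Warning "Auth scheme is $($result.AuthScheme); check the MSSQLSvc SPN for $SqlServer."
        }
        if ($result.LoginName -notlike '*containerhost$') {
            Write-Warning "Connected as $($result.LoginName), not as the gMSA; check the credentialspec on the docker run command."
        }
        if ($result.IsSysadmin) {
            Write-Warning "The container identity is sysadmin on $SqlServer."
        }
    }
}
finally {
    $conn.Dispose()
}
```

Seeing KERBEROS in the output is the confirmation that the gMSA path works end to end; an NTLM result with the expected login name means the credential spec is fine but the SPN side needs attention.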

Storing arbitrary text files in Azure Key Vault as secrets (SSH keys, CER files, etc.)

Azure Key Vault provides auditable, RBAC-controlled access to Azure primitives such as secrets, which by default are usually a simple string such as a password or a connection string.

It’s possible to store complete text files in secrets, which is useful if you want to store SSH keys and the like and still have all the benefits of Azure Key Vault.

PowerShell way

To store any text file in an Azure Key Vault secret, the Set-AzureKeyVaultSecret cmdlet is used and the contents of the file are passed as a SecureString to the SecretValue parameter.

For example, the following PowerShell command will store the file rootCA.cer as a secret in the vault:

PS C:\> Set-AzureKeyVaultSecret -VaultName MyKeyVault -SecretName rootca -SecretValue (ConvertTo-SecureString (Get-Content C:\test\rootCA.cer -Raw) -force -AsPlainText )
Vault Name : mykeyvault
Name : rootca
Version : df87dbdf504045c298b3897ba55d3dbc
Id : https://mykeyvault.vault.azure.net:443/secrets/rootca/df87dbdf504045c298b3897ba55d3dbc
Enabled : True
Expires :
Not Before :
Created : 1/4/2018 3:19:38 PM
Updated : 1/4/2018 3:19:38 PM
Content Type :
Tags :


To retrieve it, we can use a PSCredential object to convert the SecureString back to plaintext and save it as a file.

PS C:\> [PSCredential]::new("user",(Get-AzureKeyVaultSecret -Name rootca -VaultName MyKeyVault).SecretValue).GetNetworkCredential().Password
-----BEGIN CERTIFICATE-----
MIIFADCCAuigAwIBAgIQS0Dm+q1kmqxBMcvB49AJlTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQD
DA9Eb2NrZXIgVExTIFJvb3QwHhcNMTgwMTA0MDExMjE3WhcNMzgwMTA0MDEyMjE2WjAaMRgwFgYD
VQQDDA9Eb2NrZXIgVExTIFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDqxthQ
ZPxJY821/07C2W9d4Mg1mRf2lQmLhIbApGKsHa07rS4BusZ5qKrcP4I0xMY7wNFFyJIYC8oesKTC
WZf9OhttIxCWA04RXkz0ISKMSAspUR1YBFsvAdHFVvt348y3aa1hmO6OXyqYlR3yms5A8hF8QpOQ
+/hSaQ4MlfRwU8W6PNfV6SEzv7fGu0ZmZc+Wi7pHLrzIeLvGwkoEXJIQupe22h5GqkirZ501RvBB
4SQkG5SHaKMTf5FpYr52C5B9bw7fh0KFXCDER6BD3sZCdv2Fz90yp37fwBBz60DhTrAcXetu6JSn
FaB6GqtIg1G4ytQJnzcaOgq2YHeRaIuqzy5HuioQ9Dz32j4vUwNFD0rgF2/NaZAeVVK30XggB1+7
+V2KpUPi2z9LZ/b5MktmdYdWLw+ShGSs4mUwESvWWPWo2ljAKm+01LmnwKEquVI/oXGLMiTFW6QP
RLqKtTMHsJsEZsFueLGxoDaBKXTGvIYtjSQa9u3Wt1o2Ebaq+aNRDAHpoxU/4EEC4SotMyr2CFMW
TxGDf589JBs8K02dJhfvFiBIiuAwpSS7+C3qGfnQKBXMGdyrZTrJfSwaSLKPy8VmWvChZF5l3oLF
DR+I1G5fahDIFP1jcJJKIfX7sUvaouCLAZioR9t/q+BqzLmdxsslWIe4+vnQeSX55NA8EQIDAQAB
o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU9AGt3fSrJxjZ
o44YJklXcyMv5pYwDQYJKoZIhvcNAQELBQADggIBAKFJzSBtwpBaRzXfuT0OLBz5tX9VHppuc8H7
Pmiv1NELAFa5Nwi0G/eQptB3etJzu8+gnH7SZoPaZjnqbLYgk4T1o1xrSKEwGJMqjD7PLsJqo8O1
6fx6A8opH0hmh0qlvH3nSegjq/bmP8gKQTPHoCyAsbRGekUj7KdXqVsGYIClRVJEU49UK78a4aiI
N/x0KMMY+dL8aZA3dKpqSqpkS/DWlNewiKe37/og2+pqYDZnCcd3N7IWThY+iFnuFQbOvsK+ipje
dyzXt9dL3NSx/ZHT1L54ttL7LYfLKyk5yV63p+DONiVqppSnEZRMqXfJbWMFPjL73vEQpXFiq9CH
tKTfmD+6YxjWuZ4BklF2Dry/2F7jXCd9HXp1wrm/sPg1Lr4SfU39kN1vZkVwWJGFOYXCInd7tpPn
Tjw6X2SK7VDaSH4WJAuSKtPzFSxoK1LWdLedv2OWkf/h3vJCQ3r3yBvHCoX4ghm6n8uYeXeDLjhI
p8KutuHENIr5ih+oq01mx9VEOaTVDDpiowB87LICFzyfuHVSB/nOZ+QoxCxXE7fZB+YpqP8aCyLb
N7MCeVnOnAGzNlDiom1qgJxZIR/WUyXfQNEh4rLjI9w72rxw0aQG27+pM/4EYV3uem8J+i3OVTCL
5BdmEo40rzK4JAYNsMUdgVlfDYbuGJOkfAJeDmq7
-----END CERTIFICATE-----


You can then save it to the file system and have a certificate identical to the one which was uploaded:

[PSCredential]::new("user",(Get-AzureKeyVaultSecret -Name rootca -VaultName MyKeyVault).SecretValue).GetNetworkCredential().Password | Out-File 'c:\test\retrieved.cer' -Encoding utf8
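As an added example (not code from the post), here is the upload and retrieval above carried through as one script with a hash check at the end. It uses the same cmdlets and the PSCredential trick the post shows, and adds the one detail a practitioner usually trips over: Out-File -Encoding utf8 in Windows PowerShell prepends a UTF-8 byte order mark, so the file written that way is not byte-identical to the original even though the certificate inside it is. Writing with a BOM-less encoder and comparing SHA-256 hashes confirms the round trip. The vault, secret and path names are the post’s; the ContentType value is an assumption.

```powershell
# Added example, not from the post: store a text file as a Key Vault secret and
# restore it byte-for-byte, then prove it with a hash comparison.
# Assumes the source file has no BOM (ReadAllText and Get-Content -Raw both drop one)
# and fits the Key Vault secret size limit of 25 KB.
param(
    [string]$VaultName  = 'MyKeyVault',
    [string]$SecretName = 'rootca',
    [string]$SourceFile = 'C:\test\rootCA.cer',
    [string]$TargetFile = 'C:\test\retrieved.cer'
)

# --- upload: file contents -> SecureString -> secret (same cmdlets as the post) ---
$content = [System.IO.File]::ReadAllText($SourceFile)       # keeps original line endings
$secure  = ConvertTo-SecureString $content -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -ContentType 'application/x-pem-file' | Out-Null       # assumption: free-form hint for operators

# --- download: secret -> plaintext via PSCredential, as in the post ---
$secret    = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
$plaintext = [PSCredential]::new('unused', $secret.SecretValue).GetNetworkCredential().Password

# Write without a BOM so the bytes match what was uploaded
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($TargetFile, $plaintext, $utf8NoBom)

# --- verify: compare hashes rather than eyeballing the PEM block ---
$before = (Get-FileHash $SourceFile -Algorithm SHA256).Hash
$after  = (Get-FileHash $TargetFile -Algorithm SHA256).Hash
if ($before -ne $after) {
    throw "Round-trip mismatch: $SourceFile=$before, $TargetFile=$after"
}
"OK: $TargetFile matches $SourceFile ($after)"
```

For binary files (a DER-encoded .cer or a .pfx) the text path does not apply; base64-encode the bytes before ConvertTo-SecureString and decode them after retrieval, and keep the same hash check at the end.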

Azure CLI way

A somewhat easier way to perform the entire manipulation is with the Azure CLI.

To upload the secret:

PS C:\> az keyvault secret set --name rootca --vault-name mykeyvault --file C:\test\rootCA.cer
{
"attributes": {
"created": "2018-01-04T15:43:18+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Purgeable",
"updated": "2018-01-04T15:43:18+00:00"
},
"contentType": null,
"id": "https://mykeyvault.vault.azure.net/secrets/rootca/68b70f7caa074f54b10d7dba2ff52e9e",
"kid": null,
"managed": null,
"tags": {
"file-encoding": "utf-8"
},
"value": "—–BEGIN CERTIFICATE—–\nMIIFADCCAuigAwIBAgIQS0Dm+q1kmqxBMcvB49AJlTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQD\nDA9Eb2NrZXIgVExTIFJvb3QwHhcNMTgwMTA0MDExMjE3WhcNMzgwMTA0MDEyMjE2WjAaMRgwFgYD\nVQQDDA9Eb2NrZXIgVExTIFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDqxthQ\nZPxJY821/07C2W9d4Mg1mRf2lQmLhIbApGKsHa07rS4BusZ5qKrcP4I0xMY7wNFFyJIYC8oesKTC\nWZf9OhttIxCWA04RXkz0ISKMSAspUR1YBFsvAdHFVvt348y3aR1hmO6OXyqYlR3yms5A8hF8QpOQ\n+/hSaQ4MlfRwU8W6PNfV6SEzv7fGu0ZmZc+Wi7pHLrzIeLvGwkoEXJIQupe22h5GqkirZ501RvBB\n4SQkG5SHaKMTf5FpYr52C5B9bw7fh0KFXCDER6BD3sZCdv2Fz90yp37fwBBz60DhTrAcXetu6JSn\nFaB6GqtIg1G4ytQJnzcaOgq2YHeRaIuqzy5HuioQ9Dz32j4vUwNFD0rgF2/NaZAeVVK30XggB1+7\n+V2KpUPi2z9LZ/b5MktmdYdWLw+ShGSs4mUwESvWWPWo2ljAKm+01LmnwKEquVI/oXGLMiTFW6QP\nRLqKtTMHsJsEZsFueLGxoDaBKXTGvIYtjSQa9u3Wt1o2Ebaq+aNRDAHpoxU/4EEC4SotMyr2CFMW\nTxGDf589JBs8K02dJhfvFiBIiuAwpSS7+C3qGfnQKBXMGdyrZTrJfSwaSLKPy8VmWvChZF5l3oLF\nDR+I1G5fahDIFP1jcJJKIfX7sUvaouCLAZioR9t/q+BqzLmdxsslWIe4+vnQeSX55NA8EQIDAQAB\no0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU9AGt3fSrJxjZ\no44YJklXcyMv5pYwDQYJKoZIhvcNAQELBQADggIBAKFJzSBtwpBaRzXfuT0OLBz5tX9VHppuc8H7\nPmiv1NELAFa5Nwi0G/eQptB3etJzu8+gnH7SZoPaZjnqbLYgk4T1o1xrSKEwGJMqjD7PLsJqo8O1\n6fx6A8opH0hmh0qlvH3nSegjq/bmP8gKQTPHoCyAsbRGekUj7KdXqVsGYIClRVJEU49UK78a4aiI\nN/x0KMMY+dL8aZA3dKpqSqpkS/DWlNewiKe37/og2+pqYDZnCcd3N7IWThY+iFnuFQbOvsK+ipje\ndyzXt9dL3NSx/ZHT1L54ttL7LYfLKyk5yV63p+DONiVqppSnEZRMqXfJbWMFPjL73vEQpXFiq9CH\ntKTfmD+6YxjWuZ4BklF2Dry/2F7jXCd9HXp1wrm/sPg1Lr4SfU39kN1vZkVwWJGFOYXCInd7tpPn\nTjw6X2SK7VDaSH4WJAuSKtPzFSxoK1LWdLedv2OWkf/h3vJCQ3r3yBvHCoX4ghm6n8uYeXeDLjhI\np8KutuHENIr5ih+oq01mx9VEOaTVDDpiowB87LICFzyfuHVSB/nOZ+QoxCxXE7fZB+YpqP8aCyLb\nN7MCeVnOnAGzNlDiom1qgJxZIR/WUyXfQNEh4rLjI9w72rxw0aQG27+pM/4EYV3uem8J+i3OVTCL\n5BdmEo40rzK4JAYNsMUdgVlfDYbuGJOkfAJeDmq7\n—–END CERTIFICATE—–\n"
}


To download the secret:

PS C:\> az keyvault secret download --name rootca --vault-name mykeyvault --file C:\test\retrieved.cer