Below is a walkthrough of how to enable the IIS application pool identity to access a SQL Server instance running in a separate container on a separate host using Integrated Windows Authentication.
Please follow my previous blog post here to set up your environment for Integrated Windows Authentication.
My environment consists of the following:
- An Active Directory domain called ad.local running on a single domain controller called DC1
- Hosts called IIS and SQL with the Windows Containers feature installed
- The rest of the setup is the same as in the blog post mentioned above
All the scripts and Docker-related files are in the GitHub repo here
The IIS dockerfile is called
It's based off the microsoft/iis image, with the addition of installing ASP.NET and copying over 2 files which will be used to access the SQL server running in a container on a separate host.
The ENTRYPOINT is modified to add the ad.local\Domain Admins group to the local Administrators group. I was surprised to find out that the container actually considers itself a rightful member of the Active Directory domain, and you can perform the same tasks inside the container that you would expect to perform on a domain-joined member server.
For example, you can use WMI straight from the host against the running container using the domain credentials you are logged on to the host with. The example below shows me using my domain account ad.local\gregory to execute WMI against a running Windows container, which reports itself as a domain-joined member server with the name containerhost; as you can see, no -Credential parameter needs to be specified.
PS C:\Windows\system32> get-wmiobject -ComputerName 172.19.173.92 -Class win32_computersystem
Domain              : ad.local
Manufacturer        : Microsoft Corporation
Model               : Virtual Machine
Name                : CONTAINERHOST
TotalPhysicalMemory : 4105752576
The sql.aspx file contains a single line of code which outputs which account is used to authenticate against the remote SQL server and what the IP address of that server is.
The image is available on Docker Hub if you don't want to build it yourself and is called artisticcheese/crosscontaineriis.
The SQL server is based off the microsoft/mssql-server-windows-developer image, with the ENTRYPOINT modified to create a login for the containerhost$ gMSA account and add it to the sysadmin role on the server. It's expressed in 2 lines added to the ENTRYPOINT:
invoke-sqlcmd -Query 'create login [ad\containerhost$] from windows'
invoke-sqlcmd -Query 'ALTER SERVER ROLE sysadmin ADD MEMBER [ad\containerhost$]'
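As an added example (not code from the blog's repo or the image), here is how those two ENTRYPOINT lines can be made safe to re-run and verified from PowerShell: the login is only created if it does not exist, the role membership is only added if missing, and the result is read back. The login ad\containerhost$ and the sysadmin role are the ones the post uses; the function name Grant-GmsaSqlAccess and the -ServerInstance value localhost are assumptions.

```powershell
# Added example: idempotent version of the two Invoke-Sqlcmd lines added to the
# SQL image ENTRYPOINT. Login and role are from the post; the function name and
# the server instance are assumptions for illustration.
function Grant-GmsaSqlAccess {
    param(
        [string]$Login = 'ad\containerhost$',   # gMSA the IIS container runs as
        [string]$ServerInstance = 'localhost',   # assumed: SQL in the same container
        [string]$Role = 'sysadmin'               # role the post grants
    )

    # The ENTRYPOINT runs before the SQL service accepts connections; wait for it.
    $deadline = (Get-Date).AddMinutes(2)
    do {
        try {
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Query 'SELECT 1' -ErrorAction Stop | Out-Null
            break
        } catch {
            Start-Sleep -Seconds 5
        }
    } while ((Get-Date) -lt $deadline)

    # Restarting the container must not fail on "login already exists" or on a
    # duplicate role membership, so both statements are guarded.
    $grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
IF ISNULL(IS_SRVROLEMEMBER(N'$Role', N'$Login'), 0) = 0
    ALTER SERVER ROLE [$Role] ADD MEMBER [$Login];
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $grant -ErrorAction Stop

    # Read back what was granted so the container log shows the effective state.
    $verify = @"
SELECT name, type_desc, IS_SRVROLEMEMBER(N'$Role', name) AS is_role_member
FROM sys.server_principals WHERE name = N'$Login';
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $verify -ErrorAction Stop
}

Grant-GmsaSqlAccess
```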
Setting up environment and results
Run the container on the IIS host:
docker run -d --rm -p 80:80 -h containerhost --name iis --security-opt "credentialspec=file://win.json" artisticcheese/crosscontaineriis
docker run -d --rm -h containerhost --name sql -e sa_password=A123456! -e ACCEPT_EULA=Y --security-opt "credentialspec=file://win.json" artisticcheese/crosscontainersql