Below is overview of steps required to use integrated Windows Authentication in ASP.NET core application inside nanoserver container.
Completion of this instructions will allow you to run nanoserver container in windows AD environment and authenticate users based on their Windows desktop credentials or externally by providing Windows username/password to AD environment. This setup also RBAC access using Windows Groups as explained below.
Entire project with source code located on following github repo (https://github.com/artisticcheese/ContainerWindowsAuth)
High level overview of steps required to complete this scenario
- Complete first 7 steps in following article (Enabling integrated Windows Authentication in windows docker container)
- Build docker container based off github repo above
- Launch docker container in AD environment with GMSA account (step 8 in Enabling integrated Windows Authentication in windows docker container)
Completion steps 1-7 from following article Enabling integrated Windows Authentication in windows docker container will prepare your AD environment to host windows container with integrated windows authentication.
Add following snippet to
startup.cs of your .NET core project which will enabled integrated windows authentication to be used in .NET core
.UseIISIntegration() to your
BuildWebHost method of
HomeController has just 2 methods below.
Windows requires authentication and allows only members
Users allow only
Domain Users group and
Anonymousis allowing to be accessed without authentication
So accessing URL on your running container at
http://container/home/windows will require authentication and
http://container/home/anonymous is allowed to be accessed without authentication.
Multistage build is used to build .NET core project and put in resulting container along with all neccessary prerequisites (IIS and ASP.NET core). For detailed instructions you can read in this article (Using multistage docker build to create IIS + ASP.NET Core image + nanoserver).
Dockerfile for entire project is below. It shall be pretty self explanatory.
Building final image puts together container image consisting of 3 intermediate images used to:
- Build ASP.NET core project
- Copy ASP.NET executables to final image
- Install ASP.NET IIS module to servercore image and copy it over to final image
Once image is built you can deploy to production container host which was prepared earlier in step 1 above.
Launch docker image with following parameters
docker run -d -h containerhost --security-opt "credentialspec=file://win.json" -p 88:80 artisticcheese/winauth:nano-iis
Parameters specify which GMSA account is being used to authenticate to AD and location of JSON file with details.
http://containerhost:88/Home/Windows on container host from domain joined client will automatically log you with current user credentials with no prompt like below. While accessing
http://containerhost:88/Home/Anonymous will allow you to access it without username/password.
Accessing with user account which is not part of
Domain Admins will return HTTP 403 on
/home/windows as expected but will succeed on
See screenshots below. If you don’t want to automatically log in with default credentials you can access page via IP address which will prevent IE/Chrome from using them.
http://192.168.1.235:88/Home/Windows, please note that your authentication switches to NTLM instead of Kerberos authentication in such case.