Integrating Windows Authentication in Docker Container ASP.NET App

Question

I've created a container from the microsoft/aspnet repository. I want to containerize an ASP.NET 4.x web app within IIS in which I'm able to obtain the logged in user accessing the site. I want to be able to leverage the integrated Windows authentication since this is an internal application.

I've created a transparent network to the container host.

In addition, I've setup Windows authentication on the IIS within the container. I've read about creating a Group Managed Service Account on the container host but I've not done this yet and not sure if this is enough or I'd have to take further steps.

Answer 1

Creating a Group Managed Service Account (gMSA) is only one of the steps you need to take in order to get Windows Authentication to work with the container. You'll also need a Credential Spec, which contains information about the gMSA you create, and will be used by the container to swap the gMSA account for the built-in accounts (LocalSystem, NetworkService, ApplicationPoolIdentity) used by your application's app pool.

Really, the minimum set of steps would be:

1) Create an AD Group that you can use to add the machines that will be used to host your containers.

PS> New-ADGroup "Container Hosts" -GroupScope Global
PS> $group = Get-ADGroup "Container Hosts"
PS> $host = Get-ADComputer "mydockerhostmachine"
PS> Add-ADGroupMember $group -Members $host

2) Create your gMSA account to be used for your app:

PS> New-ADServiceAccount -name myapp -DNSHostName myapp.mydomain.local -ServicePrincipalNames http/myapp.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword "Container Hosts"

The value for PrincipalsAllowedToRetrieveManagePassword should be the name of the AD group you created in step 1.

3) Then, on each container host:

a. Install the Powershell Active Directory module and test to see that you're able to use the gMSA from the host:

PS> Add-WindowsFeature RSAT-AD-PowerShell    
PS> Import-Module ActiveDirectory    
PS> Install-AdServiceAccount myapp    
PS> Test-AdServiceAccount myapp

b. Install the Credential Spec Powershell module and create a credential spec:

PS> Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1 -OutFile CredentialSpec.psm1
PS> Import-Module .\CredentialSpec.psm1
PS> New-CredentialSpec -Name myapp -AccountName myapp

c. Now, if everything was configured correctly, you can then run your container with this credential spec:

docker run --security-opt "credentialspec=file://myapp.json" -d -p
80:80 -h myapp.mydomain.local [my-image-name:tag]

One thing to keep in mind with the above - make sure the Service Principal Name you use when creating the gMSA matches the hostname (-h argument) of the container. Otherwise, you'll have issues if your application uses Windows Authentication to access other domain resources or services (eg, SQL Server). Also, if you are going to access other resources like SQL Server, make sure to also give the appropriate permissions to the gMSA account to those services.

Lastly, when creating your Dockerfile, don't try to assign the gMSA account directly to your app pool. Use one of the built-in accounts and let the engine swap out the account in the container for you. In other words, your app pool creation in your Dockerfile should look a little something like this:

RUN Import-Module WebAdministration; `
    New-Item -Path IIS:\AppPools\MyAppPool; `
    Set-ItemProperty -Path IIS:\AppPools\MyAppPool -Name managedRuntimeVersion -Value 'v4.0'; `
    Set-ItemProperty -Path IIS:\AppPools\MyAppPool -Name processModel -value @{identitytype='ApplicationPoolIdentity'}