Docker authentication with Active Directory with Remote connected IIS
I have set up IIS inside a container and I can use the host's IIS to connect to that "server".

Next step, I need to host a web application inside (I have successfully done it if the web is not related to AD).

The case is, our web applications need to be authenticated using our AD accounts and now, if I start the web inside the container, even if I type the correct account + password, it still gives me

    401 - Unauthorized: Access is denied due to invalid credentials.

So... how to use AD inside a container?

As told by
https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/

I have come across gMSA:

  1. I logged in to the AD server and ran:

        New-ADServiceAccount -Name ABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers -DNSHostName ABC.domain.com

  2. I went to the server with Docker installed and ran:

        Import-Module ./CredentialSpec.psm1
        New-CredentialSpec -Name ABC -AccountName ABC

  3. Started a new container with

        --security-opt

     and

        ABC.json

But in the end, it still requires me to authenticate myself and no matter what I type, all 401...

btw, nltest /parentdomain shows me the AD server name
      active-directory docker
asked Jan 16 at 8:31 by Near, edited Jan 17 at 4:01
          1 Answer
I have solved it. I had missed the setspn and -h part.

Part of this solution is related to these links:
https://blogs.msdn.microsoft.com/containerstuff/2017/07/31/getting-iis-win-auth-to-work-in-a-container/

https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/

The hostname of the host machine = abcHost (confirm by running hostname in cmd)

To have it done, firstly, as I mentioned:

  1. Log in to the AD server and run:

        New-ADServiceAccount -Name accountABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers -DNSHostName abcHost.domain.com

  2. Go to the server with Docker installed (host machine) and run:

        Import-Module ./CredentialSpec.psm1
        New-CredentialSpec -Name accountABC -AccountName accountABC

So, we now have a service account: ABC.
And the next step is to link the machine name with the service account, therefore run setspn on the AD server:

    setspn -c -s HTTP/abcHost domain\accountABC

After that, to have the container run with the service account, we need to add the -h option in docker run. Together with the gMSA account created before, the command will be:

    docker run -it --name accountABC -h accountABC -v <a directory> --security-opt "credentialspec=file://accountABC.json" myImage

Then, for the IIS application, select that "server or container" in the "Connections" panel > Feature Delegation > set all "Authentication - SOMETHING" to Read/Write.

Then it is done.
answered Jan 17 at 7:54 by Near
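The answer above lists the steps but not how to check each one, and a 401 from Windows authentication in a container is nearly always one link of that chain being wrong (host not allowed to fetch the gMSA password, SPN not on the gMSA, credential spec for a different account, container hostname not equal to the gMSA name). The script below is an added example, not code from the original post or from Microsoft's blog posts: it performs the same steps with the answer's placeholder names (accountABC, ABC-Servers, abcHost, domain.com, myImage) and verifies each link before moving on. It assumes the RSAT ActiveDirectory module is available where each function runs, that CredentialSpec.psm1 sits in the current directory as in the answer, and that Docker keeps credential specs under $env:ProgramData\docker\CredentialSpecs.

```powershell
# Added example (not from the original post). Run Initialize-ContainerGmsa on the AD server,
# then Start-IisContainer on the Docker host. Placeholder names come from the answer;
# the credential-spec directory and module path are assumptions.
#Requires -Version 5.1
$ErrorActionPreference = 'Stop'

$GmsaName   = 'accountABC'   # gMSA name; the container's hostname (-h) must equal this
$HostGroup  = 'ABC-Servers'  # AD group whose members may retrieve the managed password
$DockerHost = 'abcHost'      # container host name (answer: confirm with `hostname`)
$DnsDomain  = 'domain.com'
$Image      = 'myImage'

# ---- Run on the AD server (needs rights to create the gMSA and edit group membership) ----
function Initialize-ContainerGmsa {
    Import-Module ActiveDirectory

    # The Docker host's computer account must be in $HostGroup, or the host cannot fetch
    # the managed password and every logon inside the container ends in a 401.
    $hostAccount = Get-ADComputer -Identity $DockerHost
    if (-not (Get-ADGroupMember -Identity $HostGroup | Where-Object SID -eq $hostAccount.SID)) {
        Add-ADGroupMember -Identity $HostGroup -Members $hostAccount
        Write-Warning "$DockerHost added to $HostGroup; reboot it so its Kerberos ticket carries the new group."
    }

    if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
        New-ADServiceAccount -Name $GmsaName `
            -DNSHostName "$DockerHost.$DnsDomain" `
            -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
    }

    # Browsers build the SPN from the host name in the URL, so register both the short and
    # the FQDN form on the gMSA. This is the answer's "setspn -s HTTP/abcHost domain\accountABC"
    # done through the AD module, plus the FQDN variant.
    $wanted  = @("HTTP/$DockerHost", "HTTP/$DockerHost.$DnsDomain")
    $have    = (Get-ADServiceAccount -Identity $GmsaName -Properties ServicePrincipalNames).ServicePrincipalNames
    $missing = $wanted | Where-Object { $_ -notin $have }
    if ($missing) { Set-ADServiceAccount -Identity $GmsaName -ServicePrincipalNames @{Add = $missing} }

    # A duplicate HTTP SPN makes the KDC unable to choose a key, which also surfaces as a 401.
    $dupes = setspn -X 2>&1 | Select-String -Pattern 'HTTP/' -SimpleMatch
    if ($dupes) { throw "Duplicate SPNs found, fix before continuing:`n$($dupes -join "`n")" }
}

# ---- Run on the Docker host ----
function Test-ContainerHostReady {
    Import-Module ActiveDirectory
    # True only if this host may retrieve the gMSA's managed password.
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "$env:COMPUTERNAME cannot retrieve the password of $GmsaName; check $HostGroup membership and reboot after changes."
    }

    Import-Module ./CredentialSpec.psm1
    $specPath = Join-Path $env:ProgramData "docker\CredentialSpecs\$GmsaName.json"  # assumed default location
    if (-not (Test-Path $specPath)) { New-CredentialSpec -Name $GmsaName -AccountName $GmsaName }

    # The spec must name the same gMSA the SPNs were registered on.
    $spec = Get-Content $specPath -Raw | ConvertFrom-Json
    if ($spec.DomainJoinConfig.MachineAccountName -ne $GmsaName) {
        throw "Credential spec $specPath is for '$($spec.DomainJoinConfig.MachineAccountName)', not '$GmsaName'."
    }
    return $specPath
}

function Start-IisContainer {
    $specPath = Test-ContainerHostReady
    # -h must equal the gMSA name: the container identifies itself to the domain under that name.
    docker run -d --name $GmsaName -h $GmsaName `
        --security-opt "credentialspec=file://$(Split-Path $specPath -Leaf)" $Image | Out-Null

    # Check the domain relationship from inside the container before touching IIS settings:
    # the secure channel must verify and the parent domain must resolve.
    docker exec $GmsaName nltest "/sc_verify:$DnsDomain"
    docker exec $GmsaName nltest /parentdomain
}
```

Run Initialize-ContainerGmsa once on the AD side and Start-IisContainer on the host after the host has been rebooted following any group-membership change; if Test-ADServiceAccount returns False the problem is upstream of Docker and no credential spec will fix it. The answer's `-v <a directory>` mount is left out because it is unrelated to authentication.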