Docker authenication with Active Directory with Remote connected IIS












1















I have setup an IIS inside a container and I can use the host's IIS to connect to that "server".



Next step, I need to host a web application inside (I have successfully done it if the web is not related to AD)



The case is, our web applications need to be authenicated using our ad accounts and now, if I start the web inside the container, even I type the correct account + pw, it still gives me




401 - Unauthorized: Access is denied due to invalid credentials.




So... how to use AD inside a container?



As told by
https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



I have came across gMSA





  1. I logged in to the AD server and run:



    New-ADServiceAccount -Name ABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName ABC.domain.com



  2. I went to the server with Docker installed and run:



    Import-Module ./CredentialSpec.psm1
    New-CredentialSpec -Name ABC -AccountName ABC



  3. start a new container with



    --security-opt 



and



    ABC.json


But in the end, it still requires me to authenticate my-self and no matter what I typed, all 401...



btw, nltest /parentdomain shows me the ad server name










share|improve this question





























    1















    I have setup an IIS inside a container and I can use the host's IIS to connect to that "server".



    Next step, I need to host a web application inside (I have successfully done it if the web is not related to AD)



    The case is, our web applications need to be authenicated using our ad accounts and now, if I start the web inside the container, even I type the correct account + pw, it still gives me




    401 - Unauthorized: Access is denied due to invalid credentials.




    So... how to use AD inside a container?



    As told by
    https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



    I have came across gMSA





    1. I logged in to the AD server and run:



      New-ADServiceAccount -Name ABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName ABC.domain.com



    2. I went to the server with Docker installed and run:



      Import-Module ./CredentialSpec.psm1
      New-CredentialSpec -Name ABC -AccountName ABC



    3. start a new container with



      --security-opt 



    and



        ABC.json


    But in the end, it still requires me to authenticate my-self and no matter what I typed, all 401...



    btw, nltest /parentdomain shows me the ad server name










    share|improve this question



























      1












      1








      1








      I have setup an IIS inside a container and I can use the host's IIS to connect to that "server".



      Next step, I need to host a web application inside (I have successfully done it if the web is not related to AD)



      The case is, our web applications need to be authenicated using our ad accounts and now, if I start the web inside the container, even I type the correct account + pw, it still gives me




      401 - Unauthorized: Access is denied due to invalid credentials.




      So... how to use AD inside a container?



      As told by
      https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



      I have came across gMSA





      1. I logged in to the AD server and run:



        New-ADServiceAccount -Name ABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName ABC.domain.com



      2. I went to the server with Docker installed and run:



        Import-Module ./CredentialSpec.psm1
        New-CredentialSpec -Name ABC -AccountName ABC



      3. start a new container with



        --security-opt 



      and



          ABC.json


      But in the end, it still requires me to authenticate my-self and no matter what I typed, all 401...



      btw, nltest /parentdomain shows me the ad server name










      share|improve this question
















      I have setup an IIS inside a container and I can use the host's IIS to connect to that "server".



      Next step, I need to host a web application inside (I have successfully done it if the web is not related to AD)



      The case is, our web applications need to be authenicated using our ad accounts and now, if I start the web inside the container, even I type the correct account + pw, it still gives me




      401 - Unauthorized: Access is denied due to invalid credentials.




      So... how to use AD inside a container?



      As told by
      https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



      I have came across gMSA





      1. I logged in to the AD server and run:



        New-ADServiceAccount -Name ABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName ABC.domain.com



      2. I went to the server with Docker installed and run:



        Import-Module ./CredentialSpec.psm1
        New-CredentialSpec -Name ABC -AccountName ABC



      3. start a new container with



        --security-opt 



      and



          ABC.json


      But in the end, it still requires me to authenticate my-self and no matter what I typed, all 401...



      btw, nltest /parentdomain shows me the ad server name







      active-directory docker






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 17 at 4:01







      Near

















      asked Jan 16 at 8:31









      NearNear

      63




      63






















          1 Answer
          1






          active

          oldest

          votes


















          0














          I have solved it. I have missed the setspn and -h part



          Part of this solution is related to these links:
          https://blogs.msdn.microsoft.com/containerstuff/2017/07/31/getting-iis-win-auth-to-work-in-a-container/



          https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



          The hostname of the host machine = abcHost (confirm by running hostname in cmd)



          To have it done, firstly, as I mentioned:
          1. Log in to the AD server and run:



          New-ADServiceAccount -Name accountABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName abcHost.domain.com



          1. Go to the server with Docker installed (host machine) and run:
            Import-Module ./CredentialSpec.psm1
            New-CredentialSpec -Name accountABC -AccountName accountABC


          So, we now have a service account : ABC
          And the next step is to link the machine name with the service account, therefore run setspn in the ad server:



          setspn -c -s HTTP/abcHost domianaccountABC


          Afterthat, to have the container run with the service account, we need to add -h option in Docker run. together with the gMSA account created before, the command will be:



          Docker run -it --name accountABC -h accountABC -v <a directory> --security-opt "credentialspec=file://accountABC.json" myImage


          Then, for IIS application, that select that "server or container" in "Connections" Panel > Feature Delegration > set all "Authentication - SOMETHING" to Read/Write



          Then it is done






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1394847%2fdocker-authenication-with-active-directory-with-remote-connected-iis%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I have solved it. I have missed the setspn and -h part



            Part of this solution is related to these links:
            https://blogs.msdn.microsoft.com/containerstuff/2017/07/31/getting-iis-win-auth-to-work-in-a-container/



            https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



            The hostname of the host machine = abcHost (confirm by running hostname in cmd)



            To have it done, firstly, as I mentioned:
            1. Log in to the AD server and run:



            New-ADServiceAccount -Name accountABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName abcHost.domain.com



            1. Go to the server with Docker installed (host machine) and run:
              Import-Module ./CredentialSpec.psm1
              New-CredentialSpec -Name accountABC -AccountName accountABC


            So, we now have a service account : ABC
            And the next step is to link the machine name with the service account, therefore run setspn in the ad server:



            setspn -c -s HTTP/abcHost domianaccountABC


            Afterthat, to have the container run with the service account, we need to add -h option in Docker run. together with the gMSA account created before, the command will be:



            Docker run -it --name accountABC -h accountABC -v <a directory> --security-opt "credentialspec=file://accountABC.json" myImage


            Then, for IIS application, that select that "server or container" in "Connections" Panel > Feature Delegration > set all "Authentication - SOMETHING" to Read/Write



            Then it is done






            share|improve this answer




























              0














              I have solved it. I have missed the setspn and -h part



              Part of this solution is related to these links:
              https://blogs.msdn.microsoft.com/containerstuff/2017/07/31/getting-iis-win-auth-to-work-in-a-container/



              https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



              The hostname of the host machine = abcHost (confirm by running hostname in cmd)



              To have it done, firstly, as I mentioned:
              1. Log in to the AD server and run:



              New-ADServiceAccount -Name accountABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName abcHost.domain.com



              1. Go to the server with Docker installed (host machine) and run:
                Import-Module ./CredentialSpec.psm1
                New-CredentialSpec -Name accountABC -AccountName accountABC


              So, we now have a service account : ABC
              And the next step is to link the machine name with the service account, therefore run setspn in the ad server:



              setspn -c -s HTTP/abcHost domianaccountABC


              Afterthat, to have the container run with the service account, we need to add -h option in Docker run. together with the gMSA account created before, the command will be:



              Docker run -it --name accountABC -h accountABC -v <a directory> --security-opt "credentialspec=file://accountABC.json" myImage


              Then, for IIS application, that select that "server or container" in "Connections" Panel > Feature Delegration > set all "Authentication - SOMETHING" to Read/Write



              Then it is done






              share|improve this answer


























                0












                0








                0







                I have solved it. I have missed the setspn and -h part



                Part of this solution is related to these links:
                https://blogs.msdn.microsoft.com/containerstuff/2017/07/31/getting-iis-win-auth-to-work-in-a-container/



                https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



                The hostname of the host machine = abcHost (confirm by running hostname in cmd)



                To have it done, firstly, as I mentioned:
                1. Log in to the AD server and run:



                New-ADServiceAccount -Name accountABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName abcHost.domain.com



                1. Go to the server with Docker installed (host machine) and run:
                  Import-Module ./CredentialSpec.psm1
                  New-CredentialSpec -Name accountABC -AccountName accountABC


                So, we now have a service account : ABC
                And the next step is to link the machine name with the service account, therefore run setspn in the ad server:



                setspn -c -s HTTP/abcHost domianaccountABC


                Afterthat, to have the container run with the service account, we need to add -h option in Docker run. together with the gMSA account created before, the command will be:



                Docker run -it --name accountABC -h accountABC -v <a directory> --security-opt "credentialspec=file://accountABC.json" myImage


                Then, for IIS application, that select that "server or container" in "Connections" Panel > Feature Delegration > set all "Authentication - SOMETHING" to Read/Write



                Then it is done






                share|improve this answer













                I have solved it. I have missed the setspn and -h part



                Part of this solution is related to these links:
                https://blogs.msdn.microsoft.com/containerstuff/2017/07/31/getting-iis-win-auth-to-work-in-a-container/



                https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/



                The hostname of the host machine = abcHost (confirm by running hostname in cmd)



                To have it done, firstly, as I mentioned:
                1. Log in to the AD server and run:



                New-ADServiceAccount -Name accountABC -PrincipalsAllowedToRetrieveManagedPassword ABC-Servers –DNSHostName abcHost.domain.com



                1. Go to the server with Docker installed (host machine) and run:
                  Import-Module ./CredentialSpec.psm1
                  New-CredentialSpec -Name accountABC -AccountName accountABC


                So, we now have a service account : ABC
                And the next step is to link the machine name with the service account, therefore run setspn in the ad server:



                setspn -c -s HTTP/abcHost domianaccountABC


                Afterthat, to have the container run with the service account, we need to add -h option in Docker run. together with the gMSA account created before, the command will be:



                Docker run -it --name accountABC -h accountABC -v <a directory> --security-opt "credentialspec=file://accountABC.json" myImage


                Then, for IIS application, that select that "server or container" in "Connections" Panel > Feature Delegration > set all "Authentication - SOMETHING" to Read/Write



                Then it is done







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jan 17 at 7:54









                NearNear

                63




                63






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1394847%2fdocker-authenication-with-active-directory-with-remote-connected-iis%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Probability when a professor distributes a quiz and homework assignment to a class of n students.

                    Aardman Animations

                    Are they similar matrix