
ASP.NET Core kestrel windows authentication in docker identifies wrong user


I managed to make it work using traefik TLS passthrough. So I had to change the application to serve https itself instead of having traefik do SSL termination. My application's compose file now looks like this:

docker-compose.yml

```yaml
version: "3.7"
services:
  webapplication:
    image: <repository>/webapplication:8-1
    environment:
      # Kestrel serves HTTPS itself with this certificate (copied out of the secret at container start)
      - ASPNETCORE_Kestrel__Certificates__Default__Path=wildcard_certificate.pfx
    networks:
      webapplication-network:
        aliases:
          - webapplication
      traefik:
        aliases:
          - traefik-webapplication
    credential_spec:
      file: webapp({GMSA_ACCOUNT})_credential.json
    secrets:
      - source: config_secrets
        target: C:/app/appsettings.json
      - source: wildcard_certificate_pfx
        target: c:\certificates\wildcard_certificate.pfx
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 10
        window: 30s
      labels:
        - applicatienaam=({APPLICATIENAAM})
        - "traefik.enable=true"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.rule=Host(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.scheme=https"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"
        # Windows authentication works through TCP
        # TLS passthrough, because otherwise windows authentication won't support multiple users
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.options=default"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.passthrough=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.rule=HostSNI(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.tcp.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"

# Assumed (not shown in the original excerpt): the referenced networks and secrets
# are created outside this file, so they are declared here as external.
networks:
  webapplication-network:
    external: true
  traefik:
    external: true

secrets:
  config_secrets:
    external: true
  wildcard_certificate_pfx:
    external: true
```

I think the first user that logs in is bound to the traefik connection, so all subsequent users will use the first user's session, but I don't know for sure. All I know is that the solution above prevents mixing up user sessions.

I also had to make a change to my Dockerfile to make serving https from the container work, because of a WindowsCryptographicException bug.

```dockerfile
# escape=`
##### Runtime #####
ARG baseImageVersie
ARG buildNumber
ARG release
FROM <repository>/webapplication-build:$release-$buildNumber AS buildtools
FROM webapplication-windows-netcore-base:$baseImageVersie
ENV DOTNET_RUNNING_IN_CONTAINER=true
# The copy is done because wildcard_certificate.pfx is put into the container using docker secrets, which makes it a symlink.
# Reading a certificate as a symlink is not supported at this moment: https://stackoverflow.com/q/43955181/1608705
# After doing a copy, the copied version is not a symlink anymore.
ENTRYPOINT (IF EXIST "c:\certificates\wildcard_certificate.pfx" (copy c:\certificates\wildcard_certificate.pfx c:\app\wildcard_certificate.pfx)) && dotnet webapplication.dll
COPY --from=buildtools C:/publish .
```
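As an added check (not part of the answer above), the following script lints the Traefik labels of a service for the condition the answer describes: an HTTP router that terminates TLS at the proxy for a host that has no matching TCP passthrough router, which is the setup where connection-bound Windows authentication can hand one user's session to another. The sample labels are the answer's, with the `({APPLICATIENAAM})` and `({DOMAIN})` placeholders filled with constructed values.

```python
import re

# Constructed sample: the labels from the answer's compose file, placeholders replaced.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.myapp-webapplication.rule=Host(`myapp-webapplication.example.test`)",
    "traefik.http.routers.myapp-webapplication.entrypoints=https",
    "traefik.http.routers.myapp-webapplication.tls=true",
    "traefik.http.services.myapp-webapplication.loadbalancer.server.scheme=https",
    "traefik.http.services.myapp-webapplication.loadbalancer.server.port=443",
    "traefik.tcp.routers.myapp-webapplication.tls=true",
    "traefik.tcp.routers.myapp-webapplication.tls.options=default",
    "traefik.tcp.routers.myapp-webapplication.tls.passthrough=true",
    "traefik.tcp.routers.myapp-webapplication.rule=HostSNI(`myapp-webapplication.example.test`)",
    "traefik.tcp.routers.myapp-webapplication.entrypoints=https",
    "traefik.tcp.services.myapp-webapplication.loadbalancer.server.port=443",
]

# Same service with the TCP passthrough router left out: TLS would end at traefik.
SAMPLE_LABELS_TERMINATED = [l for l in SAMPLE_LABELS if not l.startswith("traefik.tcp.")]

_HOST_RE = re.compile(r"Host(?:SNI)?\(`([^`]+)`\)")


def parse_routers(labels):
    """Group traefik router labels into {(protocol, router_name): {option: value}}."""
    routers = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if len(parts) < 5 or parts[0] != "traefik" or parts[2] != "routers":
            continue  # not a router label (e.g. traefik.enable or a service label)
        proto, name, option = parts[1], parts[3], ".".join(parts[4:])
        routers.setdefault((proto, name), {})[option] = value
    return routers


def check_windows_auth_routing(labels):
    """Return one finding per host whose TLS is terminated at the proxy.

    With Negotiate/NTLM the authenticated identity is tied to the backend
    connection, so a host routed only through an HTTP router with tls=true
    (no tcp router with tls.passthrough=true for the same SNI) is flagged.
    """
    routers = parse_routers(labels)
    passthrough_hosts = set()
    for (proto, _name), opts in routers.items():
        match = _HOST_RE.search(opts.get("rule", ""))
        if proto == "tcp" and opts.get("tls.passthrough") == "true" and match:
            passthrough_hosts.add(match.group(1))
    findings = []
    for (proto, name), opts in routers.items():
        match = _HOST_RE.search(opts.get("rule", ""))
        if proto == "http" and opts.get("tls") == "true" and match:
            host = match.group(1)
            if host not in passthrough_hosts:
                findings.append(f"{host}: http router '{name}' terminates TLS at traefik "
                                "and no tcp router passes TLS through for this SNI")
    return findings
```

Run `check_windows_auth_routing(SAMPLE_LABELS)` to get an empty list for the answer's configuration, and `check_windows_auth_routing(SAMPLE_LABELS_TERMINATED)` to get one finding for the termination-only variant.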