ASP.NET Core kestrel windows authentication in docker identifies wrong user
I managed to make it work using traefik TLS passthrough. So I had to change the application to serve https itself instead of having traefik do SSL termination. My application's compose file now looks like this:
docker-compose.yml

```yaml
version: "3.7"
services:
  webapplication:
    image: <repository>/webapplication:8-1
    environment:
      - ASPNETCORE_Kestrel__Certificates__Default__Path=wildcard_certificate.pfx
    networks:
      webapplication-network:
        aliases:
          - webapplication
      traefik:
        aliases:
          - traefik-webapplication
    credential_spec:
      file: webapp({GMSA_ACCOUNT})_credential.json
    secrets:
      - source: config_secrets
        target: C:/app/appsettings.json
      - source: wildcard_certificate_pfx
        target: c:\certificates\wildcard_certificate.pfx
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 10
        window: 30s
      labels:
        - applicatienaam=({APPLICATIENAAM})
        - "traefik.enable=true"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.rule=Host(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.scheme=https"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"
        # Windows authentication works through TCP
        # TLS passthrough, because otherwise windows authentication won't support multiple users
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.options=default"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.passthrough=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.rule=HostSNI(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.tcp.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"
```
I think the first user that logs in is bound to the traefik connection, so all next users will use the first user's session, but I don't know for sure. All I know is that the solution above prevents mixing up user sessions.
I also had to make a change to my dockerfile to make serving https from the container work, because of a WindowsCryptographicException bug.
```dockerfile
# escape=`

##### Runtime #####
ARG baseImageVersie
ARG buildNumber
ARG release
FROM <repository>/webapplication-build:$release-$buildNumber AS buildtools
FROM webapplication-windows-netcore-base:$baseImageVersie

ENV DOTNET_RUNNING_IN_CONTAINER=true

# The copy is done, because wildcard_certificate.pfx is put into the container using docker secrets, which makes it a symlink.
# Reading a certificate as a symlink is not supported at this moment: https://stackoverflow.com/q/43955181/1608705
# After doing a copy, the copied version is not a symlink anymore.
ENTRYPOINT (IF EXIST "c:\certificates\wildcard_certificate.pfx" (copy c:\certificates\wildcard_certificate.pfx c:\app\wildcard_certificate.pfx)) && dotnet webapplication.dll
COPY --from=buildtools C:/publish .
```
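A way to verify that the setup above is actually doing what the comments say, as an added example that is not part of the original answer or of Traefik/Kestrel. Negotiate and NTLM authenticate the TCP connection rather than each request, which is why a proxy that terminates TLS and reuses backend connections can hand one user's authenticated connection to another; with passthrough the client's TLS session reaches Kestrel directly. The script below, using only the Python standard library, opens one TLS connection with SNI (what the `HostSNI` rule routes on), sends a bare GET and reports two things: the SHA-256 fingerprint of the certificate the client actually sees, which under passthrough must be the backend's wildcard certificate and not one Traefik would present itself, and whether the challenge is a connection-bound scheme. The host name on the command line and the `SAMPLE_RESPONSE` bytes are assumptions constructed for the example; the sample mirrors what Kestrel with the Negotiate handler sends to an unauthenticated request so the parsing can run offline.

```python
"""Probe an HTTPS endpoint behind Traefik: report the certificate fingerprint
seen by the client and whether the server uses connection-bound auth.
Added example; assumes only the standard library and a host name argument."""
import hashlib
import socket
import ssl

# Schemes that authenticate the TCP connection rather than each request.
CONNECTION_BOUND_SCHEMES = {"negotiate", "ntlm"}


def parse_response_headers(raw):
    """Parse the status line and headers of a raw HTTP/1.1 response.
    Returns (status_code, [(lowercase_name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def auth_schemes(headers):
    """Collect the scheme tokens from every WWW-Authenticate header.
    One header may carry several challenges ("Negotiate, NTLM"); a challenge
    with parameters (Digest realm="x", nonce="y") also contains commas, so a
    token containing '=' is a parameter, not a scheme."""
    schemes = set()
    for name, value in headers:
        if name != "www-authenticate":
            continue
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token and "=" not in token:
                schemes.add(token.lower())
    return schemes


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def assess(raw_response, der_cert):
    """Combine the response and the peer certificate into one verdict."""
    status, headers = parse_response_headers(raw_response)
    schemes = auth_schemes(headers)
    return {
        "status": status,
        "schemes": schemes,
        "connection_bound_auth": bool(schemes & CONNECTION_BOUND_SCHEMES),
        "certificate_sha256": fingerprint(der_cert),
    }


def probe(host, port=443, timeout=5):
    """Connect with SNI set to `host`, send one GET and assess the reply.
    Verification is disabled on purpose: the goal is to inspect the
    certificate that is presented, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return assess(b"".join(chunks), der)


# Constructed sample (not captured from a real server) of a 401 from Kestrel
# with the Negotiate handler, so the parsing can be exercised offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Kestrel\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python probe.py app.example.internal
    else:
        print(assess(SAMPLE_RESPONSE, b"\x30\x00"))
```

Run it against the published host name and compare `certificate_sha256` with the certificate inside the pfx (`openssl pkcs12 -in wildcard_certificate.pfx -nokeys | openssl x509 -noout -fingerprint -sha256`). If the fingerprints differ, Traefik is still terminating TLS and the TCP router is not being matched. A result with `connection_bound_auth` true is the case where that matters: any hop that pools or shares backend connections between clients has to be removed from the path.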