Integrating Windows Authentication in Docker Container ASP.NET App


Creating a Group Managed Service Account (gMSA) is only one of the steps you need to take in order to get Windows Authentication to work with the container. You'll also need a Credential Spec, which contains information about the gMSA you create, and will be used by the container to swap the gMSA account for the built-in accounts (LocalSystem, NetworkService, ApplicationPoolIdentity) used by your application's app pool.

Really, the minimum set of steps would be:

1) Create an AD Group that you can use to add the machines that will be used to host your containers.

PS> New-ADGroup "Container Hosts" -GroupScope Global
PS> $group = Get-ADGroup "Container Hosts"
PS> # $host is a read-only automatic variable in PowerShell, so use another name for the computer object
PS> $hostComputer = Get-ADComputer "mydockerhostmachine"
PS> Add-ADGroupMember $group -Members $hostComputer

2) Create your gMSA account to be used for your app:

PS> New-ADServiceAccount -name myapp -DNSHostName myapp.mydomain.local -ServicePrincipalNames http/myapp.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword "Container Hosts"

The value for PrincipalsAllowedToRetrieveManagedPassword should be the name of the AD group you created in step 1.

3) Then, on each container host:

a. Install the Powershell Active Directory module and test to see that you're able to use the gMSA from the host:

PS> Add-WindowsFeature RSAT-AD-PowerShell
PS> Import-Module ActiveDirectory
PS> Install-AdServiceAccount myapp
PS> Test-AdServiceAccount myapp

b. Install the Credential Spec Powershell module and create a credential spec:

PS> Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1 -OutFile CredentialSpec.psm1
PS> Import-Module .\CredentialSpec.psm1
PS> New-CredentialSpec -Name myapp -AccountName myapp

c. Now, if everything was configured correctly, you can then run your container with this credential spec:

docker run --security-opt "credentialspec=file://myapp.json" -d -p80:80 -h myapp.mydomain.local [my-image-name:tag]

One thing to keep in mind with the above - make sure the Service Principal Name you use when creating the gMSA matches the hostname (-h argument) of the container. Otherwise, you'll have issues if your application uses Windows Authentication to access other domain resources or services (e.g., SQL Server). Also, if you are going to access other resources like SQL Server, make sure to also give the appropriate permissions to the gMSA account to those services.
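To catch the mismatches just described before the container is started, here is a preflight script in PowerShell, added here as an example; it is not part of the original post. It assumes the names used throughout (gMSA myapp, group Container Hosts, container hostname myapp.mydomain.local), that New-CredentialSpec wrote the spec into Docker's default C:\ProgramData\Docker\CredentialSpecs folder with the ActiveDirectoryConfig.GroupManagedServiceAccounts layout that module produces, and that the host is domain joined with the RSAT AD module installed; the parameter names and the $problems list are this example's own.

```powershell
# Preflight check for a gMSA-backed Windows container host (added example, not from the original post).
# Assumed names: gMSA "myapp", container hostname "myapp.mydomain.local", AD group "Container Hosts",
# credential spec written by New-CredentialSpec to Docker's default CredentialSpecs folder.
param(
    [string]$AccountName       = 'myapp',
    [string]$ContainerHostname = 'myapp.mydomain.local',
    [string]$HostGroup         = 'Container Hosts',
    [string]$CredSpecPath      = 'C:\ProgramData\Docker\CredentialSpecs\myapp.json'
)

Import-Module ActiveDirectory
$problems = @()

# 1. The gMSA must carry an SPN for the hostname the container will get via -h; otherwise
#    Kerberos tickets presented by the container will not match the service name.
$gmsa = Get-ADServiceAccount -Identity $AccountName `
            -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
$expectedSpn = "http/$ContainerHostname"
if (-not ($gmsa.ServicePrincipalNames | Where-Object { $_ -ieq $expectedSpn })) {
    $problems += "gMSA '$AccountName' has no SPN '$expectedSpn'; SPNs present: $($gmsa.ServicePrincipalNames -join ', ')"
}

# 2. This host must be allowed to retrieve the managed password, which the post grants through
#    membership of the host group (only direct membership is checked here, not nested groups).
$groupDn = (Get-ADGroup -Identity $HostGroup).DistinguishedName
$me      = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf
if ($me.MemberOf -notcontains $groupDn) {
    $problems += "Computer '$env:COMPUTERNAME' is not a direct member of '$HostGroup'"
}
if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -notcontains $groupDn) {
    $problems += "'$HostGroup' is not in PrincipalsAllowedToRetrieveManagedPassword for '$AccountName'"
}

# 3. The host itself must be able to use the account (what Test-ADServiceAccount verifies).
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    $problems += "Test-ADServiceAccount failed for '$AccountName' on this host (run Install-ADServiceAccount first)"
}

# 4. The credential spec handed to docker must actually reference this gMSA.
if (-not (Test-Path -Path $CredSpecPath)) {
    $problems += "Credential spec not found at '$CredSpecPath'"
} else {
    $spec  = Get-Content -Path $CredSpecPath -Raw | ConvertFrom-Json
    $names = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts | ForEach-Object { $_.Name })
    if ($names -notcontains $AccountName) {
        $problems += "Credential spec lists gMSAs [$($names -join ', ')], not '$AccountName'"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Everything lines up: print the docker run command from the post with the checked values filled in.
$specFile = Split-Path -Path $CredSpecPath -Leaf
Write-Host "docker run --security-opt `"credentialspec=file://$specFile`" -d -p 80:80 -h $ContainerHostname my-image-name:tag"
```

Run it on the container host after step 3b, before the docker run in step 3c. The membership check in step 2 only looks at direct MemberOf entries, so if you grant PrincipalsAllowedToRetrieveManagedPassword through a nested group you will need to walk the group chain yourself.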

Lastly, when creating your Dockerfile, don't try to assign the gMSA account directly to your app pool. Use one of the built-in accounts and let the engine swap out the account in the container for you. In other words, your app pool creation in your Dockerfile should look a little something like this:

RUN Import-Module WebAdministration; `
    New-Item -Path IIS:\AppPools\MyAppPool; `
    Set-ItemProperty -Path IIS:\AppPools\MyAppPool -Name managedRuntimeVersion -Value 'v4.0'; `
    Set-ItemProperty -Path IIS:\AppPools\MyAppPool -Name processModel -value @{identitytype='ApplicationPoolIdentity'}