Windows authentication of an application hosted in Windows Container
Microsoft recently provided a solution for containers accessing resources using domain credentials: group managed service accounts.
Although Windows Containers cannot be domain-joined, they can also take advantage of Active Directory domain identities similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called a group Managed Service Account (gMSA) which was designed to be shared by services.
Additionally, here's a guide that walks through the specific steps in detail, covering the following:
Deploying containers with an emulated domain identity is simple, and based around existing workflows using Windows Server and Active Directory.
Deploying this feature requires:
- An existing Active Directory domain, running at Windows Server 2012 or later functional level
- Windows Server 2016 with the Container role and Docker installed. This will be referred to as a Container host. These hosts need to be joined to the domain.
This guide will cover the following steps to deploy a container in detail:
- Create a group Managed Service Account in the Active Directory for each application/service
- Give each container host access to use the group Managed Service Account
- Add configuration files on each container host that store details about the group Managed Service Accounts. These will be referred to as Credential Specs
- Start containers with a parameter telling which credential spec to use
Extract of the "Windows Containers - Work in progress" page:
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
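The four deployment steps quoted above, written out as PowerShell. This is an added example, not code from the original post or from Microsoft's guide; the domain contoso.com, the gMSA WebApp01, the group ContainerHosts, the host CH01 and the image name are assumed placeholders, and the credential spec is written by hand in the documented JSON layout rather than with the CredentialSpec module.

```powershell
# Added example (not from the original post). Assumed names: domain contoso.com,
# gMSA WebApp01, AD group ContainerHosts, container host CH01, image contoso/webapp.

# --- Step 1: on a domain controller, create one gMSA per application/service ---
# A KDS root key must exist before any gMSA can be created (one-time per forest;
# -EffectiveImmediately is for a lab, production replication takes ~10 hours).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Least privilege: every principal listed in PrincipalsAllowedToRetrieveManagedPassword
# can read the gMSA password, so use a group holding only the container hosts,
# never a broad group such as "Domain Computers".
New-ADGroup -Name ContainerHosts -GroupScope Global
Add-ADGroupMember -Identity ContainerHosts -Members 'CH01$'
New-ADServiceAccount -Name WebApp01 -DNSHostName WebApp01.contoso.com `
    -ServicePrincipalNames 'HTTP/WebApp01.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword ContainerHosts

# --- Step 2: on each container host, confirm the host is allowed to use the gMSA ---
# The host must be rebooted after the group change so its token carries the new group.
Install-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity WebApp01
if (-not (Test-ADServiceAccount -Identity WebApp01)) {
    throw 'This host cannot retrieve the gMSA password; check group membership.'
}

# --- Step 3: write the credential spec where Docker looks for it ---
$domain = Get-ADDomain
$spec = @{
    CmsPlugins = @('ActiveDirectory')
    DomainJoinConfig = @{
        Sid                = $domain.DomainSID.Value
        MachineAccountName = 'WebApp01'
        Guid               = $domain.ObjectGUID.ToString()
        DnsTreeName        = $domain.Forest
        DnsName            = $domain.DNSRoot
        NetBiosName        = $domain.NetBIOSName
    }
    ActiveDirectoryConfig = @{
        GroupManagedServiceAccounts = @(
            @{ Name = 'WebApp01'; Scope = $domain.DNSRoot },
            @{ Name = 'WebApp01'; Scope = $domain.NetBIOSName }
        )
    }
}
$specDir = 'C:\ProgramData\Docker\CredentialSpecs'
New-Item -ItemType Directory -Path $specDir -Force | Out-Null
$spec | ConvertTo-Json -Depth 5 | Set-Content -Path "$specDir\WebApp01.json" -Encoding ascii

# --- Step 4: start the container with the credential spec (hostname must match the gMSA name) ---
docker run -d --hostname WebApp01 --security-opt "credentialspec=file://WebApp01.json" contoso/webapp:latest

# Verify from inside the container that it talks to the domain as the gMSA:
#   docker exec <container-id> nltest /sc_verify:contoso.com
```

If `Test-ADServiceAccount` returns False the container will start but authenticate as the local account, so treat that check as a gate before `docker run`.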