
Windows authentication of an application hosted in Windows Container


Microsoft recently provided a solution for containers accessing resources using domain credentials: group managed service accounts.

Although Windows Containers cannot be domain-joined, they can also take advantage of Active Directory domain identities similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called a group Managed Service Account (gMSA) which was designed to be shared by services.

Additionally, here's a guide that walks through the specific steps in detail, covering the following:

Deploying containers with an emulated domain identity is simple, and based around existing workflows using Windows Server and Active Directory.

Deploying this feature requires:

  • An existing Active Directory domain, running at Windows Server 2012 or later functional level
  • Windows Server 2016 with the Container role and Docker installed. This will be referred to as a Container host. These hosts need to be joined to the domain.

This guide will cover the following steps to deploy a container in detail:

  1. Create a group Managed Service Account in the Active Directory for each application/service
  2. Give each container host access to use the group Managed Service Account
  3. Add configuration files on each container host that store details about the group Managed Service Accounts. These will be referred to as Credential Specs
  4. Start containers with a parameter telling which credential spec to use
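The four steps above, carried through as one PowerShell session. This is an added example, not code from the original post or from Microsoft's guide. The domain name (corp.example), the gMSA name (WebAppGmsa), the host group (ContainerHosts) and the container image name are constructed values; `New-CredentialSpec` is assumed to come from Microsoft's CredentialSpec PowerShell module, which is not part of the base OS and whose parameters have changed between versions.

```powershell
# --- Step 1: on a domain controller / management box with the AD module -------
Import-Module ActiveDirectory

# gMSAs need a KDS root key in the domain. -EffectiveImmediately is still
# subject to the 10-hour replication delay on a multi-DC domain; only use it
# on a lab domain.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Constructed names: one gMSA per application, and a group that holds the
# container hosts that are allowed to retrieve the gMSA password.
$gmsaName  = 'WebAppGmsa'
$hostGroup = 'ContainerHosts'
$domainDns = 'corp.example'

New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security

# --- Step 2: restrict password retrieval to the host group, not to "Everyone" --
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup

# Add each domain-joined container host's computer account to the group.
# The host must reboot (or have its Kerberos ticket refreshed) to pick this up.
Add-ADGroupMember -Identity $hostGroup -Members 'CONTAINERHOST01$'

# --- Step 3: on each container host -----------------------------------------
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory

# Pull the gMSA onto the host and confirm the host can actually read its password.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "Host cannot retrieve the password for $gmsaName; check group membership."
}

# Generate the credential spec JSON (assumed: CredentialSpec module installed).
# Docker on Windows looks for credential specs under
# C:\ProgramData\Docker\CredentialSpecs\ by default.
Import-Module CredentialSpec
New-CredentialSpec -AccountName $gmsaName

# --- Step 4: start the container with the credential spec --------------------
# The container is not domain-joined; it impersonates the gMSA for outbound
# Windows authentication (Kerberos/NTLM) to domain resources. On Windows
# Server 2016 the container hostname must match the gMSA name.
docker run -d `
    --security-opt "credentialspec=file://$gmsaName.json" `
    --hostname $gmsaName `
    constructed/webapp-image:latest   # constructed image name
```

The check in step 3 is the one worth keeping in a deployment script: `Test-ADServiceAccount` returning `$false` is the usual cause of "Access Denied" later inside the container, and it surfaces the group-membership or replication problem before any container is started.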


Extract from the Windows Containers "Work in progress" page:

"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."