Quickly grant access to a user group when starting a NAV container

19. February 2018

Quickly grant access to a user group when starting a NAV container

As we use Docker containers internally to quickly spin up environments for reproducing bugs, delivering fixes on older releases or quickly test our application, we needed a way to easily grant access to a specific Active Directory user group. When starting a container, we want the following actions to be taken:

Luckily, the official Docker image for NAV makes customization very easy and we can just override the AdditionalSetup.ps1-script and run our custom scripts. You can find these scripts in Tobias’ GitHub repository.

The setupDevDbAccess.ps1-script just adds a SQL user for the domain user group to the local database if it not already exists. The domain and group name are taken from the environment variables DevDomain and DevGroup.

The script setupDevNavUsers.ps1 uses the ActiveDirectory PowerShell module and therefore installs the corresponding Windows feature. Afterwards it retrieves every single user of the group specified in DevGroup, checks if it already has a NAV user and if not, creates it.

Note that the container needs access to the Active Directory domain for this to work. This can be achieved with the use of gMSAs. Jakub Vanak provided a script in his repository, which shows how to easily create a gMSA.

With the gMSA set up and the use of the folders feature we can start a container with the custom scripts:

docker run --rm -e accept_eula=y -e auth=Windows --network MyTransparentNetwork --security-opt "credentialspec=file://releaseX.json" --name releaseX --hostname releaseX -e folders="c:\run\my=\nav-docker-samples-grant-user-access" -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS microsoft/dynamics-nav:2017-cu14

Docker uses the CredentialSpec to run the container with the specified gMSA. To access the domain, the container connects via a transparent network. While the container starts, the custom scripts are downloaded from the GitHub repository and the users are created.

This way, we can easily grant access to a user group in a couple of seconds while starting the NAV container. Awesome!

Leave a Reply

Your email address will not be published. Required fields are marked *