Solutions
Markets
References
Services
Company
Profile
Partners
Press
Contact
19. February 2018
Quickly grant access to a user group when starting a NAV container
As we use Docker containers internally to quickly spin up environments for reproducing bugs, delivering fixes on older releases or quickly test our application, we needed a way to easily grant access to a specific Active Directory user group. When starting a container, we want the following actions to be taken:
- Create NAV user and permission set for each user within the given domain user group
- Create SQL user for the given user group to allow access via development environment
Luckily, the official Docker image for NAV makes customization very easy and we can just override the AdditionalSetup.ps1-script and run our custom scripts. You can find these scripts in Tobias’ GitHub repository.
The setupDevDbAccess.ps1-script just adds a SQL user for the domain user group to the local database if it not already exists. The domain and group name are taken from the environment variables DevDomain and DevGroup.
The script setupDevNavUsers.ps1 uses the ActiveDirectory PowerShell module and therefore installs the corresponding Windows feature. Afterwards it retrieves every single user of the group specified in DevGroup, checks if it already has a NAV user and if not, creates it.
Note that the container needs access to the Active Directory domain for this to work. This can be achieved with the use of gMSAs. Jakub Vanak provided a script in his repository, which shows how to easily create a gMSA.
With the gMSA set up and the use of the folders feature we can start a container with the custom scripts:
docker run --rm -e accept_eula=y -e auth=Windows --network MyTransparentNetwork --security-opt "credentialspec=file://releaseX.json" --name releaseX --hostname releaseX -e folders="c:\run\my=https://github.com/tfenster/nav-docker-samples/archive/grant-user-access.zip\nav-docker-samples-grant-user-access" -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS microsoft/dynamics-nav:2017-cu14
Docker uses the CredentialSpec to run the container with the specified gMSA. To access the domain, the container connects via a transparent network. While the container starts, the custom scripts are downloaded from the GitHub repository and the users are created.
This way, we can easily grant access to a user group in a couple of seconds while starting the NAV container. Awesome!
RSS Feed
4 Kommentare zu “Quickly grant access to a user group when starting a NAV container”
Leave a Reply
You must be logged in to post a comment.
Contact
Contact
Follow us
Hello Markus
I am building similar system for our company’s internal use. Your blog has been inspiration to me, and it is just great that you share your knowledge with others struggling with same problems.
I have managed to implement this system so far that I should run the docker image, but then I cannot find the structure or information what should be included in credentialspec file.
Can you elaborate this a bit?
Hello Urpo,
great that the blog helps you. Did you have a look at Jakub’s script (https://github.com/Koubek/nav-docker-examples/blob/master/gmsa/New-gMSA.ps1) I mentioned? You basically just need to run e.g.
New-gMSA -HostNames @(‘YourContainerHostName’) -SecGroupPath ‘OU=mygMSAs,DC=mydomain,DC=com’ -PrincipalsAllowedToRetrieveManagedPassword @(‘DockerGMSAGroup’)
For the script to work the user who runs the script must have the rights to create gMSAs in the specified ActiveDirectory OU. Also the AD PowerShell tools must be installed first (Add-WindowsFeature rsat-ad-powershell) and the Docker host must be member of the group specified in the last parameter to have access to the created gMSA.
The script automatically creates the credentialspec file in C:\ProgramData\docker\credentialspecs\YourContainerHostName.json so that it can be used in the docker run command with –security-opt “credentialspec=file://YourContainerHostName.json”
If your’re still struggling, feel free to contact me via Twitter or LinkedIn.
Hi Tobias,
thankyou very much for your post.
I would like to use the AD authentication to spin up a nav container and make it usable from all developers group of my domain.
Actually I use a script to create a dockerized sql db, and another one to run bc container with navuserpassword:
https://github.com/Pellic/nav-docker/blob/master/generic/Pellic/CreateDockerizedSqlAndAttachDbFiles.ps1
https://github.com/Pellic/nav-docker/blob/master/generic/Pellic/BCOnPremContainerWithSQLDockerizedDB_.ps1
Do you have any suggestion to make it possible?
Thanks in advance for the support
Hi Pellic,
you’re missing the parameters for adding the custom scripts as well as the gMSA (for the container to have access to your domain):
–security-opt “credentialspec=file://$ContainerName.json” –hostname $ContainerName -e folders=”c:\run\my=https://github.com/tfenster/nav-docker-samples/archive/grant-user-access.zip\nav-docker-samples-grant-user-access” -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS
The name of the gMSA, the hostname and container name must be identical. You can create the gMSA with the script of Jakub (which also creates the JSON file): https://github.com/Koubek/nav-docker-examples/blob/master/gmsa/New-gMSA.ps1
You should be able to add those Parameters to your $additionalParameters in your BCOnPremContainerWithSQLDockerizedDB_.ps1 script.