Solutions
Markets
References
Services
Company
Quickly grant access to a user group when starting a NAV container

Quickly grant access to a user group when starting a NAV container

19. February 2018

Quickly grant access to a user group when starting a NAV container

As we use Docker containers internally to quickly spin up environments for reproducing bugs, delivering fixes on older releases or quickly test our application, we needed a way to easily grant access to a specific Active Directory user group. When starting a container, we want the following actions to be taken:

Luckily, the official Docker image for NAV makes customization very easy and we can just override the AdditionalSetup.ps1-script and run our custom scripts. You can find these scripts in Tobias’ GitHub repository.

The setupDevDbAccess.ps1-script just adds a SQL user for the domain user group to the local database if it not already exists. The domain and group name are taken from the environment variables DevDomain and DevGroup.

The script setupDevNavUsers.ps1 uses the ActiveDirectory PowerShell module and therefore installs the corresponding Windows feature. Afterwards it retrieves every single user of the group specified in DevGroup, checks if it already has a NAV user and if not, creates it.

Note that the container needs access to the Active Directory domain for this to work. This can be achieved with the use of gMSAs. Jakub Vanak provided a script in his repository, which shows how to easily create a gMSA.

With the gMSA set up and the use of the folders feature we can start a container with the custom scripts:

docker run --rm -e accept_eula=y -e auth=Windows --network MyTransparentNetwork --security-opt "credentialspec=file://releaseX.json" --name releaseX --hostname releaseX -e folders="c:\run\my=https://github.com/tfenster/nav-docker-samples/archive/grant-user-access.zip\nav-docker-samples-grant-user-access" -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS microsoft/dynamics-nav:2017-cu14

Docker uses the CredentialSpec to run the container with the specified gMSA. To access the domain, the container connects via a transparent network. While the container starts, the custom scripts are downloaded from the GitHub repository and the users are created.

This way, we can easily grant access to a user group in a couple of seconds while starting the NAV container. Awesome!


4 Kommentare zu “Quickly grant access to a user group when starting a NAV container”

  1. Hello Markus
    I am building similar system for our company’s internal use. Your blog has been inspiration to me, and it is just great that you share your knowledge with others struggling with same problems.
    I have managed to implement this system so far that I should run the docker image, but then I cannot find the structure or information what should be included in credentialspec file.
    Can you elaborate this a bit?

  2. Hello Urpo,

    great that the blog helps you. Did you have a look at Jakub’s script (https://github.com/Koubek/nav-docker-examples/blob/master/gmsa/New-gMSA.ps1) I mentioned? You basically just need to run e.g.

    New-gMSA -HostNames @(‘YourContainerHostName’) -SecGroupPath ‘OU=mygMSAs,DC=mydomain,DC=com’ -PrincipalsAllowedToRetrieveManagedPassword @(‘DockerGMSAGroup’)

    For the script to work the user who runs the script must have the rights to create gMSAs in the specified ActiveDirectory OU. Also the AD PowerShell tools must be installed first (Add-WindowsFeature rsat-ad-powershell) and the Docker host must be member of the group specified in the last parameter to have access to the created gMSA.

    The script automatically creates the credentialspec file in C:\ProgramData\docker\credentialspecs\YourContainerHostName.json so that it can be used in the docker run command with –security-opt “credentialspec=file://YourContainerHostName.json”

    If your’re still struggling, feel free to contact me via Twitter or LinkedIn.

  3. Hi Tobias,
    thankyou very much for your post.
    I would like to use the AD authentication to spin up a nav container and make it usable from all developers group of my domain.
    Actually I use a script to create a dockerized sql db, and another one to run bc container with navuserpassword:
    https://github.com/Pellic/nav-docker/blob/master/generic/Pellic/CreateDockerizedSqlAndAttachDbFiles.ps1
    https://github.com/Pellic/nav-docker/blob/master/generic/Pellic/BCOnPremContainerWithSQLDockerizedDB_.ps1

    Do you have any suggestion to make it possible?
    Thanks in advance for the support

  4. Hi Pellic,

    you’re missing the parameters for adding the custom scripts as well as the gMSA (for the container to have access to your domain):
    –security-opt “credentialspec=file://$ContainerName.json” –hostname $ContainerName -e folders=”c:\run\my=https://github.com/tfenster/nav-docker-samples/archive/grant-user-access.zip\nav-docker-samples-grant-user-access” -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS

    The name of the gMSA, the hostname and container name must be identical. You can create the gMSA with the script of Jakub (which also creates the JSON file): https://github.com/Koubek/nav-docker-examples/blob/master/gmsa/New-gMSA.ps1

    You should be able to add those Parameters to your $additionalParameters in your BCOnPremContainerWithSQLDockerizedDB_.ps1 script.


Leave a Reply

Your email address will not be published. Required fields are marked *