At DockerCon Europe 2018, Israel Vega from Microsoft and Steven Follis from Docker (@steven_follis) gave a session called “Avoiding an identity crisis” on Windows / Active Directory authentication for containers. It is a really good introduction and also contains a lot of interesting information if you are already working with win auth in containers. For example, I was fully convinced that delegation is not working, but that is just wrong (fortunately). So as soon as the recordings appear, I would suggest watching that session. At the same time, user PleachiM opened an issue in the GitHub repo of nav-docker stating that win auth against Azure Active Directory Domain Services (AAD DS) does work, which was only briefly covered in the DockerCon session, so I decided to give it a try.
It works¹.
Ok, maybe a bit more detail: if you set up AAD DS and make sure that the VM hosting your container is in the right virtual network and subnet, you can then create gMSAs and use them in your containers to get win auth. Through that setup you can also verify that for win auth with Windows Server 2019, the gMSA name and the container hostname no longer need to be identical.
As Israel and Steven did a very good job explaining (almost) everything happening in my walkthrough, I won’t try to replicate that and instead just point you to the recording. I will only highlight things specific to my setup. Here are the steps²:
```powershell
Install-WindowsFeature RSAT-ADDS
New-ADOrganizationalUnit -Name "gMSAs" -Path "DC=ARSSOLVENDI,DC=ONMICROSOFT,DC=COM"

# Create a group to hold the container hosts
$containerHostName = "test19-1"
$containerHostGroupName = "ContainerHosts"
$containerHostGroupDisplayName = "Windows Container Hosts"
New-ADGroup -GroupCategory Security -Path "OU=gMSAs,DC=ARSSOLVENDI,DC=ONMICROSOFT,DC=COM" -Name $containerHostGroupName -DisplayName $containerHostGroupDisplayName -GroupScope Universal

# Add the container host machines to the group
Add-ADGroupMember -Members (Get-ADComputer -Identity $containerHostName) -Identity $containerHostGroupName

# Reboot the container host so the new group membership takes effect, then verify the group
Get-ADGroup -Identity $containerHostGroupName
```
With that we are set up and can create the gMSA. Again, I am very creatively naming it “gmsa”, but of course you can also change that. In the next part we create the gMSA, install and test it, and then download the credential spec module, which is in turn used to create the credential spec file. If you are not sure what is happening here, please watch the recording.
```powershell
$gmsaAccount = "gmsa"
$gmsaAccountFQDN = "gmsa@arssolvendi.onmicrosoft.com"
$containerHostGroupLdapCN = "CN=ContainerHosts,OU=gMSAs,DC=ARSSOLVENDI,DC=ONMICROSOFT,DC=COM"

# Create the gMSA; only the listed principals may retrieve its managed password
New-ADServiceAccount -Name $gmsaAccount -DNSHostName $gmsaAccountFQDN `
    -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers", "Domain Admins", $containerHostGroupLdapCN `
    -KerberosEncryptionType RC4, AES128, AES256 `
    -ServicePrincipalNames HTTP/$gmsaAccount, HTTP/$gmsaAccountFQDN

# Install and test the gMSA on this container host
Install-ADServiceAccount -Identity $gmsaAccount
Test-ADServiceAccount -Identity $gmsaAccount

# Download the credential spec module and create the credential spec file
Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1" -UseBasicParsing -OutFile $env:TEMP\cred.psm1
Import-Module $env:temp\cred.psm1
New-CredentialSpec -Name "$gmsaAccount-gmsa" -AccountName $gmsaAccount -Domain $(Get-ADDomain -Current LocalComputer)
Get-CredentialSpec
```
```
docker run --security-opt "credentialspec=file://gmsa-gmsa.json" -ti --rm mcr.microsoft.com/windows/servercore:1809
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>nltest /parentdomain
arssolvendi.onmicrosoft.com. (1)
The command completed successfully

C:\>nltest /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
```
```powershell
# Second container host: add it to the container hosts group
Install-WindowsFeature RSAT-ADDS
$containerHostName = "test19-2"
$containerHostGroupName = "ContainerHosts"
Add-ADGroupMember -Members (Get-ADComputer -Identity $containerHostName) -Identity $containerHostGroupName
```
```powershell
# Install and test the existing gMSA on the second host, then create its credential spec
$gmsaAccount = "gmsa"
Install-ADServiceAccount -Identity $gmsaAccount
Test-ADServiceAccount -Identity $gmsaAccount
Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1" -UseBasicParsing -OutFile $env:TEMP\cred.psm1
Import-Module $env:temp\cred.psm1
New-CredentialSpec -Name "$gmsaAccount-gmsa" -AccountName $gmsaAccount -Domain $(Get-ADDomain -Current LocalComputer)
Get-CredentialSpec
```
```
docker run --security-opt "credentialspec=file://gmsa-gmsa.json" -ti --rm mcr.microsoft.com/windows/servercore:1809
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>nltest /parentdomain
arssolvendi.onmicrosoft.com. (1)
The command completed successfully

C:\>nltest /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
```
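As an added check (my own script, not part of the original walkthrough or the CredentialSpec module), the following PowerShell verifies from a container host that the pieces set up above are in place: the host's membership in the container hosts group, the gMSA test, which principals may retrieve the gMSA password, and that the credential spec Docker loads names the expected gMSA and domain. It assumes the names used in the post and Docker's default credential spec directory under `$env:ProgramData\docker\CredentialSpecs`.

```powershell
param(
    [string]$GmsaAccount = "gmsa",
    [string]$ContainerHostGroupName = "ContainerHosts",
    [string]$CredSpecName = "gmsa-gmsa"
)
Import-Module ActiveDirectory
$problems = @()

# 1. This host must be in the group allowed to retrieve the gMSA password
#    (membership only takes effect after the reboot in the walkthrough).
$hostDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$memberDns = Get-ADGroupMember -Identity $ContainerHostGroupName -Recursive |
    Select-Object -ExpandProperty DistinguishedName
if ($memberDns -notcontains $hostDn) {
    $problems += "$env:COMPUTERNAME is not a member of $ContainerHostGroupName"
}

# 2. The host must actually be able to retrieve the managed password.
if (-not (Test-ADServiceAccount -Identity $GmsaAccount)) {
    $problems += "Test-ADServiceAccount failed for $GmsaAccount (run Install-ADServiceAccount here)"
}

# 3. Least privilege: flag any principal other than the container host group
#    that is allowed to read the gMSA password.
$gmsa = Get-ADServiceAccount -Identity $GmsaAccount -Properties PrincipalsAllowedToRetrieveManagedPassword
$groupDn = (Get-ADGroup -Identity $ContainerHostGroupName).DistinguishedName
foreach ($p in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    if ($p -ne $groupDn) { $problems += "Extra principal can retrieve the gMSA password: $p" }
}

# 4. The credential spec Docker loads via file:// lives in this directory (assumed
#    default Docker path) and must name this gMSA and this domain.
$credSpecPath = Join-Path "$env:ProgramData\docker\CredentialSpecs" "$CredSpecName.json"
if (-not (Test-Path $credSpecPath)) {
    $problems += "Credential spec not found: $credSpecPath"
} else {
    $spec = Get-Content $credSpecPath -Raw | ConvertFrom-Json
    $domain = Get-ADDomain -Current LocalComputer
    if ($spec.DomainJoinConfig.DnsName -ne $domain.DNSRoot) {
        $problems += "Credential spec domain '$($spec.DomainJoinConfig.DnsName)' != '$($domain.DNSRoot)'"
    }
    $gmsaNames = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts | ForEach-Object { $_.Name })
    if ($gmsaNames -notcontains $GmsaAccount) {
        $problems += "Credential spec does not list gMSA $GmsaAccount"
    }
}

if ($problems.Count -eq 0) { "gMSA setup looks good for $GmsaAccount on $env:COMPUTERNAME" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it on each container host after the reboot; with the principals chosen in the post, step 3 will report "Domain Controllers" and "Domain Admins" as extra principals, which is worth reviewing before using the setup beyond a test environment.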
With that you should be able to use Kerberos and NTLM based authentication for users in the AAD DS. In a follow-up post I will show how to use this with NAV / BC.