
Windows Container using gMSA with Interlock on Docker EE

Article ID: KB000986

Issue

Unable to connect to a Windows container running IIS that is configured for NTLM authentication and hosts a .NET Framework app using gMSA for integrated Windows authentication through Interlock. Accessing the application in a browser using the URL passed as the host label value (com.docker.lb.hosts) repeatedly prompts for user credentials without completing authentication, and eventually displays an 'access denied' page.

Resolution

Enable SSL passthrough on the Interlock service labels and add HTTPS support inside the Windows app container.

Steps taken:

  1. Set the target port to 443:

   --publish target=443,mode=host,protocol=tcp \

  2. Set com.docker.lb.ssl_passthrough=true and com.docker.lb.port=443.

    The docker service command should look like this:

   docker service create \
   --name app-gmsa \
   --credential-spec file://<cred-spec file name> \
   --hostname <windows app URL e.g., app.example.org> \
   --publish target=443,mode=host,protocol=tcp \
   --endpoint-mode dnsrr \
   --label com.docker.lb.hosts=<windows app URL e.g., app.example.org> \
   --label com.docker.lb.port=443 \
   --label com.docker.lb.ssl_passthrough=true \
   <Image Path>

  3. Once the service is up and running, install a certificate. For this example, if you do not have a certificate issued by a CA, you can create a self-signed certificate with the following steps.

    You must pass a -DnsName value in the following script. It must have the same value as the label com.docker.lb.hosts, for example, app.example.org.

   # Load the IIS management cmdlets and switch to the certificate drive
   Import-Module WebAdministration
   cd cert:
   # Create the self-signed certificate in the machine's personal store;
   # -DnsName must match the com.docker.lb.hosts label
   $cert = New-SelfSignedCertificate -DnsName app.example.org -FriendlyName MyCert -CertStoreLocation Cert:\LocalMachine\My
   # Also place it in the machine's Trusted Root store
   $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
   $rootStore.Open("MaxAllowed")
   $rootStore.Add($cert)
   $rootStore.Close()

   # Bind the certificate to port 443 and add the HTTPS binding to the site
   cd iis:
   New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert
   New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

You should see the following response after executing the previous script inside the container:

   IP Address          Port    Host name        Store           Sites
   ----------          ----    ---------        -----           -----
   0.0.0.0             443                      My
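As an added pre-flight check (example code, not part of the original article), the following Python reads `docker service inspect` output and verifies the invariants the service command above relies on: passthrough enabled, com.docker.lb.port equal to a published TCP target port, host-mode publishing with dnsrr, a credential spec attached, and the container hostname equal to the host label (the name the certificate's -DnsName must carry, since with passthrough the browser sees the container's own certificate). The sample JSON is constructed and the credential-spec file name in it is an assumption.

```python
import json

# Constructed sample of `docker service inspect app-gmsa` output, trimmed to the
# fields this check reads (not captured from a real cluster).
SAMPLE_INSPECT = json.dumps([{
    "Spec": {
        "Labels": {
            "com.docker.lb.hosts": "app.example.org",
            "com.docker.lb.port": "443",
            "com.docker.lb.ssl_passthrough": "true",
        },
        "TaskTemplate": {"ContainerSpec": {
            "Hostname": "app.example.org",
            "Privileges": {"CredentialSpec": {"File": "app-gmsa.json"}},
        }},
        "EndpointSpec": {
            "Mode": "dnsrr",
            "Ports": [{"Protocol": "tcp", "TargetPort": 443, "PublishMode": "host"}],
        },
    }
}])


def check_gmsa_passthrough(inspect_json):
    """Return a list of problems; an empty list means the spec matches the KB layout."""
    spec = json.loads(inspect_json)[0]["Spec"]
    labels = spec.get("Labels", {})
    cspec = spec["TaskTemplate"]["ContainerSpec"]
    endpoint = spec.get("EndpointSpec", {})
    ports = endpoint.get("Ports", [])
    problems = []
    host = labels.get("com.docker.lb.hosts")
    if not host:
        problems.append("missing com.docker.lb.hosts label")
    if labels.get("com.docker.lb.ssl_passthrough") != "true":
        problems.append("com.docker.lb.ssl_passthrough is not 'true'")
    # With passthrough the browser sees the container's own certificate, so the
    # hostname used for the cert's -DnsName must equal the host label.
    if host and cspec.get("Hostname") != host:
        problems.append("container hostname does not match com.docker.lb.hosts")
    if not cspec.get("Privileges", {}).get("CredentialSpec"):
        problems.append("no gMSA credential spec attached to the service")
    targets = {str(p.get("TargetPort")) for p in ports if p.get("Protocol") == "tcp"}
    if labels.get("com.docker.lb.port") not in targets:
        problems.append("com.docker.lb.port does not match a published tcp target port")
    if any(p.get("PublishMode") != "host" for p in ports):
        problems.append("port is not published with mode=host")
    if endpoint.get("Mode") != "dnsrr":
        problems.append("endpoint mode is not dnsrr")
    return problems
```

Run it against the real output of `docker service inspect app-gmsa` before troubleshooting the certificate; any non-empty result points at the label or publish setting to fix first.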

Refresh the HTTPS web page. It should now be accessible. Note that you may still get a security certificate warning even though the certificate has been added to the Trusted Root store inside the container. This is because it is a self-signed certificate which, unlike a commercially issued certificate, is not signed by an authority the browser already trusts.

(Screenshot: security certificate warning)