
Windows Container using gMSA with Interlock on Docker EE

Article ID: KB000986

Issue

Unable to connect to a Windows container running IIS that is configured for NTLM authentication and hosts .NET Framework applications using a gMSA for integrated Windows authentication through Interlock.

Accessing the application in a browser using the URL that was passed as the host label value (com.docker.lb.hosts) repeatedly prompts for user credentials without ever completing authentication, and eventually displays an 'access denied' page.

Resolution

Note: this solution is intended for Docker EE running Interlock and must be attempted from the client bundle or a manager node on a Windows host. It is not intended to be run on a standalone node.

Enable SSL passthrough on Interlock and add HTTPS support inside the Windows app container, so that the TLS connection terminates at IIS rather than at the proxy.

Steps taken:

  1. Set the published target port to 443:

     --publish target=443,mode=host,protocol=tcp \

  2. Set com.docker.lb.ssl_passthrough=true and com.docker.lb.port=443.

     The docker service command should look like:

     docker service create \
     --name app-gmsa \
     --credential-spec file://<cred-spec file name> \
     --hostname <windows app URL e.g., app.example.org> \
     --publish target=443,mode=host,protocol=tcp \
     --endpoint-mode dnsrr \
     --label com.docker.lb.hosts=<windows app URL e.g., app.example.org> \
     --label com.docker.lb.port=443 \
     --label com.docker.lb.ssl_passthrough=true \
     <Image Path>

  3. Once the service is up and running, install a certificate inside the container. For this example, if you do not have a certificate issued by a CA, you can create a self-signed certificate with the following steps.

     You must pass a -DnsName value in the following script. It must have the same value as the label com.docker.lb.hosts, for example, app.example.org.

   # Run inside the Windows app container (e.g. via docker exec powershell).
   Import-Module WebAdministration
   cd cert:
   # Create the self-signed certificate in the machine's personal store.
   # -DnsName must match the com.docker.lb.hosts label exactly.
   $cert = New-SelfSignedCertificate -DnsName app.example.org -FriendlyName MyCert -CertStoreLocation Cert:\LocalMachine\My
   # Add the same certificate to the container's Trusted Root store.
   $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
   $rootStore.Open("MaxAllowed")
   $rootStore.Add($cert)
   $rootStore.Close()

   cd iis:
   # Bind the certificate to port 443 on all addresses, then add an HTTPS binding to the site.
   New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert
   New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

You should see the following response after executing the previous script inside the container:

   IP Address          Port    Host name        Store           Sites
   ----------          ----    ---------        -----           -----
   0.0.0.0             443                      My

Refresh the https web page. It should now be accessible. Note that the browser may still show a security certificate warning even though the certificate has been added to the container's trusted root store. This is because it is a self-signed certificate, which, unlike a commercially issued certificate, has not been signed by a certificate authority that the client browser trusts.
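The following verification script is an added example and is not part of the original KB article or of Docker EE. It is meant to be run from the client bundle host (or any machine that resolves the app URL to an Interlock proxy node) after the steps above, and it checks two things that this issue hinges on: that, with ssl_passthrough enabled, the certificate presented on port 443 is the one installed inside the container (its DNS name matches the com.docker.lb.hosts label), and that IIS answers an anonymous request with an HTTP 401 carrying a WWW-Authenticate: Negotiate/NTLM challenge, which is what integrated Windows authentication must produce before a browser can authenticate with the gMSA-backed application. The host name and port are placeholders; replace app.example.org with your own label value.

```powershell
# Added verification script (not from the original KB article).
# Assumes: the service was created with the labels shown above, and $HostName
# resolves to an Interlock proxy node from the machine running this script.
param(
    [string]$HostName = 'app.example.org',   # must equal com.docker.lb.hosts
    [int]$Port = 443
)

# Capture the certificate the far end presents. With ssl_passthrough=true this
# should be the certificate installed inside the container, not one held by
# the Interlock proxy. The callback records validation errors instead of
# hiding them; it returns $true only so the handshake completes and the
# certificate can be inspected. This script makes no trust decision beyond that.
$script:RemoteCert = $null
$script:SslErrors  = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:RemoteCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
    $script:SslErrors  = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # The host name is sent as SNI; Interlock uses it to route passthrough traffic.
    $ssl.AuthenticateAsClient($HostName)

    Write-Host "Subject   : $($script:RemoteCert.Subject)"
    Write-Host "Issuer    : $($script:RemoteCert.Issuer)"
    Write-Host "Thumbprint: $($script:RemoteCert.Thumbprint)"
    Write-Host "Expires   : $($script:RemoteCert.NotAfter)"
    # RemoteCertificateChainErrors is expected here for a self-signed certificate.
    Write-Host "Policy err: $($script:SslErrors)"

    # GetNameInfo(DnsName) returns the certificate's DNS name (SAN, else subject CN).
    $certDns = $script:RemoteCert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($certDns -ieq $HostName) {
        Write-Host "OK: certificate DNS name matches com.docker.lb.hosts ($HostName)"
    } else {
        Write-Warning "Certificate DNS name '$certDns' does not match '$HostName'. Either -DnsName was wrong when the certificate was created, or passthrough is not reaching the intended backend."
    }

    # Send one anonymous request and read only the headers. IIS with Windows
    # Authentication enabled should answer 401 and advertise Negotiate/NTLM.
    $request = "HEAD / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
    $ssl.Write($bytes, 0, $bytes.Length)
    $ssl.Flush()
    $reader = New-Object System.IO.StreamReader($ssl)
    $response = $reader.ReadToEnd()
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

$lines       = $response -split "`r`n"
$statusLine  = $lines[0]
$authHeaders = $lines | Where-Object { $_ -like 'WWW-Authenticate:*' }
Write-Host "Status    : $statusLine"
if ($statusLine -match ' 401 ' -and $authHeaders) {
    Write-Host "OK: IIS is challenging with: $($authHeaders -join '; ')"
} else {
    Write-Warning "Expected HTTP 401 with a WWW-Authenticate: Negotiate/NTLM challenge; got '$statusLine'. Check that Windows Authentication is enabled and Anonymous Authentication is disabled on the site."
}
```

A 401 with Negotiate/NTLM headers is the healthy starting point of the authentication exchange; if instead the status is 200 without a challenge, anonymous access is still enabled, and if the connection fails at AuthenticateAsClient, the proxy is still terminating TLS itself and the ssl_passthrough label or port label has not taken effect.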

(Screenshot: security certificate warning)