Unable to connect to a Windows container running IIS, configured for NTLM authorization and .NET Framework applications using gMSA for Integrated Windows Authentication through Interlock.
Accessing the application in a browser using the URL passed as the host label value (com.docker.lb.hosts) repeatedly prompts for user credentials without completing authentication, and eventually displays an 'access denied' page.
Note: this solution is intended for Docker EE running Interlock and must be attempted from the client bundle or a manager node on a Windows host. It is not intended to be run on a standalone node.
Enable SSL passthrough and add HTTPS support inside the Windows app container:
- Set the target port to 443:

  --publish target=443,mode=host,protocol=tcp

The Docker service command should look like:
```bash
docker service create \
  --name app-gmsa \
  --credential-spec file://<cred-spec file name> \
  --hostname <windows app URL, e.g., app.example.org> \
  --publish target=443,mode=host,protocol=tcp \
  --endpoint-mode dnsrr \
  --label com.docker.lb.hosts=<windows app URL, e.g., app.example.org> \
  --label com.docker.lb.port=443 \
  --label com.docker.lb.ssl_passthrough=true \
  <Image Path>
```
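As an added check (example code, not Docker's own tooling), the script below reads the JSON that `docker service inspect app-gmsa` prints and flags any of the settings above that are missing or inconsistent. The field names follow the Docker Engine API's service spec (Spec.Labels, Spec.EndpointSpec, Spec.TaskTemplate.ContainerSpec) and are an assumption to verify on your cluster; the sample service JSON is constructed, not captured.

```python
import copy
import json

# Constructed sample in the layout of `docker service inspect` output; field names assumed.
SAMPLE_OK = json.loads("""
[{"Spec": {
  "Labels": {"com.docker.lb.hosts": "app.example.org",
             "com.docker.lb.port": "443",
             "com.docker.lb.ssl_passthrough": "true"},
  "TaskTemplate": {"ContainerSpec": {
      "Hostname": "app.example.org",
      "Privileges": {"CredentialSpec": {"File": "app-gmsa.json"}}}},
  "EndpointSpec": {"Mode": "dnsrr",
      "Ports": [{"Protocol": "tcp", "TargetPort": 443, "PublishMode": "host"}]}
}}]
""")


def check_gmsa_passthrough(service):
    """Return the list of misconfigurations found in one service entry (empty means OK)."""
    spec = service.get("Spec", {})
    labels = spec.get("Labels", {})
    cspec = spec.get("TaskTemplate", {}).get("ContainerSpec", {})
    endpoint = spec.get("EndpointSpec", {})
    findings = []
    host = labels.get("com.docker.lb.hosts")
    if not host:
        findings.append("missing com.docker.lb.hosts label")
    elif cspec.get("Hostname") != host:
        # the procedure sets --hostname and com.docker.lb.hosts to the same app URL
        findings.append("--hostname does not match com.docker.lb.hosts")
    if labels.get("com.docker.lb.ssl_passthrough") != "true":
        findings.append("com.docker.lb.ssl_passthrough is not true")
    if labels.get("com.docker.lb.port") != "443":
        findings.append("com.docker.lb.port is not 443")
    if not cspec.get("Privileges", {}).get("CredentialSpec", {}).get("File"):
        findings.append("no file:// credential spec (gMSA) on the service")
    if endpoint.get("Mode") != "dnsrr":
        findings.append("endpoint mode is not dnsrr")
    if not any(p.get("TargetPort") == 443 and p.get("PublishMode") == "host"
               and p.get("Protocol") == "tcp" for p in endpoint.get("Ports", [])):
        findings.append("no host-mode tcp publish with target port 443")
    return findings


def broken_sample():
    """Constructed variant with passthrough disabled and a mismatched hostname."""
    bad = copy.deepcopy(SAMPLE_OK[0])
    bad["Spec"]["Labels"]["com.docker.lb.ssl_passthrough"] = "false"
    bad["Spec"]["TaskTemplate"]["ContainerSpec"]["Hostname"] = "app-gmsa"
    return bad
```

Against a real cluster, save `docker service inspect app-gmsa` to a file and pass the first element of the parsed JSON to `check_gmsa_passthrough`.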
Once the service is up and running, install a certificate. For this example, if you do not have a certificate issued by a CA, you can create a self-signed certificate by using the following steps.
You must pass a -DnsName value in the following script. It should have the same value as the label com.docker.lb.hosts, for example:
```powershell
Import-Module WebAdministration
cd cert:
# Create a self-signed certificate whose DNS name matches the com.docker.lb.hosts label
$cert = New-SelfSignedCertificate -DnsName app.example.org -FriendlyName MyCert -CertStoreLocation Cert:\LocalMachine\My
# Add it to the container's trusted root store
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
$rootStore.Open("MaxAllowed")
$rootStore.Add($cert)
$rootStore.Close()
cd iis:
# Bind the certificate to port 443 and add an HTTPS binding to the default site
New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
```
You should see the following response after executing the previous script inside the container:
```text
IP Address       Port Host name        Store    Sites
----------       ---- ---------        -----    -----
0.0.0.0          443                   My
```
Refresh the HTTPS web page. It should now be accessible. Note that you may still get a security certificate warning even though the certificate has been added to the trusted root store inside the container. This is because it is a self-signed certificate, which, unlike a commercially issued certificate, is not countersigned by an authority the browser trusts.