Unable to connect to a Windows container running IIS, configured for NTLM authentication, with a .NET Framework app that uses a gMSA for integrated Windows authentication through Interlock. Accessing the application in a browser using the URL set as the host label value (com.docker.lb.hosts) repeatedly prompts for user credentials without completing authentication, and eventually displays an 'access denied' page.
Enable SSL passthrough and add HTTPS support inside the Windows app container.
- Set the published target port to 443:

  --publish target=443,mode=host,protocol=tcp \

The Docker service command should look like:

```
docker service create \
  --name app-gmsa \
  --credential-spec file://<cred-spec file name> \
  --hostname <windows app URL e.g., app.example.org> \
  --publish target=443,mode=host,protocol=tcp \
  --endpoint-mode dnsrr \
  --label com.docker.lb.hosts=<windows app URL e.g., app.example.org> \
  --label com.docker.lb.port=443 \
  --label com.docker.lb.ssl_passthrough=true \
  <Image Path>
```
Once the service is up and running, install a certificate. For this example, if you do not have a certificate issued by a CA, you can create a self-signed certificate by using the following steps.
You must pass a `-DnsName` value in the following script. It must be the same value as the `com.docker.lb.hosts` label, for example:

```powershell
Import-Module WebAdministration
cd cert:
# Issue a self-signed certificate whose DNS name matches com.docker.lb.hosts
$cert = New-SelfSignedCertificate -DnsName app.example.org -FriendlyName MyCert -CertStoreLocation Cert:\LocalMachine\My
# Copy the certificate into the Trusted Root store so the container itself trusts it
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
$rootStore.Open("MaxAllowed")
$rootStore.Add($cert)
$rootStore.Close()
cd iis:
# Attach the certificate to port 443 and add an https binding to the site
New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
```
You should see the following response after executing the previous script inside the container:
```
IP Address       Port Host name        Store  Sites
----------       ---- ---------        -----  -----
0.0.0.0          443                   My
```
Refresh the HTTPS web page. It should now be accessible. Note that you may still get a security certificate warning even though the certificate has been added to the trusted root store. This is because it is a self-issued certificate, which, unlike commercially available certificates, is not countersigned by a trusted authority.
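If the page still prompts or fails, the usual cause is a mismatch between the certificate, the 443 binding, and the host label. The following PowerShell check is an added example, not part of the original article; it is run inside the app container and assumes the hostname `app.example.org` and the site name `Default Web Site` from the steps above.

```powershell
# Added verification script (not from the original article).
# Confirms that the IIS SSL binding on 0.0.0.0:443 references a certificate
# whose DNS name matches the Interlock com.docker.lb.hosts value.
param(
    # Assumed value; set this to your com.docker.lb.hosts label
    [string]$ExpectedHost = 'app.example.org',
    [string]$SiteName     = 'Default Web Site'
)
Import-Module WebAdministration

# 1. The SSL binding on 0.0.0.0:443 must exist and carry a certificate thumbprint.
$binding = Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction Stop
$thumb   = $binding.Thumbprint
if (-not $thumb) { throw 'No certificate is attached to the 0.0.0.0:443 SSL binding.' }

# 2. That certificate must be in LocalMachine\My with its private key (IIS needs it to terminate TLS).
$cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key." }

# 3. The certificate's DNS names must cover the host label; with ssl_passthrough the
#    browser sees this certificate directly, so a name mismatch triggers a warning.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $ExpectedHost) {
    throw "Certificate covers [$($names -join ', ')] but not '$ExpectedHost'."
}

# 4. The site must expose an https binding on port 443 for the label com.docker.lb.port=443.
$web = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $web) { throw "$SiteName has no https binding on port 443." }

# 5. For a self-signed certificate, report whether the copy to Trusted Root succeeded.
$inRoot = Test-Path "Cert:\LocalMachine\Root\$thumb"

Write-Output "OK: $ExpectedHost is bound on 443 with thumbprint $thumb (trusted root copy present: $inRoot)"
```

Any `throw` pinpoints which of the steps above was skipped or applied with a different hostname.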