Active directory accounts inside a windows container (server 2016 TP5) - docker

So I have Windows Server 2016 TP5 and I'm playing around with the containers. I am able to do basic docker tasks fine. I'm trying to figure out how to containerize some of our IIS-hosted web applications.
Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don't have a test VM (that is in a domain) so I can't test if this will work inside a container.
If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?
EDIT:
Also, if I specify the "USER" in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?

There are at least some scenarios where AD-integration in Docker container actually works:
You need to access network resources with AD credentials.
Run cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass> under local identity that needs this access
To apply the same trick to IIS apps without modifying AppPoolIdentity you'll need a simplest .ashx wrapper around cmdkey (Note: you'll have to call this wrapper in run-time, e.g.: during ENTRYPOINT, otherwise network credentials will be mapped to different local identity)
You need to run code under AD user
Impersonate using ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT as suggested
You need transport layer network security, like when making RPC calls (e.g.: MSDTC) to an AD-based resources.
Set up gMSA by using any guide that suites you best. Note however, that gMSA requires Docker host to be in the domain.

Update: this answer is no longer relevant - was for 2016 TP5. AD support has been added in later releases
Original answer
Quick answer - no, containers are not supported as part of AD so you can't use AD accounts to run processes within a container or authenticate with it
This used to be mentioned on the MS Containers site but the original link now redirects.
Original wording (CTP 3 or 4?):
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
I don't know if that will change in a later release.
Someone tried to hack around it but with no joy.

You can't join containers to a domain but if your app needs to authenticate then you can use managed service accounts. Saves you the hassle of having to deal with packaging passwords.
https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_serviceaccounts

Related

One VPS, multiples services, different projects/domains

This is my first VPS, so I am pretty new to administrating my own box. I already have experience with a managed web server, registrars, DNS settings, etc. The basics. Now I'd like to take it a step further and manage my own VPS to run multiple services for different business and private projects.
So far I got an VPS from Contabo, updated the system, set up a new user with sudo rights, secured the root user, configured Ufw, installed Nginx with server blocks for two domains and created SSL certificates for one domain using Certbot.
Before I go on with setting up my VPS, I'd like to verify my approach for hosting multiple services for multiple domains makes sense and is a good way to go.
My goal is to host the following services on my VPS. Some of them will be used by all projects some only by a single one:
static website hosting
dynamic website hosting with a lightweight CMS
send and receive emails
Nextcloud/Owncloud
Ghost blog
My current approach is to run all services except for Nginx and the mail server with Docker. Using Nginx as proxy to the services encapsulated in Docker.
Is this an overkill or a valid way to go forward in order to keep the system nice and clean? Since I am new to all of this, I am unsure if I also could run all of the services without using Docker but still be able to serve the different projects on different domains without messing up the system.
Furthermore, I'd like to make sure, that access to the services and the stored data is properly separated between the different tenants (projects). And of course ideally the admin of the services is kind of manageable.

Azure Equivalent of Resource Group Local Host

I've had a little dig through azure documentation but couldn't find a definitive answer.
I have an app service and an azure db sitting in the same resource group, and I am finding the site takes a long time to connect and get responses back from the database only in the hosted environment.
Is it possible to specify a localhost equivalent as they are in the same resource group, and would this make things any quicker?
Resource Group does not have any impact on the connectivity or latency of the application and the database. It is just to group the Azure resources together based on a Project/Envrionment.
There is no equivalent for resourcegroup or even appservice unless if you want to run your application in IIS or any other server.
If you really want to see what is causing the connectivity issue, i will recommend you to monitor the request and response using Azure Monitor.
I think you need to understand the cloud concepts first before trying out anything.

IShellFolder with service application

I am using shellobj unit to list network shares with subfolders using IShellFolder interface but it doens't work in windows service application. Can some one advise a way to solve that problem
thanks
As David mentioned you have to make sure your service runs in the correct context. See this post here.
The logon account determines the security identity of the service at
run time, that is, the service's primary security context. The
security context determines the service's ability to access local and
network resources. For example, a service running in the security
context of a local user account cannot access network resources.

What Microsoft Azure should i use?

My company is about provide e-commercial website service and finding the best solution for deployment.
Our application is a multi-tenant e-commercial application. Once purchased, our customer has a website. The newly created website can be browsed by default subdomain on our domain (our domain is invishop.com) eg: mikeshop.invishop.com. The website also can be browsed by customer's custom domain. This requires to create CNAME record to our domain name (invishop.com). Our multi-tenant application is developed in ASP.NET MVC platform.
The simplest solution our considered is Windows hosting with Dedicated IP but this solution does not meet big users requirement. Our application will be used by up to 1000 or higher at a same time. If we deploy our service on shared ASP.NET hosting our service is always can not access. We want to run our application on higher availability Infrastructure but do not want to focus on building and managing Infrastructure. We only want to focus on develop our application and business.
So what service we should use ?
You can use Azure virtual machines for hosting. VMs are scalable and you can make availability set with other VMs. So, if is going down (update etc), the second will working. You can create virtual network and assign some VMs to it (Web server and database server). You can use backup services for each VM too.
You can make VM with dedicated IP - Be careful it is possible to configure ONLY before you make VM - you must use PowerShell.
Create dedicated IP via PowerShell (see on internet commands)
Create virtual network (not necessary)
create VM - web server and assign it to IP via PowerShell
create VM - SQL server
Configure server for IIS - it is possible to host multiple websites on one VM via host names (I use this). Add A record to your domain(xyz.com and www.xyz.com and your dedicated IP)

ServicePrincipleName setup for Web Service on IIS 7

I'm so confused.
Consider the following:
Active Directory environment with a domain called DOM
An IIS 7 box with a NetBIOS name VS1
A DNS record providing an alias for VS1 as pineapple.london.uk.corp
An Application Pool running as DOM\PineappleService
Windows Authentication enabled.
Clients use HttpWebRequest to call the XML/JSON ASP.NET services on the box.
The service calls out to workstations on the network to gather information. This works in development where I use IIS Express which runs as me, since IISX is just an .exe
In production, services work fine, authentication works, but invoking functions that cause the service (running as PineappleService) to access stuff on the network, fails.
I suspect an SPN registration issue but I don't know what SPNs to setup.
Most recently, I've stumbled across this article which seems to say fly in the face of some other articles:
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Note that it says
The SPN requirements remain the same as above. You don't have to add
SPNs like http/ for the Domain1\Username1
unlike in IIS 6.0 (where we had to add an SPN of the form
http/ for the Application Pool identity).
So I don't know what's right anymore. I don't know if I need to register HTTP SPNs or HOST SPNs or use the DNS alias or the NetBIOS name, and set them on the PineappleService account or on the VS1 computer account.
I can't tell if when I try things that there's a slow AD replication issue that means I must wait an hour between trial and error.
It's all so complicated now. I've worked as a sysop and dev for 15 years and I sense the end of domains and workstations and rights and policies. It's all gotten too much.
Thanks for your help.
Luke
This is a cross-post with ServerFault which is getting no answers:
https://serverfault.com/questions/417483/serviceprinciplename-setup-for-web-service-on-iis-

Resources