Active directory accounts inside a windows container (server 2016 TP5)

So I have Windows Server 2016 TP5 and I’m playing around with the containers. I am able to do basic docker tasks fine. I’m trying to figure out how to containerize some of our IIS-hosted web applications.

Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don’t have a test VM (that is in a domain) so I can’t test if this will work inside a container.

If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?

Also, if I specify the “USER” in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?

3 answers for “Active directory accounts inside a windows container (server 2016 TP5)”

Quick answer – no, containers are not supported as part of AD, so you can’t use AD accounts to run processes within a container or authenticate with it.

This used to be mentioned on the MS Containers site, but the original link now redirects.

Original wording (CTP 3 or 4?):
“Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts.”

I don’t know if that will change in a later release.

Someone tried to hack around it, but with no joy.

There are at least some scenarios where AD integration in a Docker container actually works:

1. You need to access network resources with AD credentials.
  1. Run cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass> under the local identity that needs this access.
  2. To apply the same trick to IIS apps without modifying AppPoolIdentity you’ll need a simple .ashx wrapper around cmdkey (Note: you’ll have to call this wrapper at run time, e.g. during ENTRYPOINT; otherwise the network credentials will be mapped to a different local identity).
2. You need to run code under an AD user.
  1. Impersonate using the ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT, as suggested.
3. You need transport-layer network security, like when making RPC calls (e.g. MSDTC) to AD-based resources.
  1. Set up a gMSA using any guide that suits you best. Note, however, that gMSA requires the Docker host to be in the domain.
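An added example, not part of the answer above, showing scenario 1 as a PowerShell ENTRYPOINT script: it maps the credentials with cmdkey under the local identity that runs it, verifies the mapping, then hands over to the app. The environment variable names, the launcher path and the choice to pass the credentials in at docker run time (rather than baking them into the image) are assumptions.

```powershell
# Added example (not code from the original answer). Entrypoint for a Windows container that
# maps AD credentials for one network resource with cmdkey, then starts the application.
# Assumptions: AD_RES, AD_USER and AD_PASS are supplied at 'docker run -e ...' time and the
# application runs under the SAME local account that executes this script (cmdkey stores the
# credential in the Credential Manager of the calling user only, as the answer points out).
param(
    [string]$AppStart = 'C:\app\start.ps1'   # hypothetical launcher for the containerised app
)
$ErrorActionPreference = 'Stop'

function Add-NetworkCredential {
    param([string]$Target, [string]$User, [string]$Password)
    # cmdkey /add:<target> /user:<user> /pass:<pass>; the mapping applies to the current user.
    & cmdkey.exe /add:$Target /user:$User /pass:$Password | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cmdkey failed for $Target (exit code $LASTEXITCODE)" }
    # Verify: cmdkey /list prints a 'Target: ...' line for every stored credential.
    $listed = (& cmdkey.exe /list) -match [regex]::Escape($Target)
    if (-not $listed) { throw "credential for $Target is not visible after /add" }
}

# Refuse to start with an incomplete credential set instead of failing later inside the app.
foreach ($name in 'AD_RES', 'AD_USER', 'AD_PASS') {
    if ([string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($name))) {
        throw "missing required environment variable $name"
    }
}

Add-NetworkCredential -Target $env:AD_RES -User $env:AD_USER -Password $env:AD_PASS

# Scrub the password from this process so the application and its children do not inherit it.
# Note: values passed with 'docker run -e' remain visible through 'docker inspect' on the host,
# which is why a gMSA (scenario 3) is preferable when the host can be domain-joined.
Remove-Item Env:AD_PASS

# Hand over to the application; the container lives as long as this process does.
& $AppStart
```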

You can’t join containers to a domain, but if your app needs to authenticate then you can use managed service accounts. Saves you the hassle of having to deal with packaging passwords.
