Getting IIS Win Auth to Work in a Container


As you have no doubt figured out by now, containerizing an IIS app that uses Windows Authentication to authenticate users is not as simple as referring to the app's gMSA in the credentialspec of the docker run command. Two additional steps are needed: 1) registering the Service Principal Names (SPNs) of the container host on the gMSA, and 2) setting the hostname of the container to the name of the gMSA.

tldr version:

Assuming you have a gMSA named redmond\adoncontt1 and a container host named markw2016cont5.redmond.corp.microsoft.com:

1) Use setspn to register both the short and the fully qualified HTTP SPN of the container host on the gMSA:

setspn -c -s HTTP/markw2016cont5 redmond\adoncontt1
setspn -c -s HTTP/markw2016cont5.redmond.corp.microsoft.com redmond\adoncontt1

2) Add the -h (hostname) parameter to the docker run command, like this:

docker run -it --name winautht1 -h adoncontt1 -p 81:80 -v c:\shared:c:\shared --security-opt "credentialspec=file://adoncontt1.json" microsoft/windowsservercore:latest

* The argument to the -h parameter of docker run (in this example 'adoncontt1') must be exactly the name of the gMSA (in this example 'adoncontt1'); the container's Kerberos identity is derived from its hostname, so any other value breaks Windows Authentication.
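The two steps above, plus the checks a practitioner would want before and after them, as one PowerShell script. This is an added example, not code from the original post: it assumes the gMSA redmond\adoncontt1 already exists, that the container host markw2016cont5 is domain-joined and allowed to retrieve the gMSA password, and that adoncontt1.json already sits in C:\ProgramData\docker\CredentialSpecs (the directory Docker on Windows resolves file:// credential specs against). The container name, port mapping and volume are taken from the post; the `ping -t localhost` keepalive stands in for the IIS site's own process so the container stays up long enough to be inspected.

```powershell
# Added example (not part of the original post). Registers the container host's
# HTTP SPNs on the gMSA, starts the container with its hostname pinned to the
# gMSA name, then verifies from inside the container that the gMSA secure
# channel to the domain actually works.
#
# Assumptions (see lead-in): gMSA exists, host is authorized to retrieve its
# password, adoncontt1.json is already in C:\ProgramData\docker\CredentialSpecs.

$Domain        = 'redmond'
$DomainDns     = 'redmond.corp.microsoft.com'
$Gmsa          = 'adoncontt1'                  # gMSA name, WITHOUT domain or '$'
$ContainerHost = 'markw2016cont5'              # name clients will use in the URL
$ContainerName = 'winautht1'
$Image         = 'microsoft/windowsservercore:latest'

# --- Step 1: SPNs -----------------------------------------------------------
# Both the short name and the FQDN of the container HOST go on the gMSA.
#   -c : the target account is a computer-type account (a gMSA is one)
#   -s : add only if the SPN does not already exist anywhere in the forest
$spns = @("HTTP/$ContainerHost", "HTTP/$ContainerHost.$DomainDns")

foreach ($spn in $spns) {
    # A duplicate SPN makes the KDC unable to pick a single account and
    # Kerberos falls over; look before registering so the failure is loud.
    $query = & setspn -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered on another account:`n$($query -join "`n")"
    }

    & setspn -c -s $spn "$Domain\$Gmsa"
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn" }
}

# Confirm both SPNs are now listed on the gMSA (setspn -L indents them).
$registered = & setspn -L "$Domain\$Gmsa"
foreach ($spn in $spns) {
    if (-not ($registered -match [regex]::Escape($spn))) {
        throw "$spn is not registered on $Domain\$Gmsa"
    }
}

# --- Step 2: run the container ---------------------------------------------
# The -h value MUST equal the gMSA name. Passing $Gmsa to both -h and the
# credential spec file name keeps the two from drifting apart.
& docker run -d --name $ContainerName -h $Gmsa -p 81:80 `
    -v c:\shared:c:\shared `
    --security-opt "credentialspec=file://$Gmsa.json" `
    $Image ping -t localhost
if ($LASTEXITCODE -ne 0) { throw 'docker run failed' }

# --- Step 3: verify from inside the container -------------------------------
# hostname must come back as the gMSA name (PowerShell -ne is case-insensitive).
$hostInside = (& docker exec $ContainerName hostname) -join '' | ForEach-Object Trim
if ($hostInside -ne $Gmsa) {
    throw "hostname inside container is '$hostInside', expected '$Gmsa'"
}

# nltest /sc_verify checks the secure channel the container established to the
# domain with the gMSA; a healthy channel reports NERR_Success.
$scVerify = & docker exec $ContainerName nltest "/sc_verify:$DomainDns"
$scVerify
if (-not ($scVerify -match 'NERR_Success')) {
    throw "gMSA secure channel not established; Windows Authentication will fail"
}

Write-Host "SPNs registered, hostname = $Gmsa, secure channel OK. Test with:"
Write-Host "  http://$ContainerHost.$DomainDns:81/ from a domain-joined client"
```

Run it in an elevated PowerShell on the container host with Domain Admin (or delegated SPN-write) rights, since setspn modifies the gMSA object. If the final secure-channel check fails while the SPNs and hostname are correct, the usual cause is the host not being in the gMSA's PrincipalsAllowedToRetrieveManagedPassword group; that is a gMSA configuration issue outside the two steps this post covers.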

Full version:

I'll get to this in a day or two 🙂


Comments (1)

  1. How is this going to work in any orchestration tool (Swarm, Kubernetes, etc.)?
