As you have no doubt figured out by now, containerizing IIS apps that use Windows Authentication to authenticate users is not as simple as referring to the app's gMSA in the credentialspec option of the docker run command. Two additional things are needed: 1) associating the Service Principal Name (SPN) with the gMSA, and 2) setting the hostname of the container to the name of the gMSA.
Assuming you have a gMSA named redmond\adoncontt1 and a container host named markw2016cont5.redmond.corp.microsoft.com:
1) Use setspn like this:
setspn -c -s HTTP/markw2016cont5 redmond\adoncontt1
setspn -c -s HTTP/markw2016cont5.redmond.corp.microsoft.com redmond\adoncontt1
2) Add the -h parameter to the docker run command like this:
docker run -it --name winautht1 -h adoncontt1 -p 81:80 -v c:\shared:c:\shared --security-opt "credentialspec=file://adoncontt1.json" microsoft/windowsservercore:latest
* It is mandatory that the argument for the -h parameter in the docker run command (in this example 'adoncontt1') be exactly the name of the gMSA (in this example 'adoncontt1').
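A pre-flight check for the two requirements above, added here as an example (it is not code from the original post). The function name Test-GmsaContainerConfig, its parameters, and the sample credential spec and setspn -L output are constructed for illustration:

```powershell
function Test-GmsaContainerConfig {
    param(
        [string]$GmsaName,            # gMSA account name, e.g. 'adoncontt1'
        [string]$ContainerHostname,   # value planned for docker run -h
        [string[]]$RequiredSpns,      # SPNs clients will request tickets for
        [string]$CredentialSpecJson,  # contents of the credential spec file
        [string[]]$SetspnOutput       # lines printed by: setspn -L <domain>\<gMSA>
    )
    $problems = @()

    # Requirement 2: the container hostname must be the gMSA name
    # (-ne is case-insensitive, matching how AD treats account names).
    if ($ContainerHostname -ne $GmsaName) {
        $problems += "-h '$ContainerHostname' does not match gMSA '$GmsaName'"
    }

    # The credential spec passed via --security-opt must reference the same gMSA.
    $spec = $CredentialSpecJson | ConvertFrom-Json
    $specNames = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts |
                   ForEach-Object { $_.Name })
    if ($specNames -notcontains $GmsaName) {
        $problems += "credential spec does not list gMSA '$GmsaName'"
    }

    # Requirement 1: every SPN must be registered on the gMSA. SPN lines in
    # setspn -L output are single tokens of the form class/host.
    $registered = @($SetspnOutput | ForEach-Object { $_.Trim() } |
                    Where-Object { $_ -match '^[^\s/]+/\S+$' })
    foreach ($spn in $RequiredSpns) {
        if ($registered -notcontains $spn) { $problems += "SPN not on gMSA: $spn" }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample inputs (spec trimmed to the fields this check reads;
# the distinguished name in the setspn header is a placeholder).
$specJson = '{"ActiveDirectoryConfig":{"GroupManagedServiceAccounts":[{"Name":"adoncontt1","Scope":"redmond"}]}}'
$spnLines = @(
    'Registered ServicePrincipalNames for CN=adoncontt1,CN=Managed Service Accounts,DC=example:',
    "`tHTTP/markw2016cont5"
)
$spns = 'HTTP/markw2016cont5', 'HTTP/markw2016cont5.redmond.corp.microsoft.com'

# Flags the wrong hostname (container name used instead of the gMSA name)
# and the FQDN SPN that is absent from the sample setspn output.
(Test-GmsaContainerConfig -GmsaName 'adoncontt1' -ContainerHostname 'winautht1' `
    -RequiredSpns $spns -CredentialSpecJson $specJson -SetspnOutput $spnLines).Problems
```

Against a real environment, pass the credential spec file's contents (Get-Content -Raw) and the output of setspn -L redmond\adoncontt1 instead of the constructed samples.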
I'll get to this in a day or two 🙂