I'm trying to get a Docker image to run on our on-premises Service Fabric cluster.
We've set up a Service Fabric cluster on our on-premises network, which seems to run fine (it already runs 2 Docker images). I'm looking for one of my containers to run under a domain user (service account), so I can reach SMB shares in my network (which have been granted permission to the service account).
I'm getting the following error:
Error event: SourceId='System.Hosting', Property='Activation:1.0'. There was an error during activation.Failed to setup ApplicationPrincipals. Error:ApplicationPrincipalAbortableError
The container I'm trying to run: https://hub.docker.com/r/stefanscherer/registry-windows/
ApplicationManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest ApplicationTypeName="[REMOVED].ServiceFabric.WindowsContainerRegistryType"
                     ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Parameters>
    <Parameter Name="WindowsContainerRegistry_InstanceCount" DefaultValue="-1" />
  </Parameters>
  <!-- Import the ServiceManifest from the ServicePackage. The ServiceManifestName and ServiceManifestVersion
       should match the Name and Version attributes of the ServiceManifest element defined in the
       ServiceManifest.xml file. -->
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WindowsContainerRegistryPkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
    <Policies>
      <ContainerHostPolicies CodePackageRef="Code">
        <!-- See https://aka.ms/I7z0p9 for how to encrypt your repository password -->
        <RepositoryCredentials AccountName="" Password="" PasswordEncrypted="false" />
        <PortBinding ContainerPort="5000" EndpointRef="WindowsContainerRegistryTypeEndpoint" />
        <Volume Source="\\[REMOVED]\ServiceFabricShare" Destination="C:\registry" IsReadOnly="false"></Volume>
      </ContainerHostPolicies>
    </Policies>
  </ServiceManifestImport>
  <DefaultServices>
    <!-- The section below creates instances of service types, when an instance of this
         application type is created. You can also create one or more instances of service type using the
         ServiceFabric PowerShell module.
         The attribute ServiceTypeName below must match the name defined in the imported ServiceManifest.xml file. -->
    <Service Name="WindowsContainerRegistry" ServicePackageActivationMode="ExclusiveProcess">
      <StatelessService ServiceTypeName="WindowsContainerRegistryType" InstanceCount="[WindowsContainerRegistry_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>
  <Principals>
    <Users>
      <User Name="ServiceFabricAppl" AccountType="DomainUser" AccountName="[REMOVED]\appl_ServiceFabric" Password="[REMOVED]" PasswordEncrypted="false" />
    </Users>
  </Principals>
  <Policies>
    <DefaultRunAsPolicy UserRef="ServiceFabricAppl" />
  </Policies>
</ApplicationManifest>
P.S. I'm working with an unencrypted password just for testing purposes, to make sure this isn't the problem right now.
ServiceManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<ServiceManifest Name="WindowsContainerRegistryPkg"
                 Version="1.0.0"
                 xmlns="http://schemas.microsoft.com/2011/01/fabric"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ServiceTypes>
    <!-- This is the name of your ServiceType.
         The UseImplicitHost attribute indicates this is a guest service. -->
    <StatelessServiceType ServiceTypeName="WindowsContainerRegistryType" UseImplicitHost="true">
      <Extensions>
        <Extension Name="Traefik">
          <Labels xmlns="http://schemas.microsoft.com/2015/03/fabact-no-schema">
            <Label Key="traefik.frontend.rule">Host:registry.windows.containers.[REMOVED].com</Label>
            <Label Key="traefik.enable">true</Label>
            <Label Key="traefik.frontend.passHostHeader">true</Label>
            <!--<Label Key="traefik.port">5000</Label>
            <Label Key="traefik.protocol">http</Label>
            <Label Key="traefik.frontend.entryPoints">http,https</Label>
            <Label Key="traefik.frontend.headers.referrerPolicy">no-referrer</Label>-->
          </Labels>
        </Extension>
      </Extensions>
    </StatelessServiceType>
  </ServiceTypes>
  <!-- Code package is your service executable. -->
  <CodePackage Name="Code" Version="1.0.0">
    <EntryPoint>
      <!-- Follow this link for more information about deploying Windows containers to Service Fabric: https://aka.ms/sfguestcontainers -->
      <ContainerHost>
        <ImageName>stefanscherer/registry-windows:2.6.2-2016</ImageName>
      </ContainerHost>
    </EntryPoint>
    <!-- Pass environment variables to your container: -->
    <!--
    <EnvironmentVariables>
      <EnvironmentVariable Name="VariableName" Value="VariableValue"/>
    </EnvironmentVariables>
    -->
  </CodePackage>
  <!-- Config package is the contents of the Config directory under PackageRoot that contains an
       independently-updateable and versioned set of custom configuration settings for your service. -->
  <ConfigPackage Name="Config" Version="1.0.0" />
  <Resources>
    <Endpoints>
      <!-- This endpoint is used by the communication listener to obtain the port on which to
           listen. Please note that if your service is partitioned, this port is shared with
           replicas of different partitions that are placed in your code. -->
      <Endpoint Name="WindowsContainerRegistryTypeEndpoint" Port="5000" />
    </Endpoints>
  </Resources>
</ServiceManifest>
Sources:
- https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-run-service-as-ad-user-or-group
- Service fabric local cluster error (this one didn't offer any solution for me unfortunately)
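Added example, not part of the question above: a PowerShell pre-flight script a practitioner would run on one of the Service Fabric nodes before changing the manifest. It checks the three things the `<Principals>` entry in the ApplicationManifest depends on: that the node can validate the domain account's password against the domain, that a process logged on as that account can actually list the SMB share that is mounted as a `<Volume>`, and it produces the encrypted form of the password with `Invoke-ServiceFabricEncryptText` so the clear-text `PasswordEncrypted="false"` used for testing can be replaced by `PasswordEncrypted="true"`. The domain name `CONTOSO`, the account `appl_ServiceFabric`, the share `\\fileserver\ServiceFabricShare` and the certificate thumbprint are placeholder assumptions standing in for the `[REMOVED]` values in the post; the certificate must be installed in the local machine store on every node.

```powershell
# Added example (not from the original question): pre-flight checks for the domain
# account referenced in <Principals>, to be run in an elevated PowerShell on a node.
# Hypothetical placeholder values; replace them with the real domain, account, share
# and the thumbprint of a certificate present in LocalMachine\My on every node.
param(
    [string]$Domain         = 'CONTOSO',
    [string]$User           = 'appl_ServiceFabric',
    [string]$SharePath      = '\\fileserver\ServiceFabricShare',
    [string]$CertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
)

# Never hard-code the password; prompt for it and keep it as a SecureString where possible.
$securePw = Read-Host -Prompt "Password for $Domain\$User" -AsSecureString
$cred     = New-Object System.Management.Automation.PSCredential("$Domain\$User", $securePw)
$plainPw  = $cred.GetNetworkCredential().Password   # needed only for the two APIs below

# 1. Can this node authenticate the account against the domain at all?
#    Application principals are created by the node itself, so the node must reach a
#    domain controller and the user name / password pair must be accepted by it.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
if (-not $ctx.ValidateCredentials($User, $plainPw)) {
    throw "Domain $Domain rejected the credentials for $Domain\$User (wrong password, locked out, or DC unreachable)"
}
Write-Host "Credentials for $Domain\$User validated against $Domain"

# 2. Can a process logged on as that account see the share the container is meant to mount?
#    Start-Process -Credential performs a real logon for the account on this node, so this
#    step also fails if the account lacks logon rights here, not only if the share ACL is wrong.
$listing = Start-Process -FilePath cmd.exe -ArgumentList "/c dir `"$SharePath`"" `
    -Credential $cred -Wait -PassThru
if ($listing.ExitCode -ne 0) {
    throw "dir $SharePath as $Domain\$User failed with exit code $($listing.ExitCode)"
}
Write-Host "Share $SharePath is readable as $Domain\$User"

# 3. Encrypt the password with the node certificate so the manifest no longer carries it in
#    clear text: put the output into Password="..." and set PasswordEncrypted="true".
Import-Module ServiceFabric
$encrypted = Invoke-ServiceFabricEncryptText -Text $plainPw -CertStore `
    -CertThumbprint $CertThumbprint -StoreLocation LocalMachine -StoreName My
Write-Host "Encrypted password for <User ... Password=`"...`" PasswordEncrypted=`"true`" />:"
Write-Host $encrypted
```

Run it on each node type that can host the container, since the account must be valid and the share reachable from every node the service may be placed on. Step 3 only decrypts correctly on nodes that hold the private key of the certificate identified by the thumbprint, which is why the same certificate has to be deployed cluster-wide.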