
I'm working on getting an ASP.NET Core app running in Docker using gMSA. I've created a security group, created a gMSA, and created a credentials spec file using this article - https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-run-container

I'm using Integrated Security for SQL Server. Don't have a choice on this.

I'm starting my container with this command:

```
docker run --security-opt "credentialspec=file://mydomain_mygmsa.json" --hostname mygmsa -e ASPNETCORE_ENVIRONMENT=Development -p 5000:80 -d --user "NT AUTHORITY\NETWORK SERVICE" my-image
```

This is my docker build file:

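```dockerfile
# Build stage. The FROM line for the "base" stage is missing from the post;
# the .NET Core 3.1 SDK image is assumed here to match the 3.1 runtime below.
FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS base
WORKDIR /app

WORKDIR /src
COPY . .

WORKDIR /src/MyProject/
RUN dotnet publish -c Release -o /app

# Runtime stage: copy the published output from the build stage
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 as final

WORKDIR /app
COPY --from=base /app .
ENTRYPOINT ["dotnet", "MyProject.dll"]
```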

When I try to hit SQL Server, I get this error:

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Any ideas?

mccow002
  • Hi @mccow002, I'm encountering this issue now. Were you able to make progress? I was able to get things working separately using a Windows Server Core image with IIS enabled. – Coding101 Apr 07 '20 at 18:22
  • Not yet certain if this is the solution, but checking to see if changing `TrustedForDelegation` on the service account to True will solve the issue. Got the idea reading here: https://pisquare.osisoft.com/community/developers-club/blog/2018/09/17/container-kerberos-double-hop – Coding101 Apr 07 '20 at 21:12

0 Answers