We have the following setup in our infrastructure:

  • ASP.NET Core service running in a Windows container/pod running in Kubernetes on a domain-joined Windows host (we have tested with both nano and server-core images)
  • Followed the documentation on K8s for configuring gMSA for Windows containers/pods for domain-joined Windows hosts
  • SQL Server running on a separate domain-joined Windows host - SQL service is running under a different domain account

We have configured the gMSA account with SQL Server and with the target database and we can use the gMSA account to log in to this database and do all operations except with the one DB that has the one table with a FILESTREAM column. On that table, any attempt to access the FILESTREAM data via the C# SqlFileStream results in a System.ComponentModel.Win32Exception (53): The network path was not found.

I have found no documentation or articles or anything else around this specific use case. So can someone shed light on whether this is even supported, and what do I need to do to set this up correctly?

  • There is no way of knowing for sure without debugging, but it sounds like the client code is creating the path to where the file stream is stored, but it doesn't have the right permissions. The file stream is not stored in the database file, it's stored somewhere in the NTFS file system on the server. I believe that only the SQL Server account has permission to access those files. Try logging into the database as sa and see if your error goes away. – BillRuhl Jul 06 '22 at 21:50
  • SQL FILESTREAM requires Windows authentication as per MS docs so sa login will not work at all by design. The gMSA account can access the NTFS file system on the server - we can access the actual NTFS file share from within the container. The path SQL server wants us to use is a virtualized SMB share handled by SQL Server and that is denying access to the gMSA account. I already know all this - my question was is this supported or not? Do you have any concrete documentation you can point me to? – Himanshu Swami Jul 06 '22 at 22:25
  • Before going down this path, you do know you can access the data as a VARBINARY(MAX) with the TSQL API https://learn.microsoft.com/en-us/sql/relational-databases/blob/filestream-sql-server?view=sql-server-ver16#transact-sql-access instead of the Win32 File API, right? And why are you connecting with a gMSA, is it the IIS App Domain identity? Have you tested with other Windows identities? And SQL Server is _not_ running in a container, right? – David Browne - Microsoft Jul 06 '22 at 23:38
  • [dup on MS Q&A](https://learn.microsoft.com/en-us/answers/questions/917214/how-to-make-kubernetes-containerpod-running-as-gms.html) – SMor Jul 07 '22 at 00:13
  • I added the question to MS Q&A in hopes of getting a MS support agent ... that was suggested as the only way available to create a ticket with MS. Using TSQL instead of Win32 for accessing FILESTREAM data is not recommended for large files - and my use case is for large files. We are using gMSA because this is an ASP.NET Core web app running in a container as a console app - so no IIS just Kestrel - and the container and domain-joined host are configured to use gMSA because it is impractical to domain-join the container. Also, SQL Server is _not_ running in a container. – Himanshu Swami Jul 07 '22 at 11:28
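The two FILESTREAM access paths discussed in the question and the comments, side by side, as an added example (this is not the asker's code or Microsoft's sample code). It assumes a hypothetical table `dbo.Documents(Id UNIQUEIDENTIFIER ROWGUIDCOL, Content VARBINARY(MAX) FILESTREAM)`, a connection string using integrated security so that the pod's gMSA identity is presented to SQL Server, and that it runs on Windows with the `Microsoft.Data.SqlClient` package (`SqlFileStream` is Windows-only). The Win32 path is the one that fails in the question with error 53; the T-SQL path is the alternative David Browne points to, which never touches SQL Server's SMB endpoint.

```csharp
// Added example, not from the question or any comment.
// Assumed schema: dbo.Documents(Id UNIQUEIDENTIFIER ROWGUIDCOL, Content VARBINARY(MAX) FILESTREAM).
using System;
using System.ComponentModel;
using System.Data;
using System.IO;
using Microsoft.Data.SqlClient;

public static class FileStreamAccess
{
    // Win32 path: SqlFileStream needs (a) an open transaction, (b) the logical UNC path that
    // PathName() returns, and (c) the transaction context from
    // GET_FILESTREAM_TRANSACTION_CONTEXT(). The UNC path is served by SQL Server's own SMB
    // endpoint, so the *client's* Windows identity, not just its SQL login, has to be
    // accepted there. Error 53 (ERROR_BAD_NETPATH) is raised by the SMB open, before any
    // data is transferred, and database-level grants do not influence it.
    public static void CopyViaWin32(string connectionString, Guid id, Stream destination)
    {
        using var conn = new SqlConnection(connectionString);
        conn.Open();
        using var tx = conn.BeginTransaction();
        using var cmd = new SqlCommand(
            "SELECT Content.PathName(), GET_FILESTREAM_TRANSACTION_CONTEXT() " +
            "FROM dbo.Documents WHERE Id = @id", conn, tx);
        cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier).Value = id;

        string path;
        byte[] txContext;
        using (var reader = cmd.ExecuteReader())
        {
            if (!reader.Read() || reader.IsDBNull(0))
                throw new InvalidOperationException("Row not found or Content is NULL (no FILESTREAM file).");
            path = reader.GetString(0);
            txContext = (byte[])reader[1];
        }

        try
        {
            // Close the file handle before committing; the handle is only valid inside the transaction.
            using (var fs = new SqlFileStream(path, txContext, FileAccess.Read))
            {
                fs.CopyTo(destination);
            }
            tx.Commit();
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == 53)
        {
            // Surface the exact path so the failure can be correlated with the SQL Server host's
            // logs instead of guessed at. The local account name inside a gMSA container is not
            // the network identity that was presented, so it is deliberately not reported here.
            throw new IOException($"FILESTREAM open failed for '{path}' (Win32 error 53, network path not found).", ex);
        }
    }

    // T-SQL path: read the same column as VARBINARY(MAX) over the ordinary TDS connection.
    // No SMB, no transaction context. SequentialAccess plus GetStream() streams the value
    // instead of materialising it in one byte[]; the comment thread still considers this
    // path unsuitable for very large files, so it is shown here as the fallback, not the fix.
    public static void CopyViaTsql(string connectionString, Guid id, Stream destination)
    {
        using var conn = new SqlConnection(connectionString);
        conn.Open();
        using var cmd = new SqlCommand("SELECT Content FROM dbo.Documents WHERE Id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier).Value = id;
        using var reader = cmd.ExecuteReader(CommandBehavior.SequentialAccess);
        if (!reader.Read() || reader.IsDBNull(0))
            throw new InvalidOperationException("Row not found or Content is NULL.");
        using var blob = reader.GetStream(0);
        blob.CopyTo(destination);
    }
}
```

If `CopyViaTsql` succeeds for the same row and connection string while `CopyViaWin32` throws error 53, the SQL login and database permissions are not the problem; the failure is confined to the SMB open of the path returned by `PathName()`, which is the situation the question describes.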

0 Answers