Integrating Windows Authentication in Docker Container ASP.NET App


Problem description

I've created a container from the microsoft/aspnet repository. I want to containerize an ASP.NET 4.x web app within IIS in which I'm able to obtain the logged in user accessing the site. I want to be able to leverage the integrated Windows authentication since this is an internal application.

I've created a transparent network to the container host.

In addition, I've setup Windows authentication on the IIS within the container. I've read about creating a Group Managed Service Account on the container host but I've not done this yet and not sure if this is enough or I'd have to take further steps.

Recommended answer

Creating a Group Managed Service Account (gMSA) is only one of the steps you need to take in order to get Windows Authentication to work with the container. You'll also need a Credential Spec, which contains information about the gMSA you create, and will be used by the container to swap the gMSA account for the built-in accounts (LocalSystem, NetworkService, ApplicationPoolIdentity) used by your application's app pool.

Really, the minimum steps are:

1) Create an AD Group that you can use to add the machines that will be used to host your containers.

PS> New-ADGroup "Container Hosts" -GroupScope Global
PS> $group = Get-ADGroup "Container Hosts"
PS> $hostComputer = Get-ADComputer "mydockerhostmachine"   # $host is a read-only automatic variable in PowerShell, so use another name
PS> Add-ADGroupMember $group -Members $hostComputer

2) Create your gMSA account to be used for your app:

PS> New-ADServiceAccount -name myapp -DNSHostName myapp.mydomain.local -ServicePrincipalNames http/myapp.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword "Container Hosts"

The value for PrincipalsAllowedToRetrieveManagedPassword should be the name of the AD group you created in step 1.

3) Then, on each container host:

a. Install the Powershell Active Directory module and test to see that you're able to use the gMSA from the host:

PS> Add-WindowsFeature RSAT-AD-PowerShell
PS> Import-Module ActiveDirectory
PS> Install-AdServiceAccount myapp
PS> Test-AdServiceAccount myapp

b. Install the Credential Spec Powershell module and create a credential spec:

PS> Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1 -OutFile CredentialSpec.psm1
PS> Import-Module .\CredentialSpec.psm1
PS> New-CredentialSpec -Name myapp -AccountName myapp

c. Now, if everything was configured correctly, you can then run your container with this credential spec:

docker run --security-opt "credentialspec=file://myapp.json" -d -p 80:80 -h myapp.mydomain.local [my-image-name:tag]

One thing to keep in mind with the above - make sure the Service Principal Name you use when creating the gMSA matches the hostname (-h argument) of the container. Otherwise, you'll have issues if your application uses Windows Authentication to access other domain resources or services (e.g., SQL Server). Also, if you are going to access other resources like SQL Server, make sure to also give the appropriate permissions to the gMSA account to those services.

Lastly, when creating your Dockerfile, don't try to assign the gMSA account directly to your app pool. Use one of the built-in accounts and let the engine swap out the account in the container for you. In other words, your app pool creation in your Dockerfile should look a little something like this:

RUN Import-Module WebAdministration; `
    New-Item -Path IIS:\AppPools\MyAppPool; `
    Set-ItemProperty -Path IIS:\AppPools\MyAppPool -Name managedRuntimeVersion -Value 'v4.0'; `
    Set-ItemProperty -Path IIS:\AppPools\MyAppPool -Name processModel -value @{identitytype='ApplicationPoolIdentity'}
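The answer above lists several conditions that must all hold before `docker run` with a credential spec will work (the host is in the gMSA's retrieval group, the host can retrieve the password, the SPN matches the container's `-h` hostname, the credential spec references the gMSA). The following pre-flight script, added here as an illustration and not part of the original answer, checks each of those on a container host before starting the container. It reuses the answer's sample names (`myapp`, `Container Hosts`, `myapp.mydomain.local`) and assumes the credential spec was written to Docker's default `CredentialSpecs` directory with the JSON layout produced by `CredentialSpec.psm1` (`ActiveDirectoryConfig.GroupManagedServiceAccounts[].Name`); both of those are assumptions, not facts stated in the answer.

```powershell
# Added example (not from the original answer): pre-flight checks for a gMSA-backed
# container on a Windows container host. Run it in an elevated PowerShell session on
# the host, with the RSAT AD module installed, before `docker run --security-opt ...`.
param(
    [string]$AccountName   = 'myapp',                  # gMSA name from step 2
    [string]$HostGroup     = 'Container Hosts',        # AD group from step 1
    [string]$ContainerHost = 'myapp.mydomain.local',   # value passed to docker run -h
    # Assumed default location Docker reads credential specs from (file://<name>.json)
    [string]$CredSpecPath  = "$env:ProgramData\Docker\CredentialSpecs\$AccountName.json"
)

Import-Module ActiveDirectory -ErrorAction Stop
$problems = New-Object System.Collections.Generic.List[string]

# 1. Is this machine in the group named in PrincipalsAllowedToRetrieveManagedPassword?
$me      = Get-ADComputer -Identity $env:COMPUTERNAME
$members = Get-ADGroupMember -Identity $HostGroup -Recursive |
           Select-Object -ExpandProperty DistinguishedName
if ($members -notcontains $me.DistinguishedName) {
    $problems.Add("Host $($me.Name) is not a member of '$HostGroup'; password retrieval will fail.")
}

# 2. Does the gMSA allow that group, and can this host actually retrieve its password?
$gmsa  = Get-ADServiceAccount -Identity $AccountName `
             -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
$group = Get-ADGroup -Identity $HostGroup
if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -notcontains $group.DistinguishedName) {
    $problems.Add("'$HostGroup' is not in PrincipalsAllowedToRetrieveManagedPassword of $AccountName.")
}
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    $problems.Add("Test-ADServiceAccount $AccountName failed here; run Install-ADServiceAccount $AccountName first.")
}

# 3. Does an SPN on the gMSA match the hostname the container will get? Kerberos clients
#    request tickets for http/<hostname>, so a mismatch breaks Kerberos to the site and
#    any onward access (e.g. SQL Server) the app makes with the swapped-in identity.
$expectedSpn = "http/$ContainerHost"
if (-not ($gmsa.ServicePrincipalNames | Where-Object { $_ -ieq $expectedSpn })) {
    $problems.Add("gMSA $AccountName has no SPN '$expectedSpn' (present: $($gmsa.ServicePrincipalNames -join ', ')).")
}

# 4. Does the credential spec exist and name this gMSA? (JSON layout assumed from the
#    CredentialSpec.psm1 output.)
if (-not (Test-Path $CredSpecPath)) {
    $problems.Add("Credential spec not found at $CredSpecPath.")
} else {
    $spec  = Get-Content $CredSpecPath -Raw | ConvertFrom-Json
    $names = $spec.ActiveDirectoryConfig.GroupManagedServiceAccounts | ForEach-Object { $_.Name }
    if ($names -notcontains $AccountName) {
        $problems.Add("Credential spec $CredSpecPath does not list gMSA '$AccountName' (found: $($names -join ', ')).")
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All checks passed. Start the container with:" -ForegroundColor Green
    Write-Host "docker run --security-opt `"credentialspec=file://$AccountName.json`" -d -p 80:80 -h $ContainerHost <image:tag>"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Each failed check prints a warning naming the step of the answer it corresponds to, so the script doubles as a troubleshooting checklist when Windows Authentication works on the host but not inside the container.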

