Domain account to connect to SQL Server from a Windows Container

  • Question

  • Hi,

    I have a web application that I want to run in a container. This web application connects to a SQL Server database hosted on another server in our organization. To connect to it, only AD domain accounts can be used (i.e. Windows Integrated Auth). Is this possible from inside a container? I mean, the container itself is not domain joined (not supported in containers), so how should it be able to use Windows Integrated Auth? It is the same when the application connects to a WebSphere MQ queue manager. Here a domain account must also be used.


    TR

    Thursday, November 3, 2016 12:16 PM

Answers

  • There is an example in the documentation on how to run an AD account in a container that may help.

    https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_serviceaccounts

    • Proposed as answer by TRoine Tuesday, November 8, 2016 7:58 PM
    • Marked as answer by Thomas_R Tuesday, November 8, 2016 7:59 PM
    Tuesday, November 8, 2016 12:45 PM

All replies

  • A similar issue happens when a domain user is used with both COM+ and Distributed Transaction Coordinator. Both return a message similar to "user is not found". Yet the user exists and the network connection is not a problem.

    Are there settings that we missed? Help will be appreciated.

    Thank you in advance.


    Friday, November 4, 2016 1:32 PM
  • There is an example in the documentation on how to run an AD account in a container that may help.

    https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_serviceaccounts

    Thanks! Seems like a gMSA is the way to go. The example shows it works for SQL Server if the gMSA is added as a login in SQL Server. Not sure this is possible to do in a WebSphere MQ server. I will ask the WMQ team about this.

    Do you know if it is possible to impersonate your code as a gMSA in the same way you can do with a domain account? When we connect to WMQ we normally impersonate the code that makes the WMQ call.



    TR

    Tuesday, November 8, 2016 8:00 PM
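
The gMSA approach discussed in this thread, as an added example that is not part of the original posts or the linked documentation. The domain CONTOSO, account WebApp01, group ContainerHosts, host HOST01, server sql01, database AppDb and image my-web-app are hypothetical; it assumes a KDS root key already exists in the forest and that the ActiveDirectory, CredentialSpec and SqlServer PowerShell modules are available.

```powershell
# All names (CONTOSO, WebApp01, ContainerHosts, HOST01, sql01, AppDb, my-web-app) are hypothetical.

# 1. In the domain (ActiveDirectory module): create the gMSA and restrict password
#    retrieval to a group that contains only the domain-joined container hosts.
Import-Module ActiveDirectory
New-ADGroup -Name 'ContainerHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'ContainerHosts' -Members 'HOST01$'
New-ADServiceAccount -Name 'WebApp01' `
    -DNSHostName 'webapp01.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ContainerHosts'

# 2. On the container host: verify the host can actually use the account.
#    New group membership is only picked up after the host reboots.
Install-ADServiceAccount -Identity 'WebApp01'
if (-not (Test-ADServiceAccount -Identity 'WebApp01')) {
    throw 'Host cannot use gMSA WebApp01; check ContainerHosts membership and reboot.'
}

# 3. Generate the credential spec file that Docker passes to the container.
#    It holds account metadata only, never the password.
Install-Module CredentialSpec -Scope CurrentUser
$spec = New-CredentialSpec -AccountName 'WebApp01'

# 4. Start the container with the gMSA identity. The container itself is not
#    domain joined; processes running as LocalSystem or NetworkService inside it
#    authenticate to the network as CONTOSO\WebApp01$.
docker run -d `
    --security-opt "credentialspec=file://$($spec.Name)" `
    --hostname webapp01 `
    my-web-app

# 5. On SQL Server (as a SQL admin): add the gMSA as a Windows login and grant
#    only what the application needs (read-only here).
$sql = @'
CREATE LOGIN [CONTOSO\WebApp01$] FROM WINDOWS;
USE AppDb;
CREATE USER [CONTOSO\WebApp01$] FOR LOGIN [CONTOSO\WebApp01$];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\WebApp01$];
'@
Invoke-Sqlcmd -ServerInstance 'sql01.contoso.com' -Query $sql

# The application then connects with integrated authentication, for example:
#   Server=sql01.contoso.com;Database=AppDb;Integrated Security=SSPI
```

Anyone who can start containers on a host in ContainerHosts can run code as the gMSA, so keep that group and Docker access on those hosts tightly scoped.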