IIS Windows Authentication

  • Question

  • Hello everyone,

    I need help on this.

    I followed this article: https://artisticcheese.wordpress.com/2017/09/09/enabling-integrated-windows-authentication-in-windows-docker-container/

    But the strange thing is that if I access the container, it recognizes the domain and even lets me add users from the domain to the container, but IIS is still asking me for credentials.

    Any ideas?


    Best regards,

    Sunday, March 18, 2018 3:55 PM

Answers

  • Hello,

    Sorry for the late reply.

    Yes, after many coffees :)

    In the end, we had to insert the DNS servers in the network settings of the container in order to validate the domain.

    Many thanks for all the help!

    • Marked as answer by llongshot00 Wednesday, April 4, 2018 5:43 PM
    Wednesday, April 4, 2018 5:43 PM

All replies

  • Make sure your issue is not browser related, since IE will prompt for credentials unless the site is in a zone which allows passing those automatically.
    Sunday, March 18, 2018 5:51 PM
  • When you say "in zone", what do you mean? The security settings?

    Can you give me an example? 

    Best regards,



    Sunday, March 18, 2018 6:51 PM
  • Yes, IE by default will not send your login credentials unless your server is identified in a trusted zone. The bigger question is whether it works if you put in the correct username/password. If the issue is only no automatic login, then the issue is with the zone where your server is located; if manually putting in the username/password does not work, then the issue is with something else.
    Sunday, March 18, 2018 6:53 PM
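    The zone behaviour described in the reply above, as an added example that is not from the thread or the blog author's image: a PowerShell snippet for the client machine that reads IE's "Logon" policy per zone and maps the container's host name into the Local intranet zone. The host name `containerhost.ad.local` is an assumption taken from the credential spec posted later in the thread.

    ```powershell
    # Added example, not from the thread. Run on the Windows client that runs IE.
    # Assumes the site is reached as http://containerhost.ad.local (assumed name).

    $ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    # Meaning of the 1A00 ("Logon") value in each zone key.
    $Logon = @{ 0       = 'automatic logon with current credentials'
                0x10000 = 'prompt for user name and password'
                0x20000 = 'automatic logon only in Intranet zone'
                0x30000 = 'anonymous logon' }

    function Get-IeLogonPolicy {
        # Zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet.
        foreach ($zone in 1, 2, 3) {
            $v = (Get-ItemProperty -Path "$ZonesKey\$zone" -Name 1A00 -ErrorAction SilentlyContinue).'1A00'
            [pscustomobject]@{
                Zone  = $zone
                Logon = if ($null -ne $v) { $Logon[[int]$v] } else { 'not set (default applies)' }
            }
        }
    }

    function Add-IeIntranetSite {
        # IE puts dotted host names and raw IP addresses in the Internet zone unless they are
        # mapped, so http://containerhost.ad.local prompts even when the Intranet zone says
        # "automatic logon". Mapping the name to zone 1 fixes that for this user profile.
        param([string]$Domain = 'ad.local', [string]$HostName = 'containerhost')
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostName"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name http -PropertyType DWord -Value 1 -Force | Out-Null   # 1 = Local intranet
        Get-ItemProperty -Path $key
    }

    Get-IeLogonPolicy | Format-Table -AutoSize
    Add-IeIntranetSite
    ```

    If the Intranet zone already reports automatic logon and the site is mapped into it yet IE still prompts, the prompt is not a zone problem and the server-side checks later in the thread apply.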
  • I checked the security settings and it's on automatic logon.

    And if I manually put in the password and user correctly it's still asking me for credentials until I get the message:

    401 - Unauthorized: Access is denied due to invalid credentials

    But if I put the wrong password several times, the account will be locked out...



    Sunday, March 18, 2018 7:05 PM
  • You will have to examine log on both IIS server and domain controller to see what exact issue is. I assume you tried to prepend name with domain\ etc as well?
    Sunday, March 18, 2018 7:07 PM
  • Can you clarify with "prepend name with domain" ?

    On the domain controllers I don't get any error logs. On the contrary, I get the message that the machine fetched the password of the gMSA successfully.

    The IIS logs I still need to check.



    Sunday, March 18, 2018 7:16 PM
  • Like in my blog, put `AD\gregory` to name instead of just `gregory`
    Sunday, March 18, 2018 7:18 PM
  • Yes. 

    I put it on both scenarios.

    By name, from another host domain joined machine and by IP from a host domain joined machine and also inside the host.

    Sunday, March 18, 2018 7:29 PM
  • I meant if you put in username field "domainname\accountname" as opposed just putting "username" there. 
    Sunday, March 18, 2018 7:32 PM
  • Yes, i put that way
    Sunday, March 18, 2018 7:36 PM
  • So you do get a successful login logged on the domain controller with your account name and the name of your container host on the Active Directory domain controller?

    Did you use my image for testing or your own?

    Sunday, March 18, 2018 7:38 PM
  • No, I don't have any successful logins....

    And I created a domain from scratch (DC01 and DOCKER01) and I only used your image for test purposes...

    Sunday, March 18, 2018 7:43 PM
  • First inspect Event Logs on your IIS container (Get-WinEvent) and if nothing obvious there I suggest use exact names for everything what I have in blog to make sure you did not miss any steps or unexpected results.

    Sunday, March 18, 2018 7:47 PM
  • Hello,

    The logs are full of "garbage" and I will need a long time to filter them, but at first look I got this:

    "The WinHttpAutoProxySvc service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following"

    Is it normal?

    Sunday, March 18, 2018 8:00 PM
  • Not sure if it's normal or not, never seen it before. You just need to look at Security Log right at the time when you tried to login. It shall log event with failed login.
    Sunday, March 18, 2018 8:05 PM
  • First inspect Event Logs on your IIS container (Get-WinEvent) and if nothing obvious there I suggest use exact names for everything what I have in blog to make sure you did not miss any steps or unexpected results.

    I already did that but with the same result. I don't know if the DC and Docker host being updated Server 2016 can contribute to this outcome...
    Sunday, March 18, 2018 8:05 PM
  • If you login to docker via `docker exec` and execute `nltest /parentdomain` it shall inform you if you are correctly connected to AD via GMSA.
    Sunday, March 18, 2018 8:08 PM
  • Yes, it says that I'm connected to AD and also `net config workstation` gives me the expected result... I can manage the container as if it is on the domain, but IIS is another subject.

    I already tried another test with another IIS site and the outcome is the same


    Sunday, March 18, 2018 8:14 PM
  • Check security event log inside IIS container. Also try to authenticate with local user "containeradmin" and password "A123456!"
    Sunday, March 18, 2018 8:18 PM
  • That's strange....no events registered if I run Get-WinEvent -LogName security after I tried a login
    Sunday, March 18, 2018 8:21 PM
  • Try to login with local account I mentioned.
    Sunday, March 18, 2018 8:23 PM
  • I tried with the account you mentioned and the result was the same.

    Just to confirm:

    I tried with "hostmachine\containeradmin"  "ipaddresscontainer\containeradmin"

    Sunday, March 18, 2018 8:55 PM
  • Don't put any name in, just "containeradmin"
    Sunday, March 18, 2018 8:56 PM
  • Just for info:

    when i run whoami on container i got the result:

    user manager\containeradministrator

    Sunday, March 18, 2018 9:00 PM
  • Yes, I know. ContainerAdmin account is added as part of my docker image with password specified.
    Sunday, March 18, 2018 9:01 PM
  • It's still not working, but maybe because by default the prompt is looking for that user on the domain I configured
    Sunday, March 18, 2018 9:10 PM
  • Well, the bigger issue here is that you are not getting event logs in Security. You shall be getting events from any failed or successful login

    Sunday, March 18, 2018 9:14 PM
  • I used this article to output the security log:

    https://blogs.msdn.microsoft.com/containerstuff/2017/08/18/using-the-windows-eventviewer-gui-to-view-eventlogs-in-containers/ 

    And no errors or warnings are registered there

    Sunday, March 18, 2018 9:26 PM
  • Security event log will not contain warnings or errors, it will contain success and failure audits. Use Get-WinEvent -LogName Application instead to examine it
    Sunday, March 18, 2018 9:32 PM
  • The same with the application log...
    Sunday, March 18, 2018 9:34 PM
  • Sorry, I meant you need to take a look at security event log Get-WinEvent -LogName Security
    Sunday, March 18, 2018 9:39 PM
  • You need to enable failure to be logged, I will reimage my container to add it to image, for now login to your container and execute `Auditpol /set /category:"Logon/Logoff" /Success:enable /failure:enable`

    And then try. You shall see failure recorded

    Sunday, March 18, 2018 9:48 PM
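    The auditing step above, as an added example that is not from the thread or the blog author's image: a PowerShell snippet to run inside the IIS container that enables failure auditing and then decodes recent 4624/4625 Security events into one table, so a failed Windows Authentication attempt can be attributed to a concrete NTSTATUS reason. The NTSTATUS table and the 30-minute window are my additions; the field names are those of the event XML schema.

    ```powershell
    # Added example, not from the thread. Run inside the IIS container
    # (docker exec -it <id> powershell). Needs auditpol.exe and the Security log,
    # both present in the windowsservercore-based image discussed above.

    # 1. Containers audit logon success only by default; failures must be switched on,
    #    otherwise a rejected Windows Auth attempt against IIS leaves no trace at all.
    auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable | Out-Null
    auditpol /get /category:"Logon/Logoff"

    # 2. NTSTATUS codes seen in the Status / Sub Status fields of event 4625.
    $Reasons = @{
        '0xc000006d' = 'STATUS_LOGON_FAILURE (see Sub Status for the real cause)'
        '0xc0000064' = 'STATUS_NO_SUCH_USER (name not found where it was looked up; often a missing DOMAIN\ prefix)'
        '0xc000006a' = 'STATUS_WRONG_PASSWORD'
        '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
        '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
        '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
        '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED (missing "Access this computer from the network" right)'
        '0xc000005e' = 'STATUS_NO_LOGON_SERVERS (no DC reachable; look at DNS and the secure channel)'
    }

    function Get-ContainerLogonEvents {
        param([int]$Minutes = 30)   # window size is an arbitrary choice for this example
        $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # EventData fields are stable by name in the XML, so read those rather than
            # regexing the rendered Message text.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            # Only 4625 carries Status/SubStatus; SubStatus is the specific reason when non-zero.
            $code = if ($d.SubStatus -and $d.SubStatus -ne '0x0') { $d.SubStatus } else { $d.Status }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Event     = if ($_.Id -eq 4624) { 'success' } else { 'FAILURE' }
                User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                LogonType = $d.LogonType                   # 3 (network) is what IIS Windows Auth produces
                Package   = $d.AuthenticationPackageName   # Kerberos needs the SPN; NTLM does not
                Source    = '{0} {1}' -f $d.WorkstationName, $d.IpAddress
                Code      = $code
                Reason    = if ($code) { $Reasons[$code.ToLower()] } else { '' }
            }
        }
    }

    # Reproduce the failure in the browser, then:
    Get-ContainerLogonEvents | Sort-Object Time | Format-Table -AutoSize
    # No rows at all while the browser still gets a 401 means the request is not
    # reaching this container (or auditing did not take effect), not that the
    # credentials are wrong.
    ```

    A 4625 with an empty `TargetDomainName` and package NTLM is what a bare `username` (without the `DOMAIN\` prefix mentioned earlier in the thread) produces; `0xc000005e` or a missing `Source` address point at the container's path to the DC rather than at the account.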
  • No issues there too.

    I only have information messages and no errors or warnings, for instance:

    An account was successfully logged on.

    Subject:
    Security ID: SYSTEM
    Account Name: containerhost$


    Sunday, March 18, 2018 9:48 PM
  • Check my last message. By default it does not record failures. 
    Sunday, March 18, 2018 9:50 PM
  • This is getting funny....

    No logon successful or failed...

    Sunday, March 18, 2018 10:06 PM
  • I updated my image, so please get latest version.

    I don't think you are hitting the correct IIS server. Here is what is being logged when I try to hit my container with wrong credentials:

    PS C:\app> Get-EventLog -Index 673 -LogName Security | fl *
    
    
    EventID            : 4625
    MachineName        : 91dd1c341a70
    Data               : {}
    Index              : 673
    Category           : (12544)
    CategoryNumber     : 12544
    EntryType          : FailureAudit
    Message            : An account failed to log on.
    
                         Subject:
                            Security ID:            S-1-0-0
                            Account Name:           -
                            Account Domain:         -
                            Logon ID:               0x0
    
                         Logon Type:                        3
    
                         Account For Which Logon Failed:
                            Security ID:            S-1-0-0
                            Account Name:           test
                            Account Domain:
    
                         Failure Information:
                            Failure Reason:         %%2313
                            Status:                 0xc000006d
                            Sub Status:             0xc0000064
    
                         Process Information:
                            Caller Process ID:      0x0
                            Caller Process Name:    -
    
                         Network Information:
                            Workstation Name:       CND70637PKZBOOK
                            Source Network Address: 172.29.112.1
                            Source Port:            2356
    
                         Detailed Authentication Information:
                            Logon Process:          NtLmSsp
                            Authentication Package: NTLM
                            Transited Services:     -
                            Package Name (NTLM only):       -
                            Key Length:             0

    Sunday, March 18, 2018 10:12 PM
  • I will update it:

    For info:

    The IIS Logs gave me this:

    2018-03-18 22:05:18 xxx.xx.xx.xx  GET / - 80 - xx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 1 3221422092 5

    Just to rule it out.

    The SPN is HTTP/containerhost.ad.com right?

    Sunday, March 18, 2018 10:18 PM
  • Yes, SPN is not needed unless you use Kerberos, NTLM does not require it. Also you shall receive failure logon as well as per earlier statement in EventLog which will have more details about origin of failure.
    Sunday, March 18, 2018 10:31 PM
  • But if i use NTLM do i need the SPN?
    Sunday, March 18, 2018 10:36 PM
  • No, you don't need an SPN, it shall fall back to NTLM in that case. It does not really matter for your scenario though, since you shall be getting a failed login event in the Security Log, which you don't, which tells me something is not right with the container
    Sunday, March 18, 2018 10:39 PM
  • You are right.

    I still don't get it. I use your image and follow the instructions. The gMSA is being used correctly because I get an event that the account is being fetched successfully, but somehow authentication is not working. 

    But if I use a SQL Server image i can connect from another machine to the SQL container with my credentials...

    For me it's very weird :P

    Sunday, March 18, 2018 10:50 PM
  • Hello. Just to check it. Can you give me an example of the content of the credential file?

    Monday, March 19, 2018 8:09 PM
  • Here is contents of my file.

    {
        "CmsPlugins":  [
                           "ActiveDirectory"
                       ],
        "DomainJoinConfig":  {
                                 "Sid":  "S-1-5-21-925333917-1256851338-387093322",
                                 "MachineAccountName":  "containerhost",
                                 "Guid":  "52ffef55-5e92-4f58-ad1c-046c7b9ff9aa",
                                 "DnsTreeName":  "ad.local",
                                 "DnsName":  "ad.local",
                                 "NetBiosName":  "AD"
                             },
        "ActiveDirectoryConfig":  {
                                      "GroupManagedServiceAccounts":  [
                                                                          {
                                                                              "Name":  "containerhost",
                                                                              "Scope":  "ad.local"
                                                                          },
                                                                          {
                                                                              "Name":  "containerhost",
                                                                              "Scope":  "AD"
                                                                          }
                                                                      ]
                                  }
    }
    

    Monday, March 19, 2018 8:14 PM
  • Did you figure this out in the end?
    Sunday, March 25, 2018 1:18 AM
  • That's strange, since the default DNS server of the container will rely on the internal DNS of Docker, which in turn relies on your OS to resolve names. Are your host OS DNS servers different from the ones you put into the container?
    Wednesday, April 4, 2018 5:51 PM
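    The DNS fix the thread ends on, and the `nltest` check suggested earlier, as an added example that is not from the thread or the blog author's image: a host-side `docker run` showing where the DC's address goes, and an in-container PowerShell function that reports whether the container can actually locate and reach a domain controller by name before IIS is blamed. The domain `ad.local` and gMSA `containerhost` are taken from the credential spec posted above; the DC address, the image tag and the `--hostname` choice are assumptions.

    ```powershell
    # Added example, not from the thread. Names follow the posted credential spec
    # (domain ad.local, gMSA containerhost); the DC address and image tag are placeholders.

    # --- on the container host: start the container with the DC as its resolver ---
    #   docker run -d -p 80:80 --hostname containerhost `
    #       --security-opt "credentialspec=file://containerhost.json" `
    #       --dns 10.0.0.10 my-iis-image
    #   (--hostname equal to the gMSA name is an assumption made here so that the
    #    HTTP/containerhost SPN lines up with the account; NTLM works without it.)

    # --- inside the container: docker exec -it <id> powershell ---
    function Test-ContainerDomainReadiness {
        param([string]$Domain = 'ad.local')
        $r = [ordered]@{}

        # 1. Which resolvers the container actually has. If this lists only Docker's
        #    internal resolver and the host cannot resolve the AD zone, everything below fails.
        $r.DnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique) -join ', '

        # 2. Locating a DC is an SRV lookup; this is what "validating the domain" means in practice.
        $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'SRV')
        $r.DcSrvRecords = ($srv | ForEach-Object NameTarget) -join ', '

        # 3. Netlogon's view: membership via the gMSA, the DC locator, and the secure channel.
        $r.ParentDomain  = (nltest /parentdomain 2>&1 | Out-String).Trim()
        $r.DcLocator     = (nltest "/dsgetdc:$Domain" 2>&1 | Out-String).Trim()
        $r.SecureChannel = (nltest "/sc_query:$Domain" 2>&1 | Out-String).Trim()

        # 4. Ports a Windows Auth logon from IIS needs on the DC: 88 (Kerberos), 389 (LDAP),
        #    445 (SMB, carrying the Netlogon channel used for NTLM pass-through).
        #    Only meaningful if step 2 found a DC.
        if ($srv.Count -gt 0) {
            $dc = $srv[0].NameTarget
            foreach ($port in 88, 389, 445) {
                $r["${dc}:$port"] = (Test-NetConnection -ComputerName $dc -Port $port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
            }
        }
        [pscustomobject]$r
    }

    Test-ContainerDomainReadiness | Format-List
    ```

    `nltest /parentdomain` succeeding while `DcSrvRecords` is empty is the state described in the thread: the gMSA password was fetched at container start, but later lookups needed to authenticate a user cannot find a DC by name, which is why adding the DC as the container's DNS server resolved it.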