Security and networking within a Windows Container to the outside world

  • Question

  • Is there any word/documentation on how identity/authentication is supposed to work inside a container? In one specific example, I have a bunch of machines in a workgroup (poor man's demo w/o a domain). We created a bunch of local users with the same usernames/passwords across the environment to get auth working.

    Then I created a new container host using the template, created a container, and then created a user inside the container with net user... When I tried to hit an IIS endpoint on another workgroup box, though, I kept getting 401s. The user was set as the service account with sc config (and had local admin in the container along with logon-as-service rights).

    All of the hosts in the demo set had a local admin account (let's say admin). This account was on the container host too but not in the container. I created a matching user in the host (admin) and then the same in the container, assigned that to the service process and things worked.

    So that leaves me with a bunch of integrated auth type of questions with containers:

    1. Should I be able to create a user in a container with the same username/password as others in the work group and have windows auth work right?
    2. Would a container be domain joined? What if the service in the container needs to run as a domain user account for auth? What would that look like as multiple instances of that container all share the same host name? What does that mean for the computer secret?

    When I do an enter-pssession -containername foo -RunAsAdministrator, I'm in the container as nt authority\system. That's not super helpful if I want to run as a specific user in that container.

    If I omit the -RunAsAdministrator, I'm running as nt authority\local service.

    I don't currently see a way to get a session running as a different user as the credential option isn't available for -containername.

    There are a few things that I'm trying to accomplish:
    I'd like to xcopy files from a network share into the container. Not sure if this is the best way or not to get files into the container as part of a "build/config" stage. Having a valid network credential is key here.

    All this comes down to questions around how security works inside the container and how it translates externally.

    In general, how are auth, service identities, et al. supposed to work from within a container to a called service that uses Windows auth?

    Tuesday, December 15, 2015 10:06 PM
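The following PowerShell script is an added example, not code from the original post, showing one way to handle the "xcopy files from a network share into the container" step without giving the container any network credential at all: the container host authenticates to the share with an explicit workgroup credential, pulls the files to a local staging directory, and then pushes them into the container over a PowerShell Direct session. The container name `foo`, the share `\\fileserver\build`, the account `admin`, and the paths are assumptions for illustration. It uses `-ContainerName` because that is the parameter the post uses; on later container builds the session cmdlets take `-ContainerId` (the Docker container ID) instead, so adjust that one parameter for your release.

```powershell
# Added example (not from the original post): stage files from a network share
# into a Windows container by letting the HOST hold the network credential and
# then pushing the files through a PowerShell Direct session. The container never
# needs an identity that the file server would accept.
#
# Assumptions (not from the page): container 'foo', share \\fileserver\build,
# a workgroup account 'admin' that exists on the file server, and C:\stage\build
# as scratch space on the host.

$containerName = 'foo'
$share         = '\\fileserver\build'
$staging       = 'C:\stage\build'   # scratch directory on the container host
$destination   = 'C:\app'           # target directory inside the container

# 1. Authenticate to the share from the host with an explicit credential.
#    In a workgroup this is the matching local username/password that also
#    exists on the file server.
$cred = Get-Credential -UserName 'admin' -Message 'Account that exists on the file server'
New-PSDrive -Name B -PSProvider FileSystem -Root $share -Credential $cred -Scope Script | Out-Null

# 2. Pull the files to the host. The host owns the network credential here;
#    nothing in the container has to authenticate to the file server.
New-Item -ItemType Directory -Path $staging -Force | Out-Null
Copy-Item -Path 'B:\*' -Destination $staging -Recurse -Force
Remove-PSDrive -Name B

# 3. Open a session into the container and push the files through it.
#    -RunAsAdministrator lands as NT AUTHORITY\SYSTEM inside the container,
#    which is enough to write to C:\app; no network identity is used on this hop.
$session = New-PSSession -ContainerName $containerName -RunAsAdministrator
Invoke-Command -Session $session -ScriptBlock {
    param($dir)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
} -ArgumentList $destination
Copy-Item -Path "$staging\*" -Destination $destination -ToSession $session -Recurse -Force

# 4. Verify from inside the container, then clean up the session and staging copy.
Invoke-Command -Session $session -ScriptBlock {
    param($dir)
    Get-ChildItem -Path $dir -Recurse -File | Select-Object FullName, Length
} -ArgumentList $destination
Remove-PSSession $session
Remove-Item -Path $staging -Recurse -Force
```

The point of the two-hop copy is separation of identity: the credential that can reach the share lives only on the host for the duration of the `New-PSDrive`, and the container receives plain files, so no password or matching local account has to be created inside the image just to run the build/config stage.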

All replies