Windows Containers do not ship with Active Directory support and, by their nature, cannot (yet) act as fully domain-joined objects, but a certain level of Active Directory functionality is available through group Managed Service Accounts (GMSA).
Although Windows Containers cannot be domain-joined, they can still take advantage of Active Directory domain identities, similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, Microsoft introduced a new domain account type called a group Managed Service Account (GMSA), designed to be shared by services.
A Windows container that is not part of your domain can authenticate to Active Directory resources, provided certain prerequisites are met.
First, your container hosts must be domain-joined and able to use Group Managed Service Accounts.
The following steps allow a Windows container to communicate with an on-premises SQL Server using a GMSA.
The environment names used throughout this post (domain cloudiq.local, computer accounts CloudIQDC1, cloud-2016 and CIQSQL2012, GMSA container_gmsa) appear in the commands below.
On the domain controller, create the KDS root key that GMSAs require, then create the GMSA and control which principals may retrieve its password:

```powershell
Import-Module ActiveDirectory

# Backdating EffectiveTime skips the normal 10-hour wait for KDS root key replication;
# this shortcut is suitable for a lab, not for production domains.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Create the GMSA. Only the listed principals may retrieve the managed password.
# RC4 is kept here as in the original; where every client supports it, AES-only is the safer choice.
New-ADServiceAccount -Name container_gmsa -DNSHostName cloudiq.local `
    -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers", "Domain Admins", "CN=Container Hosts,CN=Builtin,DC=cloudiq,DC=local" `
    -KerberosEncryptionType RC4, AES128, AES256

# Verify the account was created
Get-ADServiceAccount -Identity container_gmsa

# Narrow password retrieval to the specific computer accounts (note the trailing $ on machine account names)
Set-ADServiceAccount -Identity container_gmsa -PrincipalsAllowedToRetrieveManagedPassword 'CloudIQDC1$', 'cloud-2016$', 'CIQSQL2012$'
```
On the container host, install the Active Directory PowerShell module, install and test the GMSA, then generate the credential spec that Docker will pass to the container:

```powershell
# Make the ActiveDirectory module available on the container host
Enable-WindowsOptionalFeature -Online -FeatureName ActiveDirectory-PowerShell -All

Get-ADServiceAccount -Identity container_gmsa
# Registers the GMSA on this host so it can retrieve the managed password
Install-ADServiceAccount -Identity container_gmsa
# Returns True only if this host can actually retrieve the password
Test-ADServiceAccount -Identity container_gmsa

# Download Microsoft's CredentialSpec helper module and create a credential spec for the GMSA
Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1" -UseBasicParsing -OutFile "$env:TEMP\cred.psm1"
Import-Module "$env:TEMP\cred.psm1"
New-CredentialSpec -Name Gmsa -AccountName container_gmsa
# This will return the location and name of the JSON file
Get-CredentialSpec
```
On the SQL Server, create a Windows login for the GMSA (the account name carries a trailing $, like a computer account) and grant it a role:

```sql
CREATE LOGIN [cloudiq\container_gmsa$] FROM WINDOWS;
GO
-- The post grants sysadmin. sp_addsrvrolemember is deprecated (ALTER SERVER ROLE replaces it) and
-- sysadmin is far broader than a container application normally needs; a database-level role scoped
-- to the application's database is the least-privilege choice.
EXEC sp_addsrvrolemember 'cloudiq\container_gmsa$', 'sysadmin';
GO
```
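Before starting containers, it is worth confirming on the container host that every piece above lines up. The following readiness check is an added example, not code from the original post or from Microsoft's module; it assumes the names used in this post and that New-CredentialSpec wrote its JSON to Docker's default CredentialSpecs folder under $env:ProgramData.

```powershell
# Added example: GMSA readiness check, run on the container host as a domain user.
# Assumptions: GMSA container_gmsa, domain cloudiq.local, credential spec file Gmsa.json
# in the default Docker location (the path is an assumption, adjust if Get-CredentialSpec reports another).
Import-Module ActiveDirectory

$GmsaName = 'container_gmsa'
$Domain   = 'cloudiq.local'
$SpecPath = Join-Path $env:ProgramData 'docker\CredentialSpecs\Gmsa.json'
$ok = $true

# 1. Is this host (directly) allowed to retrieve the managed password?
$gmsa   = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$hostDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -notcontains $hostDn) {
    # Not fatal: the host may be authorised through a group such as "Container Hosts"
    Write-Warning "$env:COMPUTERNAME is not listed directly in PrincipalsAllowedToRetrieveManagedPassword"
}

# 2. Can the host actually fetch the password? This is what Install-/Test-ADServiceAccount depend on.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Write-Error "Test-ADServiceAccount failed: run Install-ADServiceAccount and review the allowed principals"
    $ok = $false
}

# 3. Does the credential spec exist and name the same GMSA and domain?
if (-not (Test-Path $SpecPath)) {
    Write-Error "Credential spec not found at $SpecPath"
    $ok = $false
} else {
    $spec  = Get-Content $SpecPath -Raw | ConvertFrom-Json
    $names = $spec.ActiveDirectoryConfig.GroupManagedServiceAccounts | ForEach-Object Name
    if ($names -notcontains $GmsaName -or $spec.DomainJoinConfig.DnsName -ne $Domain) {
        Write-Error "Credential spec does not reference GMSA '$GmsaName' in domain '$Domain'"
        $ok = $false
    }
}

if ($ok) { Write-Output "Host $env:COMPUTERNAME is ready to run containers as $Domain\$GmsaName" }
```

A failing step 2 is the usual cause of containers falling back to anonymous access against SQL Server, so fix it before investigating the SQL login.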