Can I log on to a domain from a Windows container?

Suresh Rajamani 1 Reputation point
2023-04-06T05:57:35.02+00:00

Hi Team, we are developing a Cognos Analytics Windows image. The Cognos installation requires Active Directory domain connectivity with user credentials, so I am validating the AD connection from the container, but it is failing to connect. I am using the advapi32 LogonUser function from a PowerShell script. The domain connects from the VM, but the same script does not work from the local container running in the same VM; the AD connection fails. The VM is also in the same domain. Can we connect to the domain from a Windows container? I see some blogs suggesting gMSA. Please confirm and kindly guide me. Thanks, Suresh Rajamani
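
As an added example (this is not the poster's script), the same advapi32 LogonUser call wrapped in PowerShell so that it returns the Win32 error and message instead of a bare failure, together with whether the process actually runs on a domain-joined host. A container without a gMSA credential spec has no computer account and no secure channel to a domain controller, so network-logon validation of domain credentials fails there even when the host validates fine; the `HostInDomain` field makes that visible. The helper and parameter names are my own.

```powershell
# Added example, not code from the question. Validates domain credentials with
# advapi32!LogonUserW (network logon, no interactive session) and reports why it fails.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class AdvApi32 {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Test-DomainLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Hypothetical parameter: NetBIOS or DNS domain name; defaults to the credential's domain part.
        [string] $Domain = $Credential.GetNetworkCredential().Domain
    )
    $LOGON32_LOGON_NETWORK    = 3   # validate only; no logon session or profile is created
    $LOGON32_PROVIDER_DEFAULT = 0

    $user  = $Credential.GetNetworkCredential().UserName
    $pass  = $Credential.GetNetworkCredential().Password
    $token = [IntPtr]::Zero
    try {
        $ok  = [AdvApi32]::LogonUser($user, $Domain, $pass,
                                     $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    } finally {
        # Always release the token handle; a leaked token keeps the logon alive.
        if ($token -ne [IntPtr]::Zero) { [void][AdvApi32]::CloseHandle($token) }
    }

    if ($ok) { $code = 0; $msg = 'Logon validated' }
    else     { $code = $err; $msg = [ComponentModel.Win32Exception]::new($err).Message }

    # PartOfDomain is False inside a container that was started without a gMSA
    # credential spec: the container has no machine identity to reach a DC with.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        User            = "$Domain\$user"
        Success         = $ok
        Win32Error      = $code
        Message         = $msg
        HostInDomain    = $cs.PartOfDomain
        ProcessIdentity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

# Usage (prompts for the password; nothing is stored in the script):
# $cred = Get-Credential -Message 'Domain account to validate'
# Test-DomainLogon -Credential $cred -Domain 'CONTOSO'
```

Run it once on the VM and once inside the container with the same credential; comparing the `Win32Error`, `Message` and `HostInDomain` fields tells you whether the failure is the credential itself or the container's lack of a domain identity.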

Azure Container Instances
An Azure service that provides customers with a serverless container experience.

2 answers

  1. Susheel Bhatt 346 Reputation points
    2023-04-06T06:43:23.8566667+00:00

    Yes, it is possible to connect a Windows container to Active Directory (AD) using group Managed Service Accounts (gMSA). A gMSA is a domain account that can be used to manage services on multiple servers. The password for the gMSA is managed automatically by the domain controller, so it doesn't need to be stored in plain text on the server running the container.

    Here are the general steps to configure a Windows container to use a gMSA:

    1. Create a gMSA in the Active Directory domain that the container host is joined to. This can be done using the New-ADServiceAccount PowerShell cmdlet.
    2. Grant the necessary permissions to the gMSA to access resources in the domain. For example, if the gMSA needs to access a shared folder, you would need to grant the gMSA access to that folder.
    3. Install the gMSA on the container host by running the Install-ADServiceAccount PowerShell cmdlet.
    4. Configure the container to use the gMSA by adding the --security-opt "credentialspec=file://path/to/credential-spec.json" option to the docker run command. The credential-spec.json file should contain the following JSON:

            {
                "Credentialspec": {
                    "Username": "DOMAIN\\gMSA$",
                    "Password": ""
                }
            }

       Replace DOMAIN with the name of your Active Directory domain, and gMSA with the name of your gMSA. Leave the Password field blank.
    5. Test the connection to the AD domain from within the container using the Test-ComputerSecureChannel PowerShell cmdlet.

    Note that gMSA is only available on Windows Server 2016 and later versions. Also, the container host must be joined to an Active Directory domain. I hope this helps. Let me know if you have any further questions!
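
As an added example (my own script, not the answer's), the steps above carried through end to end in PowerShell, grouped by where each step runs: domain admin side, container host, and inside the container. It uses the AD RSAT cmdlets named in the answer plus Microsoft's CredentialSpec module (`Install-Module CredentialSpec`), whose `New-CredentialSpec` cmdlet writes the credential spec file in the format the container runtime expects (CmsPlugins, DomainJoinConfig and ActiveDirectoryConfig sections, no password field at all) under C:\ProgramData\Docker\CredentialSpecs. All names below (contoso.com, CognosHosts, cognosgmsa, cognos:latest) are placeholders.

```powershell
# Added example, not code from the answer or from Microsoft. Placeholders:
#   contoso.com   -> your AD DNS domain
#   CognosHosts   -> AD group holding the container host computer accounts
#   cognosgmsa    -> gMSA name (also used as the container hostname)
#   cognos:latest -> your container image
$DomainDns = 'contoso.com'
$HostGroup = 'CognosHosts'
$GmsaName  = 'cognosgmsa'
$Image     = 'cognos:latest'

# ---- Step 1: on a machine with the ActiveDirectory RSAT module, as a domain admin ----
function New-ContainerGmsa {
    param([string]$Name, [string]$Domain, [string]$AllowedGroup)

    # A KDS root key must exist once per forest before any gMSA can be created.
    if (-not (Get-KdsRootKey)) {
        # -EffectiveImmediately still needs ~10 hours to replicate to all DCs.
        Add-KdsRootKey -EffectiveImmediately | Out-Null
    }

    # Only members of $AllowedGroup (the container hosts) may retrieve the managed
    # password: that membership is the trust boundary replacing a stored secret.
    New-ADServiceAccount -Name $Name `
        -DNSHostName "${Name}.${Domain}" `
        -ServicePrincipalNames "host/${Name}", "host/${Name}.${Domain}" `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedGroup `
        -KerberosEncryptionType AES256
}

# ---- Step 2: on the domain-joined container host (member of $HostGroup) ----
function Test-ContainerHostGmsa {
    param([string]$Name)
    # Reboot the host after adding it to the group, or its Kerberos ticket will not
    # carry the membership and Test-ADServiceAccount returns False.
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount -Identity $Name     # True: host can retrieve the password
}

function New-ContainerCredentialSpec {
    param([string]$Name)
    # CredentialSpec module: writes <Name>.json under C:\ProgramData\Docker\CredentialSpecs.
    New-CredentialSpec -AccountName $Name
    Get-CredentialSpec | Where-Object Name -like "${Name}*"
}

function Start-GmsaContainer {
    param([string]$Name, [string]$Image)
    # The path is relative to the CredentialSpecs directory. On Windows Server 2016
    # the container hostname must equal the gMSA name; on 2019+ it is optional.
    docker run -d --rm --hostname $Name `
        --security-opt "credentialspec=file://${Name}.json" `
        --name $Name $Image
}

# ---- Step 3: inside the running container (docker exec -it <name> powershell) ----
function Test-ContainerDomainChannel {
    param([string]$Domain)
    # nltest is the dependable check here; Test-ComputerSecureChannel expects a
    # machine account of its own, which a container does not have.
    $out = & nltest.exe "/sc_verify:$Domain" 2>&1
    [pscustomobject]@{
        ProcessIdentity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        SecureChannel   = ($LASTEXITCODE -eq 0)
        Output          = ($out -join "`n")
    }
}

# Order of use:
# New-ContainerGmsa -Name $GmsaName -Domain $DomainDns -AllowedGroup $HostGroup   # step 1
# Test-ContainerHostGmsa -Name $GmsaName                                          # step 2 (host)
# New-ContainerCredentialSpec -Name $GmsaName                                     # step 2 (host)
# Start-GmsaContainer -Name $GmsaName -Image $Image                               # step 2 (host)
# Test-ContainerDomainChannel -Domain $DomainDns                                  # step 3 (container)
```

Inside the container the local identity still shows as a container account (for example ContainerAdministrator); only network authentication to the domain uses the gMSA, which is why `nltest /sc_verify` rather than the local user name is the meaningful check. If step 2 returns False, fix the host's group membership and ticket before touching the container side.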


  2. Suresh Rajamani 1 Reputation point
    2023-04-12T06:31:39.37+00:00

    Hi Susheel Bhatt, thanks for the detailed answer. So, we cannot connect to the domain from a Windows container without using gMSA? Thanks, Suresh Rajamani

