I am working on being able to connect services hosted within a Windows container to SQL Server using Integrated Security.
As per the Microsoft documentation, I have created a grouped managed service account (gMSA), credentials spec and my container hosts have access to the gMSA - https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
I have been testing the connection by using the SQL Server PowerShell module within the following container:
docker run --security-opt "credentialspec=file://mygsma.json" -it mcr.microsoft.com/windows/servercore:ltsc2019 powershell
Problem:
When running the container in hyper-v isolation mode, I get the following error SQL Server error:
Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
If I run the container in process isolation mode, I am able to successfully login to SQL Server using the gMSA. As far as I'm aware there is nothing to suggest that Integrated authentication for hyper-v containers is not supported.
There was a bug which prevented you using gMSAs with Hyper-V isolated containers on Windows 10 versions 1703, 1709, and 1803. However, I'm using Windows 10 version 1809 and can confirm the gMSA can be accessed by the container.
Any ideas?
Related
Good morning. I have several Django apps running in my work environment. All are running through Gunicorn on Ubuntu. I have a new app that must run on Windows for ODBC reasons. This new app is running in development mode on a Windows 10 PC. I run the dev server while logged in as a service account, it uses a trusted connection (local credentials as I understand) to query a SQL server and works perfectly. I ported this app (virtualenv and all) to a Windows Server 2012 r2 instance and run the dev server successfully from there using my domain admin credentials (again trusted_connection=yes).
I set up IIS on this server to run the app permanently and it appears to run. However, I get a django error page that says the SQL login failed for 'DOMAINNAME\SERVERNAME'.
I have tried editing my Application Pool to use the credentials of the working service account (Advanced Settings > Process Model > Identity). With this configuration I no longer see a Django error page, just Service Unavailable HTTP Error 503. I have tried 'recycling' and restarting the IIS service after the change but that has not worked.
Unfortunately, I do not have admin access to the SQL server to create or edit accounts. Is it possible to configure IIS to connect to SQL, through the app, using the service account credentials that I know work. If I were to configure the Application Pool successfully in this way should I still have the trusted connection setting in my connection string? Thanks!
We hosted a .Net core 2.2 API in Red Hat Open shift container platform. API is using Entity Framework connecting to a SQL Server db on Windows Server, but both the container platform, SQL Server are on the same domain.
Now the API is unable to establish connection with the SQL server db. We tried with SQL Auth, but still the API hosted on container pod is trying to establish sql connection using kerberos, which has following issue.
System.Data.SqlClient.SqlException: Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.
Need some inputs on What are the additional setup, configurations required to connect SQL Server from open shift container platform ?
Right now there are no environment variables, config maps, additional drivers for SQL configured in the open shift container platform.
The problem with mine was the connection string. I had to remove "Trusted_Connection=true"
I have gone through all the examples I could find online for building docker container based applications. I would want to run two services running in two docker containers:
A windows container running ASP.NET
A windows container running SQL Server
Easy job and many examples. However, in all examples you need to use SQL authentication and to provide a hard-coded SA password as an environment variable when running the SQL server container. You also need to hard code the SA password into the connection string in the ASP.Net code (or also provide it in some other manner in a configuration file, etc.)
Bottom line in all examples the password is hard-coded somewhere.
In most applications we develop now, we actually use windows authentication instead or use a grouped managed service account instead. But as far as I know, you cannot add a windows container to a domain, thus the SQL server is not part of the windows domain so I don't see a way to use windows authentication here.
So does any one have an alternative to hard-coding passwords this way ?
I'm dealing exactly with the same problem.
Here is the most complete procedure that I found.
The trick is to use gMSA.
But, as JanneRantala says at the end, I'm having the same problem when trying to add a new User in the Database :
Msg 15401, Level 16, State 1, Line 3
Windows NT user or group 'YOUR_DOMAIN\gmsa$' not found. Check the name again.
Here is walkthrough how to make it work. Windows Containers Walkthrough
This will not work though if your SQL is also running in container since SQL server itself have to part of Active Directory to be able to utilize GMSA accounts.
Windows authentication is automatically enabled in Windocks SQL Server containers. See here for more details.
The SQL Server containers created in Windocks are SQL Server named instances created automatically from the default SQL Service that is already installed on the Windows Server (2012 R2 or 2016). Any Windows accounts in the default instance are automatically enabled in the container instances.
Since we do distributed transactions using Entity framework, we currently have DTC enabled on both the client/server and the SQL server boxes in all environments.
This was easy to set up using using How to Enable MSDTC on a Web Server and it works well.
However our production environment's use Windows Server Core and this is a rudimentary command line based environment.
How do I enable/configure MS DTC on the Windows Server Core machines?
From another computer, you can:
run Dcomcnfg.exe
rigth click on Console Root / Component Services / Computer
select New / Computer
add your server
Powershell
From Server Core Powershell window or using a remote Powershell session you can use MS DTC cmdlets: Distributed Transaction Coordinator (MSDTC) Cmdlets in Windows PowerShell
You have to figure out which one are needed based on your requierement.
You can for example use Set-DtcNetworkSetting in order to modify network and security configuration for a DTC instance.
Database: Sql Server 2005
Webserver: IIS 5.0
IDE: Visual Studio 2010
I've created a Silverlight RIA application which will allow users of our intranet query one of our databases.
In the config I have set the authentication to windows and enabled impersonation.
In IIS i have disabled anonymous access and only enabled windows authentication.
This all works fine in my development environment and when running it from VS2010.
When i publish it to my local web server and connect to it from my local pc it works too.
However if i access the URL to the application on my local web server from another machine the application does not work. It gives the following error: "Load operation failed '[QueryName]'. Exception type 'System.ServiceModel.DomainServices.Client.DomainOperationException' was thrown.
The database sits on its own server. However i have the same database locally and if i change the connectionstring to local at the local version of that database it works fine.
IIS on my PC does not seem to forward requests to the SQL Server machine. As im running profiler to see what requests come in.
Any help on this would be greatly appreciated. Im sure im missing something.
Thanks
this was an issue was a classic double hop problem when using windows authentication. instead i used annoymous access on IIS and set the App Pool to an account that had access to the database on SQL Server