Using GMSA in the Windows container

Source: Internet
Author: User

We recently set up a test environment in which a component running in a Windows container has to use Kerberos authentication to connect to a SQL Server database.

A Windows container cannot itself be joined to a domain, but you can run it with a group Managed Service Account (gMSA): processes in the container that run as Local System or Network Service then present the gMSA identity when they authenticate to the domain, so all that is left is to add a login for that gMSA on SQL Server. Note that it has to be a gMSA; an ordinary standalone MSA cannot be used with a container.

Before you create a gMSA for the first time, the forest needs a KDS (Key Distribution Service) root key (skip this step if one already exists; Get-KdsRootKey shows it):

Add-KdsRootKey -EffectiveImmediately

Then you have to wait 10 hours for the key to replicate to every domain controller before the gMSA can be created. If this is only a lab with a single DC, you can backdate the key's effective time so it is usable at once (do not do this in production: DCs that have not yet received the key will fail to serve the gMSA):

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Create the gMSA:

New-ADServiceAccount -Name Service1 -DNSHostName Service1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword computername1$, computername2$ ... -KerberosEncryptionType RC4, AES128, AES256

Here -DNSHostName is only a name attached to the account and does not need a DNS record. -PrincipalsAllowedToRetrieveManagedPassword lists the container hosts (the machines running Docker) that are allowed to fetch the gMSA password; computer accounts in AD are named with a trailing "$", so append it to each host name. You can pass an AD group containing the hosts instead of listing them individually. Unless something in your environment still requires RC4, leave it out of -KerberosEncryptionType and allow only AES128 and AES256.

Next, install the gMSA on the container host:

# Install the AD PowerShell module
Install-WindowsFeature RSAT-AD-PowerShell

# Install the gMSA on this host
Install-ADServiceAccount Service1

# Test: returns True if the host can retrieve the gMSA password
Test-ADServiceAccount Service1

Next, to use the gMSA in a container you need to create a credential spec for Docker. The CredentialSpec.psm1 module from Microsoft's Virtualization-documentation repository (path Virtualization-documentation/windows-server-container-tools/serviceaccounts) generates it; you can clone the whole repository or create a new text file named CredentialSpec.psm1 and paste the file's contents into it. Then run the following PowerShell commands:

Import-Module .\CredentialSpec.psm1
New-CredentialSpec -Name service1 -AccountName Service1

Next, you can run the container:

docker run --security-opt "credentialspec=file://service1.json" microsoft/windowsservercore nltest /parentdomain

If the command prints your AD domain name, the container is talking to the domain as the gMSA and the setup works. On Windows Server 2016 hosts, also pass --hostname Service1 so that the container's host name matches the gMSA name, which those builds require.
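The script below is an added, end-to-end version of the procedure above (example code, not from the original post), carried through to the SQL Server side: it authorizes the container hosts via an AD group, creates the SQL Server login for the gMSA, and then runs a check inside the container that the connection actually negotiated Kerberos rather than falling back to NTLM. The domain CONTOSO / contoso.com, the group ContainerHosts, the host DOCKERHOST1 and the server SQL01 are assumed names.

```powershell
# Added example (not from the original post): full gMSA workflow for a
# container that must reach SQL Server with Kerberos, plus a check that the
# connection really uses Kerberos. Assumed (hypothetical) names: domain
# CONTOSO / contoso.com, gMSA Service1, AD group ContainerHosts,
# container host DOCKERHOST1, SQL Server SQL01.

# ---- 1. On a machine with the AD PowerShell module (e.g. a DC) ----
Import-Module ActiveDirectory

# Create the KDS root key only if the forest does not have one yet.
if (-not (Get-KdsRootKey)) {
    # Production: wait ~10 hours for the key to replicate to every DC.
    Add-KdsRootKey -EffectiveImmediately
    # Single-DC lab only: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Authorize a group of container hosts instead of listing each host, so that
# adding a host later does not mean editing the gMSA.
$hostGroup = 'ContainerHosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope DomainLocal
}
Add-ADGroupMember -Identity $hostGroup -Members 'DOCKERHOST1$'   # computer accounts end in $

# AES only: RC4 is deprecated and usually disabled on hardened domains.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'Service1'")) {
    New-ADServiceAccount -Name Service1 `
        -DNSHostName Service1.contoso.com `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -KerberosEncryptionType AES128, AES256
}

# ---- 2. On SQL Server: a login for the gMSA (note the trailing $) ----
# Run with Invoke-Sqlcmd (SqlServer module) or paste into SSMS; afterwards
# grant only the database roles the component actually needs.
$createLogin = @'
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\Service1$')
    CREATE LOGIN [CONTOSO\Service1$] FROM WINDOWS;
'@
# Invoke-Sqlcmd -ServerInstance SQL01 -Query $createLogin

# ---- 3. On the container host (DOCKERHOST1) ----
# Reboot the host after adding it to ContainerHosts so its own Kerberos
# ticket carries the new group membership; otherwise password retrieval fails.
Install-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount Service1
if (-not (Test-ADServiceAccount Service1)) {
    throw 'This host cannot retrieve the gMSA password; check group membership and replication.'
}

# CredentialSpec.psm1 from Microsoft's Virtualization-documentation repository.
Import-Module .\CredentialSpec.psm1
New-CredentialSpec -Name service1 -AccountName Service1
# The spec is written to C:\ProgramData\docker\credentialspecs\service1.json

# ---- 4. Run the container and prove the SQL connection is Kerberos ----
# Local System inside the container uses the gMSA for network authentication,
# so Integrated Security=True connects as CONTOSO\Service1$. auth_scheme
# tells us whether Kerberos was negotiated: NTLM there means the SQL Server
# SPN (MSSQLSvc/SQL01.contoso.com:1433) is missing or duplicated and the
# client silently fell back.
$check = @'
$cn = New-Object System.Data.SqlClient.SqlConnection 'Server=SQL01;Integrated Security=True'
$cn.Open()
$cmd = $cn.CreateCommand()
$cmd.CommandText = 'SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$r = $cmd.ExecuteReader()
[void]$r.Read()
'login={0} auth={1}' -f $r[0], $r[1]
$cn.Close()
'@
# Collapse to a single line so it can be passed as one argument to the container.
$checkOneLine = ($check -split "`r?`n" | Where-Object { $_ }) -join '; '

docker run --rm --hostname Service1 `
    --security-opt "credentialspec=file://service1.json" `
    microsoft/windowsservercore `
    powershell -NoProfile -Command $checkOneLine
```

The last step is the one worth keeping around after the setup is done: nltest /parentdomain only proves the container can reach the domain, whereas querying auth_scheme on the SQL side proves the goal of the page, a Kerberos-authenticated connection as the gMSA, and exposes the most common silent failure (a missing SPN turning the connection into NTLM).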

