Windows authentication in Linux Docker container (.NET 5)

8/16/2021

Summary

I'm trying to configure Windows Authentication using a Linux Docker container and Kerberos.

The project is written in ASP.NET Core 5.0 Web API on the aspnet:5.0-buster-slim image.

During development, I have followed this official article from Microsoft and also this question on Stack Overflow.

I've managed to solve many problems along the way and have fully configured Kerberos in the container. The problem might be related to the way I created the SPNs.

Background

  • Nodes: CentOS
  • Orchestrator: Kubernetes
  • Base Image: aspnet:5.0-buster-slim
  • Additional Dependencies: syslog-ng realmd gss-ntlmssp krb5-kdc-ldap krb5-admin-server ldap-utils curl default-jre krb5-user krb5-kdc krb5-config
  • Volumes: Valid krb5.conf mounted at /etc/krb5.conf
  • Domain: MyDomain.com (This is just an example)
  • Ingress: SSL termination for the wildcard CNAME *.it.MyDomain.com using cert-manager
  • AD Principal: app_usr
  • SPN: http/template@MYDOMAIN.COM, http/template.it.MyDomain.com

Setup

I performed the test on an app named Template, so its FQDN is Template.it.MyDomain.com.

After doing so, I successfully created a keytab file and also double-checked myself by looking at the user principal name, which is set to http/template@MYDOMAIN.COM.

After deploying the app, I opened the execution shell and successfully performed kinit as app_usr with the keytab file. klist shows a valid ticket.

So the infrastructure seems to be configured correctly; moving on to the application level. In the Startup.cs file, in ConfigureServices, I have added authentication. In my first attempt I tried the following:

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();

The next attempt was as follows:

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate(options =>
    {
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
        {
            options.EnableLdap("MyDomain.com");
        }
    });

and even like so:

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate(options =>
    {
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
        {
            options.EnableLdap(settings =>
            {
                settings.Domain = "MyDomain.com";
                settings.MachineAccountName = "app_usr";
                settings.MachineAccountPassword = Configuration["Password"];
            });
        }
    });

The error is always:

GssApiException: GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information

If I try to access the app through the NodePort, I get prompted for a user name and password, and after that I get the same GSSAPI error.

-- Idan Marko
.net-core
docker
kerberos
kubernetes
windows-authentication

0 Answers
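An added diagnostic, not part of the question or of its author's setup: a small POSIX shell script that checks whether the keytab the Negotiate acceptor will read contains the principal a browser actually asks for. Browsers request `HTTP/<host as typed in the URL>` (upper-case service class) from the KDC, and MIT krb5 compares principal names case-sensitively when it looks up the ticket's service name in the keytab, so an entry spelled `http/template@MYDOMAIN.COM` does not serve a ticket issued for `HTTP/template.it.MyDomain.com@MYDOMAIN.COM`. The host name, realm and keytab path are script arguments (assumed, not taken from the question); the `klist -k` output format assumed is MIT krb5's "KVNO Principal" listing; and the acceptor's default keytab is taken from `KRB5_KTNAME`, falling back to `/etc/krb5.keytab`, which is MIT krb5's documented default.

```shell
#!/usr/bin/env sh
# Added diagnostic (not from the question). Checks that the keytab the
# Negotiate acceptor will read contains the principal browsers request.
# Assumed inputs: HOST (as typed in the URL), REALM, optional keytab path.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Principal a browser asks the KDC for when negotiating with https://HOST/:
# upper-case "HTTP" service class, host as typed, realm upper-cased.
expected_spn() {                         # expected_spn HOST REALM
  printf 'HTTP/%s@%s\n' "$1" "$(upper "$2")"
}

# Pull the principal column out of `klist -k` (or `klist -k -t`) output on
# stdin: data rows start with a numeric KVNO, the principal is the last field.
keytab_principals() {
  awk '$1 ~ /^[0-9]+$/ { print $NF }'
}

# Compare WANTED with the principals on stdin and print one of:
#   match      exact entry present
#   case-only  an entry differs only in letter case; MIT krb5 compares
#              principal names case-sensitively, so this still fails
#   missing    nothing comparable in the keytab
spn_status() {                           # spn_status WANTED < klist-output
  wanted=$1
  wanted_lc=$(lower "$wanted")
  status=missing
  for p in $(keytab_principals); do
    if [ "$p" = "$wanted" ]; then
      status=match
      break
    elif [ "$(lower "$p")" = "$wanted_lc" ]; then
      status=case-only
    fi
  done
  printf '%s\n' "$status"
}

# Against a real container: read the keytab the acceptor will use (KRB5_KTNAME,
# else /etc/krb5.keytab), report the status, then prove the key itself works.
check_keytab() {                         # check_keytab HOST REALM [KEYTAB]
  keytab=${3:-${KRB5_KTNAME:-/etc/krb5.keytab}}
  keytab=${keytab#FILE:}
  wanted=$(expected_spn "$1" "$2")
  status=$(klist -k "$keytab" | spn_status "$wanted")
  echo "$wanted in $keytab: $status"
  [ "$status" = match ] || return 1
  # kinit with the keytab key for exactly this SPN; a failure here points at
  # the key or kvno rather than at the name.
  kinit -k -t "$keytab" "$wanted" && echo "key for $wanted is usable"
}

# usage: sh keytab-check.sh template.it.MyDomain.com MyDomain.com [/path/to.keytab]
[ $# -eq 0 ] || check_keytab "$@"
```

Run it inside the pod with the host name users type into the browser. A `case-only` result means the keytab holds the right host but the wrong spelling of the service class, and the usual remedy is an entry with that exact spelling; `missing` means no entry for that host at all. Note that `kinit` succeeding for `app_usr` only shows the keytab's key is valid for that principal on the client side; the acceptor additionally needs an entry named exactly as the service name in the ticket the client presents.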