I am trying to use Windows authentication in a Linux Docker container under Kubernetes.
I am following these settings: https://docs.microsoft.com/en-us/aspnet/core/secu
This article is a good example of misunderstanding how things work. I don't recommend following the way the author described here (like I did) at all.
Instead, I would recommend learning about Kerberos authentication, how it works, and what settings it requires. This article visualizes it well.
First, if you profile HTTP traffic coming from the browser (use Fiddler, for example) you can find a TGS token in the second request.
TlR then you're doing auth over NTLM.
YII then you're doing auth over Kerberos.
Second, like David said before, ASP.NET Core 3.1 doesn't support NTLM on Linux at all. So if you have a TlR token and the ntlm-gssapi mechanism you will get the "No credentials were supplied, or the credentials were unavailable or inaccessible." error.
If you have a TlR token and use the default Kerberos mechanism you will get "An unsupported mechanism was requested."
Next, the only way to get your app to work well is to create SPNs and generate the keytab correctly for Kerberos authentication. Unfortunately, this is not documented well. So, I'm gonna give an example here to make things clearer.
Let's say you have:
MYDOMAIN.COM
webapp.webservicedomain.com. This can end with mydomain.com, but not in my case.
mymachine.
MYDOMAIN\mymachine
Regarding the instructions described here you need to do:
setspn -S HTTP/webapp.webservicedomain.com mymachine
setspn -S HTTP/webapp@MYDOMAIN.COM mymachine
ktpass -princ HTTP/webapp.webservicedomain.com@MYDOMAIN.COM -pass myKeyTabFilePassword -mapuser MYDOMAIN\mymachine$ -pType KRB5_NT_PRINCIPAL -out c:\temp\mymachine.HTTP.keytab -crypto AES256-SHA1
* Make sure MYDOMAIN\mymachine has AES256-SHA1 allowed in AD.
Finally, after doing all of the above and deploying the app into a Linux container with the keytab, Integrated Windows Authentication is supposed to work well. My experiment showed you can use the keytab wherever you want, not only on the host with name "mymachine".
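
The TlR / YII check from the answer above can be automated when triaging captured requests. This is an added example, not part of the original answer: it decodes the value of an Authorization: Negotiate header and reports whether the token is NTLM or Kerberos. The function names and the sample tokens are constructed for illustration (the samples are truncated byte strings, not valid tickets), and the Kerberos test is a heuristic that looks for the Kerberos mechanism OID rather than fully parsing the ASN.1.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # first bytes of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # DER OID 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # DER OID 1.2.840.113554.1.2.2


def classify_negotiate(header_value: str) -> str:
    """Classify an Authorization header value as 'ntlm', 'kerberos', 'unknown' or 'invalid'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "invalid"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                  # raw NTLMSSP: the base64 text begins with "TlR"
    if raw[:1] == b"\x60":             # GSS-API token: base64 begins with "YII" for typical sizes
        if NTLMSSP_SIGNATURE in raw:
            return "ntlm"              # NTLM message wrapped inside SPNEGO
        if OID_KRB5 in raw:
            return "kerberos"
    return "unknown"


def constructed_samples() -> dict:
    """Build two constructed header values (hypothetical, truncated tokens)."""
    ntlm = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(8)
    krb = b"\x60\x82\x05\x00" + OID_SPNEGO + OID_KRB5 + bytes(16)
    return {
        "ntlm": "Negotiate " + base64.b64encode(ntlm).decode(),
        "kerberos": "Negotiate " + base64.b64encode(krb).decode(),
    }


if __name__ == "__main__":
    for name, header in constructed_samples().items():
        print(name, header[:26], "->", classify_negotiate(header))
```

A result of "ntlm" for requests to the Linux container means the client never obtained a service ticket for the SPN, so the SPN and keytab setup is the place to look.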