Forum Discussion
Tonde Matangaidze
Sep 27, 2018, Copper Contributor
Containerised application cannot access WCF services using gMSA when Hyper-V isolation is enabled.
Hello,
We have an interesting problem with Insider build 17744: based on the release notes, the bug that prevented using gMSAs with Hyper-V isolated containers has been resolved.
As such we are trying to prove this with one of our containerised applications. Below is a rundown of the test setup.
Host: Windows Server Insider build 17744.1001
Container Image Based on : mcr.microsoft.com/windowsservercore-insider:10.0.17744.1001
Both tests use the same image; the only difference is that the failing container uses Hyper-V isolation.
Scenario 1 - this works perfectly (no isolation).
docker run -d -t --network tlan --ip x.x.x.x --security-opt "credentialspec=file://Test_GMSA.json" -v C:\clogs:c:\logs -h BaseLine --name BaseLine -e classification=SML x.x.x.x:xxxx/XXX
Scenario 2 - this fails (with Hyper-V isolation).
docker run -d -t --network tlan --ip x.x.x.x --security-opt "credentialspec=file://Test_GMSA.json" -v C:\clogs:c:\logs -h HViso --name HViso -e classification=SML --isolation=hyperv x.x.x.x:xxxx/XXX
Notes
- SQL access works fine in both tests.
- Calling a WCF service that's configured to use Windows auth fails in the second scenario with the error below.
System.ServiceModel.Security.SecurityNegotiationException: The server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: The server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
--- End of inner exception stack trace ---
   at System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
Any ideas as to what could be the issue when accessing WCF services with Hyper-V isolation and gMSAs?
Thanks
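The post compares a process-isolated and a Hyper-V isolated container that share one credential spec but differ in whether Windows-authenticated WCF calls succeed. The script below is an added example of how to reproduce that comparison and narrow it down; it is not code from the original post or from Microsoft. It generates a credential spec from the domain's own attributes (the same JSON shape that the CredentialSpec module produces), starts one container per isolation mode, then runs the two domain-side checks a Negotiate client depends on inside each: DC location (nltest /dsgetdc) and the Netlogon secure channel that authenticates the container as the gMSA (nltest /sc_verify). The gMSA name, domain, image and network names are hypothetical placeholders; the 'completed successfully' string matches are heuristics on nltest's console output.

```powershell
# Added diagnostic script (not from the original post). Hypothetical values:
# gMSA 'svc-wcf', image/network names below. Run on the container host as an
# administrator with the ActiveDirectory RSAT module installed.
$Gmsa    = 'svc-wcf'
$Image   = 'mcr.microsoft.com/windowsservercore-insider:10.0.17744.1001'
$Network = 'tlan'

Import-Module ActiveDirectory

# 1. The host must be able to retrieve the gMSA password; if this fails, no
#    container on this host can use the account, whatever the isolation mode.
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    throw "Host cannot retrieve the password for gMSA '$Gmsa' (check PrincipalsAllowedToRetrieveManagedPassword)."
}

# 2. Build the credential spec from the domain's attributes and write it to the
#    directory docker resolves 'file://' credential specs against.
$domain = Get-ADDomain
$forest = Get-ADForest
$spec = [ordered]@{
    CmsPlugins       = @('ActiveDirectory')
    DomainJoinConfig = [ordered]@{
        Sid                = $domain.DomainSID.Value
        MachineAccountName = $Gmsa
        Guid               = $domain.ObjectGUID.Guid
        DnsTreeName        = $forest.RootDomain
        DnsName            = $domain.DNSRoot
        NetBiosName        = $domain.NetBIOSName
    }
    ActiveDirectoryConfig = [ordered]@{
        GroupManagedServiceAccounts = @(
            [ordered]@{ Name = $Gmsa; Scope = $domain.DNSRoot },
            [ordered]@{ Name = $Gmsa; Scope = $domain.NetBIOSName }
        )
    }
}
$specDir  = Join-Path $env:ProgramData 'Docker\CredentialSpecs'
New-Item -ItemType Directory -Path $specDir -Force | Out-Null
$specFile = "$Gmsa.json"
$spec | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $specDir $specFile) -Encoding ASCII

# 3. Start one container per isolation mode with otherwise identical settings,
#    mirroring the two scenarios in the post.
$modes = [ordered]@{ 'gmsa-process' = 'process'; 'gmsa-hyperv' = 'hyperv' }
foreach ($name in $modes.Keys) {
    docker rm -f $name 2>$null | Out-Null
    docker run -d -t --network $Network --name $name `
        --security-opt "credentialspec=file://$specFile" `
        --isolation $modes[$name] $Image powershell -NoLogo | Out-Null
}

# 4. Probe each container: can it locate a DC, and does Netlogon authenticate the
#    container (as the gMSA) to that DC? Both checks run as any container user.
#    The backtick-escaped variables stay unexpanded on the host; DNSRoot expands here.
$probe = @"
`$r = [ordered]@{}
`$r.DcLocator     = (nltest /dsgetdc:$($domain.DNSRoot) 2>&1) -join ' '
`$r.SecureChannel = (nltest /sc_verify:$($domain.DNSRoot) 2>&1) -join ' '
`$r | ConvertTo-Json -Compress
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))

$results = foreach ($name in $modes.Keys) {
    $out = docker exec $name powershell -NoProfile -EncodedCommand $encoded | ConvertFrom-Json
    [pscustomobject]@{
        Container     = $name
        Isolation     = $modes[$name]
        # Heuristic string checks on nltest's console output.
        DcLocator     = if ($out.DcLocator     -match 'completed successfully') { 'OK' } else { 'FAIL' }
        SecureChannel = if ($out.SecureChannel -match 'completed successfully') { 'OK' } else { 'FAIL' }
    }
}
$results | Format-Table -AutoSize
```

If the Hyper-V container fails the DC-locator check, the problem is network reachability from the utility VM rather than the credential spec; if DC location succeeds but the secure channel fails, the container is reaching a DC but is not being treated as the gMSA, which is the same symptom the WCF client reports as "The logon attempt failed". A process-isolated container that passes both while the Hyper-V one fails only the second reproduces the post's split result without involving the application.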