Containerised application cannot access WCF services using gMSA when Hyper-V isolation is enabled.

Hello,

 

We have an interesting problem with insider build 17744. Based on the release notes, the bug that prevented using gMSAs with Hyper-V isolated containers has been resolved.

 

As such, we are trying to prove this with one of our containerised applications. Below is a rundown of the test setup.

 

Host: Windows Server insider build 17744.1001

Container image based on: mcr.microsoft.com/windowsservercore-insider:10.0.17744.1001

 

Both tests use the same image; the only difference is that the failing container uses Hyper-V isolation.

 

Scenario 1 - this works perfectly (no isolation).

docker run -d -t --network tlan --ip x.x.x.x --security-opt "credentialspec=file://Test_GMSA.json" -v C:\clogs:c:\logs -h BaseLine --name BaseLine -e classification=SML x.x.x.x:xxxx/XXX

 

Scenario 2 - this fails (with Hyper-V isolation).

docker run -d -t --network tlan --ip x.x.x.x --security-opt "credentialspec=file://Test_GMSA.json" -v C:\clogs:c:\logs -h HViso --name HViso -e classification=SML --isolation=hyperv x.x.x.x:xxxx/XXX

 

Notes

  1. SQL access works fine for both tests.
  2. Calling a WCF service that's configured to use Windows auth fails in the second scenario with the error below.

System.ServiceModel.Security.SecurityNegotiationException: The server has rejected the client credentials.
 ---> System.Security.Authentication.InvalidCredentialException: The server has rejected the client credentials.
 ---> System.ComponentModel.Win32Exception: The logon attempt failed
   --- End of inner exception stack trace ---
   at System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)

 

Any ideas as to what could be the issue when accessing WCF services with Hyper-V isolation and gMSAs?

Thanks
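The stack trace above fails inside the Windows stream security upgrade, i.e. the SPNEGO handshake that NegotiateStream performs on the client side, while SQL access (which also authenticates with the container's gMSA) succeeds. A practical way to narrow that down is to run a few identity checks from inside the failing container before touching the WCF client. The script below is an added example and is not part of the original post; the domain name, gMSA-backed SPN, WCF host name and port are placeholders that must be replaced with the real values for the environment. It uses only built-in Windows tooling (whoami, nltest, klist, Test-NetConnection), so it can be executed with docker exec against either container and the two outputs compared side by side.

```powershell
# Added diagnostic script, not from the original post.
# Run inside the container, e.g.:
#   docker exec -it HViso powershell -File C:\logs\Test-GmsaIdentity.ps1
# All parameter defaults are assumed placeholders.
param(
    [string]$Domain     = 'CONTOSO',                      # placeholder NetBIOS domain
    [string]$ServiceSpn = 'HOST/wcfhost.contoso.local',   # placeholder SPN of the WCF service
    [string]$WcfHost    = 'wcfhost.contoso.local',        # placeholder WCF server name
    [int]   $WcfPort    = 8080                            # placeholder WCF listener port
)

$results = [ordered]@{}

# 1. Identity of the calling process. With a credential spec applied, processes
#    running as SYSTEM or Network Service present the gMSA to the domain, so the
#    local account name here is expected; the real test is steps 2 and 3.
$results['WhoAmI'] = (whoami 2>&1 | Out-String).Trim()

# 2. Secure channel to the domain. If the gMSA is not being picked up in the
#    Hyper-V isolated container, this verification fails even though the
#    non-isolated container with the same credential spec passes.
$results['SecureChannel'] = (nltest /sc_verify:$Domain 2>&1 | Out-String).Trim()

# 3. Kerberos ticket for the WCF service's SPN. A failure here, with SQL still
#    working, points at the SPN/Kerberos path used by the Windows stream
#    security upgrade rather than at the gMSA as a whole.
$results['ServiceTicket'] = (klist get $ServiceSpn 2>&1 | Out-String).Trim()

# 4. Plain TCP reachability of the WCF endpoint, to rule out a network
#    difference between the two container network stacks.
$results['TcpReachable'] = (Test-NetConnection -ComputerName $WcfHost -Port $WcfPort -WarningAction SilentlyContinue).TcpTestSucceeded

# 5. Cached tickets, useful for comparing what the isolated and non-isolated
#    containers actually hold after the calls above.
$results['CachedTickets'] = (klist 2>&1 | Out-String).Trim()

foreach ($entry in $results.GetEnumerator()) {
    Write-Output ("=== {0} ===" -f $entry.Key)
    Write-Output $entry.Value
    Write-Output ''
}
```

Running the same script in BaseLine and HViso and diffing the two outputs shows at which step the isolated container diverges: a failing secure-channel verification means the gMSA identity itself is not in effect under Hyper-V isolation, whereas a good secure channel but no service ticket narrows the problem to the Kerberos exchange the WCF client attempts.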
