Containerised application cannot accesss WCF services using GMSA, when Hyper-v isolation is enabled.

Occasional Visitor

Hello,

 

We have a interesting problem with insider build 17744, based on the release notes the bug that prevented using gMSAs with Hyper-V isolated containers has been resolved.

 

We as such we are trying to prove this with one of our containerised applications. Below is a run down of the test setup.

 

Host: Windows Server insider build: 17744.1001

Container Image Based on : mcr.microsoft.com/windowsservercore-insider:10.0.17744.1001

 

Both tests use the same image, the only difference is the failing container has hyperv isolation

 

Scenario 1 - this works perfectly(No isolation).

 

 

docker run -d -t --network tlan --ip x.x.x.x --security-opt "credentialspec=file://Test_GMSA.json" -v C:\clogs:c:\logs  -h BaseLine --name BaseLine -e classification=SML x.x.x.x:xxxx/XXX

 

Scenario  - this fails (With HyperV isolation).

docker run -d -t --network tlan --ip x.x.x.x --security-opt "credentialspec=file://Test_GMSA.json" -v C:\clogs:c:\logs  -h HViso --name HViso -e classification=SML --isolation=hyperv x.x.x.x:xxxx/XXX

 

Notes

  1. SQL access works fine for both tests.
  2. Calling a WCF service that's configured to use widows auth fails in the scond scenario with the error below.

System.ServiceModel.Security.SecurityNegotiationException: The server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: The server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed   --- End of inner exception stack trace ---   at System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult)   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)   at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)   at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)   

 

Any ideas as to what could be the issue when accessing WCF services with hyperV isolation and GMS's?

Thank

 

 

0 Replies