I’m trying to run a WCF service inside a docker container using a binding with security mode
message and client credential type
Windows. Something like:
... <bindings> <wsHttpBinding> <binding name="wsHttpBinding_IService1"> <security mode="Message"> <message clientCredentialType="Windows"/> </security> </binding> </wsHttpBinding> </bindings> ...
I have successfully created and started the container and, thanks to gMSA and a tutorial found here, I can issue SQL commands against a SQL Server 2016 using Windows Authentication from within the service inside the container.
So far so good, but when connecting to the service inside the container with a client running on the docker host machine, I am greeted with the error message:
System.ServiceModel.Security.SecurityNegotiationException: The server has rejected the client credentials
To my understanding this is happening, because the docker container is using its host name (which, after checking it with
docker exec, appears to be some hash value) to ask the domain controller for valid credentials. Since the container isn’t part of the domain (even if it thinks it is thanks to the gMSA) the domain controller denies the request, and the client receives the aforementioned message.
So my questions are: Is this really what’s happening, or did I miss something? Is there any way to make windows authentication work with the above binding or is my approach conceptually flawed? Maybe there is another way to make Windows authentication with WCF inside docker possible?
I have created a similar thread on StackOverflow last week, but didn’t receive any answers. So any help would be much appreciated.