Docker Community Forums

Windows Authentication Docker?

Hi folks,

I am using ASP.NET Core with Windows authentication. Here is my Dockerfile:

    FROM microsoft/dotnet:2.2-aspnetcore-runtime AS base
    WORKDIR /app
    EXPOSE 80

    FROM microsoft/dotnet:2.2-sdk AS build
    WORKDIR /src
    COPY ["WindowsAuth.csproj", "./"]
    RUN dotnet restore "./WindowsAuth.csproj"
    COPY . .
    WORKDIR "/src/."
    RUN dotnet build "WindowsAuth.csproj" -c Release -o /app

    FROM build AS publish
    RUN dotnet publish "WindowsAuth.csproj" -c Release -o /app

    FROM base AS final
    WORKDIR /app
    COPY --from=publish /app .
    ENTRYPOINT ["dotnet", "WindowsAuth.dll"]

And I have created API Controller:

    [HttpGet("test2")]
    public ActionResult<IEnumerable<string>> GetADUsername2()
    {
        var adUsername = User.Identity.Name.Split('\\').Last();

        return Ok(adUsername);
    }

    // GET: api/values/ADUsername
    [HttpGet("test3")]
    public ActionResult<IEnumerable<string>> GetADUsername3()
    {
        var isAuthenticated = User.Identity.IsAuthenticated.ToString();
        var authenticatType = User.Identity.AuthenticationType;
        var adUsername = User.Identity.Name.Split('\\').Last();

        return new string[] { adUsername, isAuthenticated, authenticatType };
    }

I have set Enable Windows Authentication in the IIS Express launch settings in Visual Studio 2017. It seems OK, but if I build the Docker image and run the container, I am unable to get the username of the logged-in Windows user.

How do I implement ASP.NET Core with Windows authentication in a Docker container?

I am waiting for your response.

Thanks in advance.

Any feedback on this one, or perhaps a workaround?

The ‘gss-ntlmssp’ package is a plug-in for supporting the NTLM protocol for the GSS-API. It supports both the raw NTLM protocol and NTLM being used as the fallback from Kerberos to NTLM when ‘Negotiate’ (SPNEGO protocol) is being used. Ref: https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-SPNG/f377a379-c24f-4a0f-a3eb-0d835389e28a

From reading the discussion above and the image you posted, it appears that the application is trying to actually use NTLM instead of Kerberos. You can tell because the base64-encoded token starts with “T” instead of “Y”.

ASP.NET Core server (Kestrel) does NOT support NTLM server-side on Linux at all. It only provides for ‘Www-Authenticate: Negotiate’ to be sent back to clients. And usually that means that Kerberos would be used. Negotiate can fall back to using NTLM. However, that doesn’t work in ASP.NET Core except in .NET 5 which has not shipped yet.

Are you expecting your application to fall back to NTLM? If not, then perhaps the Kerberos environment is not completely set up. This can be caused by a variety of issues including the SPNs and Linux keytab files not being correct. It can also be caused by the client trying to use a username/password that is not part of the Kerberos realm.
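
The "T" versus "Y" check from the reply above can be scripted when troubleshooting a container. This is an added example, not code from the thread or from ASP.NET Core: it is a Python diagnostic that decodes an `Authorization` header value and reports raw NTLM, Kerberos, or SPNEGO and the mechanisms offered. The function names and sample tokens are constructed for illustration, and the mechanism lookup is a byte-search heuristic, not a full ASN.1 parser.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def _after_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_authorization(header_value):
    """Classify an Authorization header value (hypothetical helper name)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm"                    # base64 text begins with "T"
    if len(token) < 4 or token[0] != 0x60:   # 0x60 encodes to a leading "Y"
        return "unknown"
    mech = token[_after_der_length(token, 1):]
    if mech.startswith((OID_KRB5, OID_MS_KRB5)):
        return "kerberos"
    if not mech.startswith(OID_SPNEGO):
        return "unknown"
    # SPNEGO NegTokenInit: look for the mechanism OIDs the client offers.
    if OID_KRB5 in mech or OID_MS_KRB5 in mech:
        return "spnego-kerberos"
    return "spnego-ntlm" if OID_NTLMSSP in mech else "spnego-other"

def _tlv(tag, body):
    """Encode one short-form DER element (sample bodies stay under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_spnego(*mech_oids):
    """Build a constructed NegTokenInit header offering mech_oids (no mechToken)."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(mech_oids)))
    inner = _tlv(0xA0, _tlv(0x30, mech_types))
    return "Negotiate " + base64.b64encode(_tlv(0x60, OID_SPNEGO + inner)).decode()

# Constructed sample: an NTLM type 1 message with zeroed fields, not captured traffic.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(24)).decode()
```

A result of `raw-ntlm` or `spnego-ntlm` means the client never offered Kerberos, which points at the SPN, keytab or realm problems listed in the reply rather than at the container image.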