我想使用 Windows 身份验证来访问托管在 Windows 容器中的 ASP.NET 应用程序(在 Windows Server 2016 TP4 中)。为此,我认为我需要将容器添加到 Active Directory 域。是否可以将 Windows 容器(或 Hyper-V 容器)添加到域中? Microsoft 对此没有明确的文档,我自己尝试使用 PowerShell 将容器添加到域,但没有运气。
如果不支持加入容器的域,是否有其他方法可以在 Windows 或 Hyper-V 容器中托管的 Web 应用程序中启用 Windows 身份验证?
我们将不胜感激。
最佳答案
Microsoft 最近提供了一个容器使用域凭据访问资源的解决方案:group managed service accounts .
Although Windows Containers cannot be domain-joined, they can also take advantage of Active Directory domain identities similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called a group Managed Service Account (gMSA) which was designed to be shared by services.
另外,这里是 a guide that walks through the specific steps in detail ,涵盖以下内容:
Deploying containers with an emulated domain identity is simple, and based around existing workflows using Windows Server and Active Directory.
Deploying this feature requires:
- An existing Active Directory domain, running at Windows Server 2012 or later functional level
- Windows Server 2016 with the Container role and Docker installed. This will be referred to as a Container host. These hosts need to be joined to the domain.
This guide will cover the following steps to deploy a container in detail:
- Create a group Managed Service Account in the Active Directory for each application/service
- Give each container host access to use the group Managed Service Account
- Add configuration files on each container host that store details about the group Managed Service Accounts. These will be referred to as Credential Specs
- Start containers with a parameter telling which credential spec to use
关于asp.net - 托管在 Windows 容器中的应用程序的 Windows 身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34676784/