Containers and Integrated Windows Authentication

Authenticating to Microsoft SQL Server from a Linux container using Integrated Windows Authentication.

Authenticating to Microsoft SQL Server from a Linux container using Integrated Windows Authentication is a rather interesting challenge. In this post I'll show you how to configure a container to successfully authenticate to Microsoft SQL Server using a Kerberos ticket.

TL;DR: See the Straypaper GitHub Repository for instructions on how to run the example.

Andi Kleinbichler's article provides a great starting point for solving the authentication issue. After much searching and trial and error, it became evident that a sidecar container was the better way to go, as explained in this article by Red Hat.

Problem

Authenticating a .NET or .NET Core application, running in a Linux-based container, to a Microsoft SQL Server using Integrated Windows Authentication.

As the application container is not domain-joined, the application does not execute in the context of a domain service account. Therefore, it cannot authenticate to SQL Server using Integrated Windows Authentication. However, there is a solution using Kerberos.

Solution

Create a sidecar container to handle the authentication and renewal of the Kerberos tickets.

The solution is made up of the following components, most notably the Kerberos-Sidecar:

  1. An application container that contains and runs the .NET application that connects to the MS SQL Server.
  2. A Kerberos-Sidecar container that renews the Kerberos ticket on a specified interval.
  3. An MS SQL Server that requires Integrated Windows Authentication.
  4. An Active Directory.
  5. A shared volume between the application container and the Kerberos-Sidecar container, which shares the Kerberos ticket with the application container.

Process

Initially, the solution must be primed with long-term keys for the principal in the form of a keytab file. This keytab file is stored in Docker Swarm as a secret and is used to authenticate to the Key Distribution Center (KDC). Once the principal has been authenticated to the KDC, a Ticket Granting Ticket (TGT) is issued and stored on the client. This TGT is used to request other tickets from the Ticket-Granting Service (TGS), in this case to obtain a session ticket to access the MS SQL Server.

The Kerberos-Sidecar container uses the keytab file to authenticate to the KDC and uses the TGT to obtain a session ticket on behalf of the principal. This session ticket is then stored in the client cache and is shared with the application container via the shared volume.
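The renewal step described above could look like the following sketch. It is an added example, not the script from the Straypaper repository; the secret path, principal, shared-volume path and interval are assumed placeholders, and it assumes both containers run as the same UID.

```shell
#!/bin/sh
# Kerberos sidecar renewal loop (added example; all names below are assumed).
KEYTAB="${KEYTAB:-/run/secrets/app.keytab}"     # Docker Swarm secret mount (assumed name)
PRINCIPAL="${PRINCIPAL:-svc-app@EXAMPLE.COM}"   # constructed principal
CCACHE_DIR="${CCACHE_DIR:-/krb5cc}"             # shared volume mount point (assumed path)
CCACHE="${CCACHE:-$CCACHE_DIR/krb5cc}"          # cache file the application reads
INTERVAL="${INTERVAL:-3600}"                    # seconds between renewals
KINIT="${KINIT:-kinit}"                         # MIT Kerberos kinit

# The keytab holds the principal's long-term keys, so refuse one that
# group or other can read (Swarm secrets default to mode 0444).
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Obtain a fresh TGT into a temporary cache in the same directory, then
# rename it into place so the application never opens a half-written file.
# A FILE: cache is used because keyring caches cannot cross containers.
renew_once() {
    keytab_is_private "$KEYTAB" || { echo "keytab missing or too permissive" >&2; return 1; }
    tmp="$CCACHE.tmp.$$"
    if "$KINIT" -k -t "$KEYTAB" -c "FILE:$tmp" "$PRINCIPAL"; then
        chmod 600 "$tmp" && mv -f "$tmp" "$CCACHE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# On failure, keep the last good cache and retry at the next interval.
main() {
    while :; do
        renew_once || echo "renewal failed; keeping existing cache" >&2
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: sidecar.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The application container points `KRB5CCNAME` at the same file on the shared volume (here `FILE:/krb5cc/krb5cc`), and the secret needs `mode: 0400` in the stack file for the keytab check to pass.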

Example

A working example is available in the Straypaper GitHub Repository, with instructions on how to run it.

References

  1. ahmetgurbuz1/kerberos-sidecar: krb5-sidecar (github.com)
  2. Kerberos Sidecar Container (redhat.com)
  3. RFC 4120 - The Kerberos Network Authentication Service (V5) (ietf.org)