Containers and Integrated Windows Authentication
Authenticating to Microsoft SQL Server from a Linux container using Integrated Windows Authentication.
Authenticating to Microsoft SQL Server from a Linux container using Integrated Windows Authentication is a rather interesting challenge. In this post I'll show you how to configure a container to successfully authenticate to Microsoft SQL Server using a Kerberos ticket.
TL;DR Look at the Straypaper GitHub Repository with instructions on how to run the example.
Andi Kleinbichler's article provides a great starting solution to solve the authentication issue. After much searching and trial-and-error it became evident that a sidecar container was the better way to go as explained in this article by RedHat.
Problem
Authenticating a .NET or .NET Core application, running in a Linux-based container, to a Microsoft SQL Server using Integrated Windows Authentication.
As the application container is not domain-joined the application does not execute in the context of a domain service account. Therefore, it cannot authenticate to SQL Server using Integrated Windows Authentication. However, there is a solution using Kerberos.
Solution
Create a sidecar container to handle the authentication and renewal of the Kerberos tickets.
The following components make up the solution most notably the Kerberos-Sidecar, viz.,
- An application container that contains and runs the .NET application to connect to the MS SQL Server
- A Kerberos-Sidecar container that renews the Kerberos ticket on a specified interval
- An MS SQL Server that requires Integrated Windows Authentication, and
- An Active Directory.
- A Shared Volume between the Application Container and the Kerberos-Sidecar container which shares the Kerberos Ticket with the Application Container.
Process
Initially, the solution must be primed with long-term keys for the principal in the form of a keytab file. This keytab file is stored in Docker Swarm as a secret and is used to authenticate to the Key Distribution Center (KDC). Once the principal has been authenticated to the KDC a Ticket Granting Ticket (TGT) is issued and stored on the client. This TGT is used to request other tickets from the Ticket-Granting Service (TGS) which in this case to obtain a session ticket to access the MS SQL Server.
The Kerberos-Sidecar container uses the keytab file to authenticate to the KDC and uses the TGT to obtain a session ticket on behalf of the principal. This session ticket is then stored in the client cache and is shared with the application container via the shared volume.
Example
An example repository is available in this Straypaper GitHub Repository with instructions on how to run the example.