3

I have an ASP.NET Core application with a backend that uses Microsoft SQL Server running on Windows Server. This application was running on a Windows VM beforehand and we are moving to having it run in a container in OpenShift.

The application connects to SQL Server using integrated security with an Active Directory service account. If I pass in username and password in the connection string, will that just work?

I also found this article about using Kerberos to set this up (https://www.codeproject.com/Articles/1272546/Authenticate-NET-Core-Client-of-SQL-Server-with-In), but I am not sure it's a great pattern. I would appreciate any assistance.

EDIT: Sorry for not clarifying - it is a Linux container.

2
  • "a container in OpenShift" is too broad. What is the base of your container? Windows or Linux? Commented Sep 19, 2019 at 20:39
  • My apologies, it is a Linux container. Commented Sep 20, 2019 at 13:15

2 Answers

2

So I think I basically figured this out and just wanted to share what I found. In .NET Core 2.x it is possible to have an application in a Linux container that is communicating with Microsoft SQL Server with integrated security, but it requires some Kerberos configuration and even more than that, a sidecar running a script to regularly renew both the Kerberos tickets and keytab files. I'm not a huge fan of this implementation, but it's discussed in the link in my original question. However, it does look like native support is expected in .NET Core 3.0. So I may be delaying this migration until 3.0 is out to make it easier on myself. A whole discussion around this is documented much better than I could put it right here: https://github.com/aspnet/AspNetCore/issues/4662

Thanks to all who commented - I appreciate your input.

EDIT: .NET Core 3.0 is out! Implementation of Windows Authentication can be found here: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.0&tabs=visual-studio

EDIT2: I ended up being pulled in a different direction unfortunately and was unable to finish implementing this. The above link may not be useful in actually getting integrated security to work with SQL Server.


3 Comments

Does this work for anyone? @josef can you give a little more detailed explanation?
@Josef H., how were you able to connect to SQL using Integration Security from an AKS Linux container? I am having the same issue but it is not clear to me how the article "Windows Authentication" that you posted helps. Thank You,
I unfortunately ended up being pulled in different directions in my work and have indefinitely put this project on the back burner. I didn't end up finishing implementing the authentication I wanted. I will update the comment to reflect that I was not able to get this to a fully working state.
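
The sidecar ticket renewal that the first answer describes, as an added example that is not part of the original post or the linked article: a shell loop that refreshes a shared credential cache from a keytab and refuses a keytab that group or others can access. It assumes MIT Kerberos `kinit`/`klist` in the sidecar image; the keytab path, principal, cache path and interval are placeholders.

```shell
#!/bin/sh
# Added example: sidecar that keeps a Kerberos ticket cache fresh from a keytab.
# Assumes MIT Kerberos kinit/klist; every path and the principal are placeholders.
KEYTAB="${KEYTAB:-/etc/krb5/app.keytab}"        # mounted from a Secret (assumed)
PRINCIPAL="${PRINCIPAL:-svc_app@EXAMPLE.COM}"   # AD service account (placeholder)
CCACHE="${CCACHE:-/krb5cc/ccache}"              # volume shared with the app container
RENEW_INTERVAL="${RENEW_INTERVAL:-3600}"        # seconds; keep well under ticket lifetime

# A keytab is a password equivalent: reject it if group or others have any access.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -L -c '%a' "$1") || return 1    # -L: follow Secret-volume symlinks
    case "$mode" in
        *00) return 0 ;;                        # e.g. 600 or 400
        *)   return 1 ;;                        # e.g. 640 or 644
    esac
}

# Get a fresh TGT into the shared cache. Returns 2 (bad keytab), 3 (kinit), 4 (klist).
renew_once() {
    export KRB5CCNAME="FILE:$CCACHE"            # the app container must use the same value
    if ! keytab_mode_ok "$KEYTAB"; then
        echo "refusing keytab $KEYTAB: missing or too permissive" >&2
        return 2
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 3
    klist -s || return 4                        # -s: silent, exit 0 only if cache is valid
}

renew_loop() {
    while :; do
        renew_once || echo "renewal failed with status $? at $(date -u +%FT%TZ)" >&2
        sleep "$RENEW_INTERVAL"
    done
}

# Start the loop only when asked, so the functions can be sourced and tested.
if [ "${RUN_SIDECAR:-0}" = "1" ]; then renew_loop; fi
```

Run it with `RUN_SIDECAR=1` in the sidecar; a failed renewal is logged and retried on the next interval rather than ending the loop.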
1

If you are using a Windows container, which I suppose you are, the current user is not what you are expecting. When you run the container, unless you added users to that particular container, you will find the user is a "container user" created for that purpose. Hence, connecting with Integrated Security won't work.

Connect to the container in a shell and check yourself:

docker exec -it [yourrunningcontainer] cmd

C:\somefolder>echo %username%

Will output "ContainerUser"

It is possible to create users inside of a container, but for sure they will not belong to your Active Directory, and sincerely, I don't see a simple way to install a lot of things to fake it from the container (your user in an AD context is not easy to "fake"; in fact, it is very hard, and I don't know a method that is not a very huge hack to do it).

There is a way to connect with a different user, but you will be referring to the container user by id. Again, there is not an easy way to impersonate an Active Directory user, which I imagine is what you are trying to do.

3 Comments

Sorry for not clarifying - this is actually a Linux container. Thank you for the comment though.
Linux containers will not behave so differently. You can create users inside of the container, but these users will not be network users. I am trying to think of a way you can overcome this.
Thank you for all of your input again. I put an additional answer down below that I was able to come to based on a long thread I finally found in the aspnetcore GitHub project if you're curious to check it out.
