gMSA | fun code for dealing with AD Group Managed Service Accounts | TCP library

Setup: We have setup on our windows VM (on-premises) to run docker (windows container) + gMSA / service account for our ASP.NET Core 5 API - internally running on Kestrel with .AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate(); (NOT IIS). It authenticates well as the configured service account e.g. against MSSQL or the File Server. If I open up any protected endpoint its using my windows credentials or is asking me (if not on a domain joined computer). The user test endpoint return the windows users claims.

This just the API which works fine!

Issue: The "issue" is, that our VueJS application is running in a docker container (linux containers) on a linux host - inside hosted via nginx. Same network. After opening the UI the first time (without having opened the API) no authentication request is happening. The interesting part is: After opening the API the first time and entering windows credentials and then opening the UI works and shows the use/claims (which we return from the backend).

In the frontend we are using axios with withCredentials: true.

Question: What must be done to enable the UI to negotiate the windows login?

I'm currently trying to make some improvements to some old (and soon to be phased out) infrastructure in preperation for a move to .NET core. We have a small feedback form which writes into a SQL table using SQLOLEDB connection strings. These strings works fine with a username/password defined in cleartext though I am looking to move away from this method in favour of integrated authentication.

I have done a lot of work to get to where I am:

1. Built a docker container based on IIS with ASP features installed.
2. Running the container in a swarm on a Windows host - joined to our AD domain.
3. Setup gMSAs in order to provide domain account access to the database.

At present, I've ran through all the steps in MS' gMSA on Windows Containers guide (https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts). The tests check out, I'm able to run all the tests in https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-troubleshooting#check-the-container with no issues, however when I try to connect using my connection string, I receive an error in my logs showing:

I am trying to create a task on windows 2016 server, and need to deploy gMSA account as the log on account and below is the script i am using, i need to ensure that the option- "Run whether user is logged or not" gets selected,what change should be made to below code?

We have a PowerShell script that will enumerate the members of a specified AD group and then will create a text file with login ID and Name. The script will when create an email to Managers informing them of the membership of the AD Groups that manage there application/service. The issue we are having is with the following line:

For a POC for using AD on the google cloud with kuberenetes, I created a managed active directory, as is described in this link.

To add a gMSA account for the AD, I looked at this documentation. It looks like I should use the New-ADServiceAccount command from the AD VM. However, when looking at the domain I've created on pantheon , I couldn't find the VM it is on. The interface does not give me any clues as to how I could add users, or do anything with the domain.

Any help will be appreciated. Thank you,

I need to setup a windows authentication in Kubernetes. And to configure GMSA in K8s for pods and containers in windows, I came across this link:-(https://kubernetes.io/docs/tasks/configure-pod-container/configure-gmsa/).

This documentation has a step which confirms to “Install Webhooks to validate GMSA users”. To follow this step a linux/unix script is asked to execute which generates certificates, private key and other values and substitue in YAML file which is further executed on a Kubernetes cluster. As mentioned in a screenshot below (part of mentioned link)

Now I have a Kubectl client installed on Windows machine and even all images created and deployed on windows container running on windows server 2019 only.

I cannot execute this unix/linux script to create Webhook from windows machine. Is there any other way to achieve this step.

Thanks