Josef H.

Reputation: 103

How to connect from ASP.NET Core application running in a container to SQL Server on Windows Server with Integrated Security

I have an ASP.NET Core application with a backend that uses Microsoft SQL Server running on Windows Server. This application was running on a Windows VM beforehand and we are moving to having it run in a container in OpenShift.

The application connects to SQL Server using integrated security with an Active Directory service account. If I pass in username and password in the connection string, will that just work?

I also found this article about using Kerberos to set this up (https://www.codeproject.com/Articles/1272546/Authenticate-NET-Core-Client-of-SQL-Server-with-In), but I am not sure it's a great pattern. I would appreciate any assistance.

EDIT: Sorry for not clarifying - it is a Linux container.

Upvotes: 3

Views: 4528

Answers (2)

Josef H.

Reputation: 103

So I think I basically figured this out and just wanted to share what I found. In .NET Core 2.x it is possible to have an application in a Linux container that is communicating with Microsoft SQL Server with integrated security, but it requires some Kerberos configuration and even more than that, a sidecar running a script to regularly renew both the Kerberos tickets and keytab files. I'm not a huge fan of this implementation, but it's discussed in the link in my original question. However, it does look like native support is expected in .NET Core 3.0. So I may be delaying this migration until 3.0 is out to make it easier on myself. A whole discussion around this is documented much better than I could put it right here: https://github.com/aspnet/AspNetCore/issues/4662

Thanks to all who commented - I appreciate your input.

EDIT: .NET Core 3.0 is out! Implementation of Windows Authentication can be found here: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.0&tabs=visual-studio

EDIT2: I ended up being pulled in a different direction unfortunately and was unable to finish implementing this. The above link may not be useful in actually getting integrated security to work with SQL Server.

Upvotes: 2
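
The ticket-refresh half of the sidecar approach this answer mentions, as an added example (not code from the answer, the linked article or any project). It assumes MIT Kerberos `kinit`/`klist` in the sidecar image and a credential cache on a volume shared with the application container; the principal, paths and interval are placeholders, and keytab regeneration is not covered.

```shell
#!/bin/sh
# Added example: Kerberos ticket-refresh sidecar. All defaults are placeholders.
PRINCIPAL="${PRINCIPAL:-svc-app@EXAMPLE.COM}"        # hypothetical AD service account
KEYTAB="${KEYTAB:-/krb5/svc-app.keytab}"             # hypothetical mounted secret
KRB5CCNAME="${KRB5CCNAME:-FILE:/krb5cc/krb5cc_app}"  # cache on a volume shared with the app
REFRESH_SECS="${REFRESH_SECS:-3600}"
export KRB5CCNAME

# A keytab holds the account's long-term keys, so treat it like a password:
# refuse one that is missing or accessible to group/other.
keytab_ok() {
    [ -r "$1" ] || { echo "keytab $1 missing or unreadable" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "keytab $1 has group/other access ($perms)" >&2; return 1; }
}

# Get a fresh TGT from the keytab, then confirm the cache is actually usable.
# Return codes: 2 = keytab rejected, 3 = kinit failed, 4 = cache invalid.
refresh_ticket() {
    keytab_ok "$KEYTAB" || return 2
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || { echo "kinit failed for $PRINCIPAL" >&2; return 3; }
    klist -s || { echo "cache $KRB5CCNAME invalid after kinit" >&2; return 4; }
}

# Retry sooner after a failure so a short KDC outage does not leave the
# application with an expired ticket for a whole refresh interval.
run_loop() {
    while :; do
        if refresh_ticket; then sleep "$REFRESH_SECS"; else sleep 60; fi
    done
}

# Start the loop only when asked, e.g. as the sidecar's command: renew.sh --loop
if [ "${1:-}" = "--loop" ]; then
    run_loop
fi
```

The application container then points `KRB5CCNAME` at the same cache file and uses `Integrated Security=true` in its connection string.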

Max Rios

Reputation: 2256

If you are using a Windows container, which I suppose you are, the current user is not what you are expecting. When you run the container, unless you added users to that particular container, you will find the user is a "container user" created for that purpose. Hence, connecting with Integrated Security won't work.

Connect to the container in a shell and check for yourself:

docker exec -it [yourrunningcontainer] cmd

C:\somefolder>echo %username%

Will output "ContainerUser"

It is possible to create users inside of a container, but for sure they will not belong to your Active Directory and, sincerely, I don't see a simple way to install a lot of things to fake it from the container (your user in an AD context is not easy to "fake"; in fact, it is very hard, and I don't know a method to do it that is not a very huge hack).

There is a way to connect with a different user, but you will be referring to the container user by id. Again, there is not an easy way to impersonate an Active Directory user, which I imagine is what you are trying to do.

Upvotes: 1
