6

Is it possible to logon to, for example, a SQL server database using a domain account from a windows server container (either hyper-v or regular container)? As I understand you can't domain join the container itself (neither server Core nor server Nano base image). Does it matter if the host is domain joined?

Thomas
  • 469
  • 6
  • 16
  • 1
    Why the downvote to a question that concerns all .NET developers that would like to use SQL Server from an image? – Panagiotis Kanavos Oct 31 '16 at 10:01
  • 1
    It doesn't matter whether the machine is joined to a domain. What matters is whether SQL Server can interrogate the user's domain to validate the Windows logon. This requires *at least* openiing specific ports and using a service account that can talk to the user domain. That's similar to accessing databases in a DMZ from an intranet. – Panagiotis Kanavos Oct 31 '16 at 10:06
  • Why I ask I because our applications (Asp applications hosted in a server) are using both SQL Server and Websphere MQ today where a service account (domain account) is used for authentication. Let's say we use the same server as container hoat, will the app in the container be able to authenticate to SQL server and WMQ? I don't understand if he container has to be domain joined for this or not. – Thomas Nov 02 '16 at 17:55

2 Answers2

1

For those that really need domain authentication in SQL Server containers, There is a solution from Windocks that has domain authentication by default. The SQL Server containers use the domain accounts specified in the default instance in each container. So if you had an account named \ that had access to the default SQL Server instance, then will also have access to the container. Sa specific to each container is also available. See the Windocks site about Docker SQL Server containers for more information.

rameshpa
  • 555
  • 5
  • 5
  • 1
    Is @rameshpa the same person as: "Ramesh Parameswaran - Founder and CEO - Ramesh is the founder and chief technical architect of Windocks."? https://windocks.com/lps/about – derekbaker783 Nov 27 '20 at 20:34
0

As you can read in the Windows Container Forum it is currently not possible to let a container join a Domain. As they point out, there should be a way in the future to allow a service to authenticate againt another service within the domain. But there are no more details about it. (Okt 2016)

lanwin
  • 540
  • 4
  • 6
  • 1
    The link actually mentions that you *can* use managed service accounts from a domain. This may be enough to allow SQL Server's service account to authenticate domain credentials – Panagiotis Kanavos Oct 31 '16 at 10:12
  • I will try this tomorrow in a Server Core container image. I will let you know if it works. – Thomas Nov 02 '16 at 17:57
  • When I tried using a sevice account (domain account) SQL Server just says "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.". Regular SQL Server account works. – Thomas Nov 03 '16 at 09:15
  • 1
    @Thomas this is a very recent update to that topic: http://stackoverflow.com/a/40444548/5273580 – Falco Alexander Nov 12 '16 at 09:59