How to configure a gMSA for Windows containers

How a group Managed Service Account works

A group Managed Service Account (gMSA) is often used to provide secure connections between two endpoints. Two endpoints can easily communicate with one another with the help of secrets provided by the gMSA. The overall idea is to run the service or application under the gMSA so it can access the required resources or connect to other systems using gMSA credentials. You must run Windows Server 2012 or later domain controllers to provide gMSA support to Windows containers.

Technically, gMSA implements a CredentialSpec process, which gMSA passes to the Windows container at boot time. Any process inside the container that uses local or network service accounts uses gMSA credentials. When an application inside the container must communicate with an application that is domain-joined, it uses gMSA credentials. The gMSA must have access to the file shares and data that application is meant to access.

Steps to configure a gMSA for Windows containers

It takes less than a minute to configure a gMSA to use for Windows containers, but you must properly execute the PowerShell commands below to generate a CredentialSpec file to use with Windows containers. Here are the steps:

Step 1: Create a gMSA in Active Directory

Your first step is to create a gMSA in Active Directory and then give the domain-joined Windows Container host access to the gMSA. Below is an example of how to create a gMSA using PowerShell:

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-20));
New-ADServiceAccount -Name MyContAcc -DNSHostName app1.TechTarget.local -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers", "domain admins", -KerberosEncryptionType RC4, AES128, AES256

The PowerShell commands above configure a MyContAcc gMSA that the Windows container applications will use.

Step 2: Configure permissions for the gMSA

Make sure you provide the appropriate level of permissions so the gMSA can access the required resources for the Windows container application. For example, if an application requires access to file shares or databases, make sure to configure access for the gMSA on the computers hosting those resources.

Step 3: Install the gMSA on the container host machine

To do this, execute the PowerShell commands below on the Windows container host machine:

Get-ADServiceAccount -Identity MyContAcc
Install-ADServiceAccount -Identity MyContAcc

Step 4: Add SPN to avoid login prompts

Add a server principal name (SPN) in Active Directory to avoid login prompts in browsers. You can add an SPN for the gMSA by using adsiedit.msc.

Step 5: Generate a JSON file

You must generate a CredentialSpec file to pass to the container during startup. Please execute the PowerShell commands below, which generate a file that enables Active Directory authentication for Windows containers:

Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1" -UseBasicParsing -OutFile $env:TEMP\AppCred.psm1
Import-Module $env:temp\AppCred.psm1
New-CredentialSpec -Name win -AccountName MyContAcc

Once you execute the above PowerShell commands, the system generates a file in JSON format that you can use to start the container.

Step 6: Start the container with the CredentialSpec file

Finally, you must start the container with the CredentialSpec file, as shown in the command below:

docker run -d -p 8080:80 -h MyContAcc -security-opt "credentialspec=file://AppCred.json"

After you launch the Windows container, the application services running inside the container use the MyContAcc gMSA credentials.