I would like to use Windows authentication to access an ASP.NET application, hosted in a Windows Container (in Windows Server 2016 TP4). For this, I presume I need to add the container to the Active Directory domain. Is it at all possible to add a Windows Container (or Hyper-V Container) to a domain? There is no clear documentation from Microsoft on this, and I myself tried adding the container to the domain using PowerShell, but with no luck.
If domain joining a Container is not supported, is there any alternative way to enable Windows Authentication in a web application hosted in a Windows or Hyper-V Container?
Any input will be highly appreciated.
Microsoft recently provided a solution for containers accessing resources using domain credentials: group managed service accounts.
Although Windows Containers cannot be domain-joined, they can also
take advantage of Active Directory domain identities similar to when a
device is realm-joined. With Windows Server 2012 R2 domain
controllers, we introduced a new domain account called a group Managed
Service Account (gMSA) which was designed to be shared by services.
Additionally, here's a guide that walks through the specific steps in detail, covering the following:
Deploying containers with an emulated domain identity is simple, and
based around existing workflows using Windows Server and Active
Directory.
Deploying this feature requires:
- An existing Active Directory domain, running at Windows Server 2012 or later functional level
- Windows Server 2016 with the Container role and Docker installed. This will be referred to as a Container host. These hosts need to be joined to the domain.
This guide will cover the following steps to deploy a container in detail:
1. Create a group Managed Service Account in the Active Directory for each application/service
2. Give each container host access to use the group Managed Service Account
3. Add configuration files on each container host that store details about the group Managed Service Accounts. These will be referred to as Credential Specs
4. Start containers with a parameter telling which credential spec to use
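The four steps above as a PowerShell sketch. This is an added example, not part of the original answer or the quoted guide. The domain contoso.com, the account WebApp01, the group ContainerHosts, the host HOST01 and the REPLACE_WITH_* values are placeholders, and it assumes Microsoft's CredentialSpec helper module is available on the container host.

```powershell
# Added example. contoso.com, WebApp01, ContainerHosts and HOST01 are placeholders.

# --- Step 1: on a domain controller, create the gMSA -----------------------
Import-Module ActiveDirectory

# gMSA passwords are derived from a KDS root key; create one if the forest has none.
# A new key only becomes usable after the replication delay (about 10 hours).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# --- Step 2: allow only the container hosts to retrieve the password --------
# Scope retrieval to a dedicated group rather than "Domain Computers", so that
# only hosts that run this application can act as the account.
New-ADGroup -Name 'ContainerHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'ContainerHosts' -Members 'HOST01$'

New-ADServiceAccount -Name 'WebApp01' `
    -DNSHostName 'webapp01.contoso.com' `
    -ServicePrincipalNames 'http/webapp01.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ContainerHosts'

# --- On each domain-joined container host ------------------------------------
# Reboot the host first so its new group membership is in its Kerberos ticket.
Install-ADServiceAccount -Identity 'WebApp01'
Test-ADServiceAccount -Identity 'WebApp01'   # True when the host can use the account

# --- Step 3: write the credential spec ---------------------------------------
# Assumption: the CredentialSpec helper module is installed on this host.
Import-Module CredentialSpec
New-CredentialSpec -AccountName 'WebApp01'
Get-CredentialSpec                            # shows the name and path of each spec file

# --- Step 4: start the container with that credential spec -------------------
$specFile = 'REPLACE_WITH_SPEC_FILE_NAME.json'   # file name reported by Get-CredentialSpec
$image    = 'REPLACE_WITH_IMAGE'                 # your IIS/ASP.NET image

# On Windows Server 2016 the container hostname must match the gMSA name.
docker run -d --hostname webapp01 `
    --security-opt "credentialspec=file://$specFile" `
    $image
```

The credential spec file holds only account metadata, not the password; the host retrieves the password from Active Directory, which is why the retrieval group membership is the control to audit.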
Extract of the Windows Containers - Work in progress
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
Related
I need some help here. I have a website in ASP.NET and a database on my local machine, and I'm setting up a testing environment so that I can access the site and the database from outside the local network and run tests. I want to set up a server on my Windows 10 machine using IIS to publish the site, and I already know how to publish an ASP.NET site through Visual Studio and IIS Manager. My only issue now is to make it available outside my network. Is there an easier way of doing this than having to buy a domain and a hosting service?
You could create a free azure app:
https://azure.microsoft.com/en-gb/pricing/calculator/#app-service1
You can run a single website (asp.net) without needing to register a domain; it will give you a link that is publicly available on the web.
Whoops, sorry, the database wouldn't be free however the basic version is not expensive. This is in fact what I run for my own test cases.
In order to host at home, you would need to ensure that you had a static IP address and that port 80 was opened to allow traffic in and out.
https://serverfault.com/questions/1058/how-do-i-set-up-a-web-server-out-of-my-home
I have developed a .NET-based web application that uses MATLAB code compiled into DLLs and deployed it on a local server with MATLAB installed. It works well on the local server. However, I want to deploy it on a hosting domain for ease of access, but I don't know of any hosting providers that support MATLAB DLLs working with a web application. Are there any suggestions for such hosting providers, and how should I deploy it on a hosting domain?
PS: On my remote server I had to install MATLAB to run that application when deployed on the IIS server, i.e. with just the MCR installed the application was not working.
I'm doing it for the first time so I don't know much about it.
This paper explains how to put MATLAB on Amazon EC2
Amazon had AMI instances
MATLAB AMI on EC2
The pre-built AMI offerings on Amazon have been depreciated and will no longer be available. You are able to work with Amazon or another cloud service provider to get your own machine instance and use your license there.
To best run MATLAB on a cloud instance, you will need your license configured as a Login Named User (LNU). If you have an Individual or Group license activated as a Standalone Named User, you can configure it as an LNU at https://www.mathworks.com/licensecenter/lnu.
Also on windows azure
You can get any host provider with IaaS and apply the MATLAB LNU license
I have installed IIS server in a Windows Azure virtual machine using an ARM template and also deployed one application. But when I access the DNS name/public IP of my VM, the default IIS server is coming up. I am unable to access my website.
Please give some idea how to access the deployed website using DNS name or public IP.
I am following the below github template for application deployment:
https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-vm-dsc
In case you are using Visual Studio 2012 or higher, you can create PublishProfile and use the Publish feature in order to deploy your Web App to Azure service. Refer to the Build->Publish menu item.
I don't know if your website is reachable on port 80 but you have to setup a VM endpoint if you want your site to be published on another port than the default one.
Hope it helps!
If you're using the sample quickstart "as is" the problem is likely that you're missing the virtual application in the path (it's probably not the best sample). If you're hitting the VM using an URI like this:
http://your-dns-name.westus.cloudapp.azure.com
You need to add the web app path onto the end, e.g.
http://your-dns-name.westus.cloudapp.azure.com/webapplication
You can double check the name of the web application by using IIS Manager on the VM, but I think that should be the default name for that quickstart sample.
We have an Active Directory domain sitting on a networked Azure VM and have a separate Azure WebApp/Website that is running Orchard CMS on the same virtual network.
Do webapps support windows authentication for connecting to Active Directory? If so, how do I go about setting it up in IIS?
No, it's not possible. Windows Authentication is something for on-premise deployments. For Azure Web Sites, Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to set up.
If you still absolutely want to use Windows Auth and host your website on Azure, you can create a Windows VM and host your website there. You then need to join the VM to your AD. To do this, both VMs must be in the same network. So if your VM is on-premise you will need to create a site-to-site VPN.
Yes, you can connect your web app to Azure Active Directory.
The simplest option is Azure Easy Authentication
http://azure.microsoft.com/en-us/documentation/videos/azure-websites-easy-authentication-and-authorization-with-chris-gillum/.
That's a one click way to authenticate your site.
You could set up Active Directory Federation Services for Windows AD, and use SAML or OpenID Connect. It would prompt the user for their Windows credentials.
I have a remote web server that I have full administrator access over, and I want to deploy a website.
When I use Visual Studio's Publish tool, among other things which seem a bit less convenient (FTP etc), I have the option of using either Windows Management Service or Remote Agent Service. All the documentation says is this:
To publish remotely through Remote
Agent Service, use
http://RemoteComputerName. This option
is typically used to deploy a Web
application inside a network (in an
intranet scenario). You must have
appropriate permissions to perform the
deployment on the destination server.
To publish to a hosting site using
Windows Management Service, use the
value that is specified by the hosting
provider. You can typically use just a
server name (HostedRemoteServer) or a
complete URL that includes a server
name, a port number, and the Web
Deploy handler name
(https://HostedRemoteServer:8172/MsDeploy.axd).
The hosting provider can tell you the
name of the server and the port
number, if applicable.
This isn't enough information for me to decide, though. Yeah, I'm not publishing over a network, but I do have full access over the machine I'm deploying to. At the same time, MsDeploy is the big fancy thing that Scott Hanselman describes in his talk and that I've been convinced as being the awesome way to deploy.
So which should I do? Are there any obscure security considerations or anything?
I recommend going the Management Service route. In addition to the msdeploy features, the Management Service feature gives you the ability to remotely administer IIS 7/7.5 from your machine. With all of your IIS servers in one console, you can easily export an application on one machine and import it onto another.
It seems like the most sophisticated msdeploy implementation from a security provisioning perspective and from a configuration perspective. The IIS manager allows you to easily configure details around the endpoint (SSL certificate, port, etc.). Well.. this is true on IIS 7/7.5 on Windows 2008 and R2, but not on Windows Vista or 7. For some strange reason, there is no UI for the Web Management settings on non-server SKU's.
The agent is basically a self-contained web server without any of the user-level permissions capabilities. This is why it requires that the person doing the remote deployment has admin privileges on the target machine. It feels like a simpler, bare metal implementation. Since you've already got IIS serving up HTTP/HTTPS and since IIS' HTTP implementation has kernel-level optimizations, you're not really gaining anything by going the agent route.
If you want to remotely administer Windows 2008 or R2 from Windows Vista/7, install this on your workstation: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32c54c37-7530-4fc0-bd20-177a3e5330b7 ... this was the icing on the cake for me.