.Net ASP.Net Webapp in Container loses Primary Domain Trust randomly after some days runtime
.Net ASP.Net and .Net Core ASP web applications in containers lose primary domain trust randomly after some days of runtime.
All containers use the same gMSA account (credspec file), and the applications authenticate with Kerberos.
After a runtime of about 7 - 14 days, or after a restart of a big bunch of containers (~15), some applications randomly lose primary domain trust.
In the container itself, the domain trust seems to be there:
nltest /parentdomain succeeds
Test-ComputerSecureChannel is also ok
Steps to get the application working again:
Restart the container instance (sometimes a double restart is needed)
Or we restart the netlogon service in the container, then it starts working again!
Steps to reproduce the issue:
Hard to reproduce; when we restart all containers, randomly some of them get the domain trust error.
Describe the results you received:
The web application throws an error on the .net call .IsUserInRole(xxx); it doesn't matter if the code is in Core or full framework, and it is also not .Net version dependent.
Got the following trace:
An unhandled exception has occurred: The trust relationship between this workstation and the primary domain failed
System.ComponentModel.Win32Exception (0x80004005): The trust relationship between this workstation and the primary domain failed
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.WindowsPrincipal.IsInRole(String role)
Describe the results you expected:
Domain trust is stable with gMSA accounts.
Client:
 Version: 18.05.0-ce
 API version: 1.30 (downgraded from 1.37)
 Go version: go1.9.5
 Git commit: f150324
 Built: Wed May 9 22:12:05 2018
 OS/Arch: windows/amd64
 Experimental: false
 Orchestrator: swarm
Server:
 Engine:
  Version: 17.06.2-ee-14
  API version: 1.30 (minimum version 1.24)
  Go version: go1.8.7
  Git commit: 6345dd7
  Built: Thu Jun 21 18:28:51 2018
  OS/Arch: windows/amd64
  Experimental: false

Containers: 21
 Running: 21
 Paused: 0
 Stopped: 0
Images: 23
Server Version: 17.06.2-ee-14
Storage Driver: windowsfilter
 Windows:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd json-file logentries splunk syslog
Swarm: inactive
Default Isolation: process
Kernel Version: 10.0 14393 (14393.2339.amd64fre.rs1_release_inmarket.180611-1502)
Operating System: Windows Server 2016 Standard
OSType: windows
Architecture: x86_64
CPUs: 4
Total Memory: 8GiB
Name: fj-v-docker1
ID: P3GE:EPMA:BCI4:XQTE:XHYN:AG2V:XZ37:627A:HTI3:3O5Y:GKKG:A2WX
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Updated Windows Server 2016 in a VMware cluster; all containers are a mix of .Net Framework and .Net Core containers.
The containers are provisioned with ansible (docker_container module).
All containers have a dedicated IP on a transparent docker network.
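The issue shows that nltest /parentdomain and Test-ComputerSecureChannel report the channel as healthy while the application still fails inside NTAccount.Translate. The probe below is an added example, not code from the issue or from Docker: run inside the Windows container, it exercises the same name-to-SID lookup path that WindowsPrincipal.IsInRole takes, so it reports the failure the trace shows without starting the web app, and it can optionally apply the workaround the reporter describes (restarting Netlogon). The group name CONTOSO\WebAppUsers and the domain contoso.example are placeholders; substitute your own.

```powershell
# Added example (not from the issue): secure-channel probe for a Windows
# container running under a gMSA. Exercises LSA name translation, which is
# the call path behind WindowsPrincipal.IsInRole in the reported trace.
param(
    [string]$GroupName = 'CONTOSO\WebAppUsers',   # placeholder, assumed
    [string]$Domain    = 'contoso.example',       # placeholder, assumed
    [switch]$Repair                               # restart Netlogon on failure
)

$ErrorActionPreference = 'Stop'
# Win32 code ERROR_TRUSTED_RELATIONSHIP_FAILURE, which produces the message
# "The trust relationship between this workstation and the primary domain failed".
$ERROR_TRUSTED_RELATIONSHIP_FAILURE = 1788

function Test-DomainLookup {
    # Translate a domain account name to a SID. This goes through LSA/Netlogon
    # just like WindowsPrincipal.IsInRole(string) does, so it reproduces the
    # application's failure mode independently of the web app.
    param([string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        return [pscustomobject]@{ Ok = $true; Sid = $sid.Value; Error = $null; Win32Code = 0 }
    } catch {
        # PowerShell wraps the .NET exception; unwrap to the innermost one.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $code = -1
        if ($inner -is [System.ComponentModel.Win32Exception]) { $code = $inner.NativeErrorCode }
        return [pscustomobject]@{ Ok = $false; Sid = $null; Error = $inner.Message; Win32Code = $code }
    }
}

# The checks the reporter already ran (both reportedly pass even when the app fails).
$secureChannel = Test-ComputerSecureChannel
$nltestOutput  = & nltest.exe /sc_verify:$Domain 2>&1

# The check that mirrors the failing application call.
$lookup = Test-DomainLookup -Name $GroupName

[pscustomobject]@{
    Time            = Get-Date
    Computer        = $env:COMPUTERNAME
    SecureChannelOk = $secureChannel
    LookupOk        = $lookup.Ok
    Sid             = $lookup.Sid
    LookupError     = $lookup.Error
    Win32Code       = $lookup.Win32Code
} | Format-List

if ($lookup.Ok) { exit 0 }

Write-Warning "Name lookup failed although Test-ComputerSecureChannel returned $secureChannel."
Write-Warning ("nltest /sc_verify output:`n" + ($nltestOutput -join "`n"))
if ($lookup.Win32Code -eq $ERROR_TRUSTED_RELATIONSHIP_FAILURE) {
    Write-Warning 'Error is the primary-domain trust failure seen in the reported stack trace.'
}

if ($Repair) {
    # Workaround described in the issue: restarting Netlogon re-establishes the channel.
    Restart-Service -Name Netlogon -Force
    Start-Sleep -Seconds 5
    $retry = Test-DomainLookup -Name $GroupName
    if ($retry.Ok) {
        Write-Host "Lookup succeeds after Netlogon restart: $($retry.Sid)"
        exit 0
    }
    Write-Warning "Lookup still failing after Netlogon restart: $($retry.Error)"
}

# Non-zero exit lets a Docker HEALTHCHECK mark the container unhealthy.
exit 1
```

Running the probe without -Repair from a HEALTHCHECK (for example `HEALTHCHECK CMD powershell -File C:\probe.ps1`) turns the silent trust loss into an unhealthy container status you can alert on; the Win32Code field distinguishes the trust failure from an unrelated unmapped-name error, which would not be a Win32Exception at all.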
daBONDi:
@Faheemitian do you also have a haproxy reverse proxy in front?