Active directory accounts inside a windows container (server 2016 TP5)

Update: this answer is no longer relevant - was for 2016 TP5. AD support has been added in later releases

Original answer Quick answer - no, containers are not supported as part of AD so you can't use AD accounts to run processes within a container or authenticate with it

This used to be mentioned on the MS Containers site but the original link now redirects.

Original wording (CTP 3 or 4?): "Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."

I don't know if that will change in a later release.

Someone tried to hack around it but with no joy.


There are at least some scenarios where AD-integration in Docker container actually works:

  1. You need to access network resources with AD credentials.
    1. Run cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass> under local identity that needs this access
    2. To apply the same trick to IIS apps without modifying AppPoolIdentity you'll need a simplest .ashx wrapper around cmdkey (Note: you'll have to call this wrapper in run-time, e.g.: during ENTRYPOINT, otherwise network credentials will be mapped to different local identity)
  2. You need to run code under AD user
    1. Impersonate using ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT as suggested
  3. You need transport layer network security, like when making RPC calls (e.g.: MSDTC) to an AD-based resources.
    1. Set up gMSA by using any guide that suites you best. Note however, that gMSA requires Docker host to be in the domain.