Using Windows Authentication with Linux Containers on Amazon ECS


Windows Authentication is the preferred approach for clients and applications connecting to SQL Server databases; however, this method can present challenges when managing containerized workloads. Typically, clients using Windows Authentication are part of the same domain as the SQL Server database. Since individual containers are transient by nature, enrolling them in a domain is often impractical.

This article outlines how to set up a Linux container on Amazon Elastic Container Service (Amazon ECS) to connect to a SQL Server database utilizing Windows Authentication, all without requiring the container to join a domain. While the example employs AWS Fargate to run the containers, this solution can be adapted for different container runtimes or orchestration platforms with minor adjustments.

Overview

The example utilizes a managed Active Directory within AWS Directory Service for Microsoft Active Directory. You will create a user in Active Directory, granting them access to a SQL Server database integrated with the directory and hosted in Amazon Relational Database Service (Amazon RDS). The credentials for this directory user will be securely stored in AWS Secrets Manager.

Subsequently, you will deploy an ECS service that includes a Fargate task featuring two containers. One container executes a script that retrieves the directory user’s credentials from Secrets Manager and generates a Kerberos ticket by authenticating against Active Directory. This ticket renewal “sidecar” container saves the Kerberos ticket in Fargate task storage, a temporary storage volume accessible by all containers within the Fargate task. The second container hosts a web application that retrieves the Kerberos ticket from Fargate task storage and connects to the database using Windows Authentication.
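The sidecar loop described above, as an added illustration rather than the sample repository's own script. It assumes (none of this is stated on the page) that the Secrets Manager secret is a JSON object with "username" and "password" fields, that the shared task volume is mounted at /var/run/krb5, and that the MIT krb5 client tools are installed in the image; the realm is the article's domain name upper-cased, per Kerberos convention.

```python
"""Kerberos ticket renewal sidecar (hypothetical example, not the sample repo's code)."""
import json
import os
import subprocess
import time

# Realm derived from the article's domain directory.ecs-kerberos-sample.com (upper-cased).
REALM = "DIRECTORY.ECS-KERBEROS-SAMPLE.COM"
# Ticket cache on the shared Fargate task volume; the web container sets the same KRB5CCNAME.
CCACHE = os.environ.get("KRB5CCNAME", "/var/run/krb5/krb5cc")  # assumed mount path
RENEW_INTERVAL = int(os.environ.get("RENEW_INTERVAL_SECONDS", "3600"))


def parse_secret(secret_string):
    """Return (username, password) from the SecretString payload; fail closed on missing fields."""
    data = json.loads(secret_string)  # assumed JSON layout: {"username": ..., "password": ...}
    try:
        return data["username"], data["password"]
    except KeyError as exc:
        raise ValueError(f"secret is missing field {exc}") from None


def principal(username, realm=REALM):
    """Build user@REALM, tolerating DOMAIN\\user or user@domain forms from Windows-style configs."""
    user = username.split("\\")[-1].split("@")[0]
    return f"{user}@{realm}"


def kinit_command(user_principal, ccache=CCACHE):
    """kinit argv; the password is piped on stdin so it never appears in argv or on disk."""
    return ["kinit", "-c", ccache, user_principal]


def fetch_credentials(secret_id):
    import boto3  # imported lazily so the pure helpers above stay testable offline
    resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    return parse_secret(resp["SecretString"])


def renew_forever(secret_id):
    """Re-authenticate on a fixed interval (fresh TGT each time, no renewable-lifetime ceiling)."""
    while True:
        username, password = fetch_credentials(secret_id)
        subprocess.run(kinit_command(principal(username)), input=password + "\n",
                       text=True, check=True)
        subprocess.run(["klist", "-c", CCACHE], check=False)  # log ticket expiry to the task logs
        time.sleep(RENEW_INTERVAL)


if __name__ == "__main__":
    renew_forever(os.environ["SECRET_ID"])
```

The web container only needs KRB5CCNAME pointed at the same cache file; it never sees the password.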

Solution

The sample code leverages the AWS Cloud Development Kit (CDK) to provision cloud resources via TypeScript. The CDK also supports other programming languages like JavaScript, Python, Java, and C#.

The deployment process involves:

  1. Setting up the networking infrastructure, Active Directory, and ECS cluster.
  2. Deploying the database in Amazon RDS and configuring it for Active Directory authentication.
  3. Creating Docker container images for the web application and Kerberos renewal sidecar, then pushing them to repositories in Amazon Elastic Container Registry (Amazon ECR).
  4. Establishing an ECS service with a Fargate task that includes both containers.

The code for this solution can be found on GitHub.

Prerequisites

Before beginning this tutorial, ensure you have the following:

  • An AWS account.
  • Completion of the AWS CDK getting started guide, including CDK installation and understanding key concepts.
  • The AWS CLI installed and AWS credentials configured for command-line use.
  • An Amazon EC2 key pair created and its name noted.
  • The public IP address of the machine that will deploy the resources.
  • A Microsoft Remote Desktop (RDP) client installed.
  • The latest version of the Docker runtime installed.

Solution Overview

Begin by creating a directory for the solution. Clone the Git repository from GitHub into the solution directory.

The solution consists of two CDK applications: one for shared resources and another for the website. The dependencies between the CDK applications are minimal, allowing for a microservices architecture, where each microservice is defined independently yet shares the same ECS cluster. The shared resource CDK app is located in the solution directory under /cdk, while the website CDK app resides under /web-site/cdk.

The Kerberos ticket renewal sidecar container is found in the solution directory under /kerberos-renewal-sidecar. This container is not deployed separately but is included in the website CDK app.

Deploy Shared Resources

The shared resources script will create a new Active Directory. Open a command prompt in the solution directory and run the following commands:

export CDK_DEFAULT_ACCOUNT=AWS_ACCOUNT_ID
export CDK_DEFAULT_REGION=AWS_REGION
cd SOLUTION_DIRECTORY/cdk
npm install
cdk bootstrap
cdk deploy --parameters keyPairName=KEY_PAIR_NAME

Replace the upper-case placeholders (AWS_ACCOUNT_ID, AWS_REGION, SOLUTION_DIRECTORY, KEY_PAIR_NAME) with your own values. AWS_ACCOUNT_ID is your numeric AWS account ID, and AWS_REGION is the identifier of the region to deploy into, such as us-east-1 or eu-west-2.

The new directory’s domain name will be directory.ecs-kerberos-sample.com. If you modify the domain name in the CDK script, ensure to use the updated name in all future commands and configurations.

The CDK output will include:

  • The Directory ID of the new Active Directory.
  • The Security Group ID of the security group controlling access to an EC2 instance for Active Directory configuration.
  • The Amazon Resource Name (ARN) uniquely identifying the AWS Secrets Manager secret containing the Active Directory admin user password.

Make sure to save all these outputs for later use.

Grant Access to the EC2 Instance

The CDK script creates an EC2 instance for Active Directory configuration, but it currently blocks incoming connections due to the absence of a Security Group rule allowing access.

To add a rule to the EC2 instance’s Security Group, you can use the EC2 page in the AWS Management Console or the AWS CLI. With the CLI, first obtain your public IP address from checkip.amazonaws.com, then run the following commands to update the security group:

AWS_IP_ADDRESS=$(curl checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress --protocol tcp --port 3389 --cidr "$AWS_IP_ADDRESS/32" --group-id DIRECTORY_MANAGEMENT_INSTANCE_SECURITY_GROUP_ID

Retrieve the Active Directory Admin Password

The CDK script saves the password for the Active Directory admin user in AWS Secrets Manager. You’ll need this password for a later step. Execute the following command to retrieve it:

aws secretsmanager get-secret-value --secret-id /ecs-kerberos-sample/active-directory-administrator-password

The admin password is in the SecretString field of the command’s output. Copy it for later use.

Check VPC DHCP Options Set

The CDK application has deployed a DHCP Options Set that uses the Active Directory’s DNS servers for all resources within the VPC. You can verify this using the AWS Management Console or the following commands:

DHCP_OPTIONS_ID=$(aws ec2 describe-vpcs --filters Name="tag:Name",Values="ecs-kerberos-stack/vpc" --output text --query 'Vpcs[*].DhcpOptionsId')
aws ec2 describe-dhcp-options --dhcp-options-ids $DHCP_OPTIONS_ID --output yaml

Take note of the domain-name-servers values, which should correspond with the directory’s DNS addresses in the console.

Deploy the Database

The sample application consists of two containers and a database. Begin by deploying the database, followed by configuring the application code for connectivity.

In the command prompt, execute the following commands:

cd SOLUTION_DIRECTORY/web-site/cdk
cdk deploy ecs-kerberos-sample--web-database-stack

