Quickly grant access to a user group when starting a NAV container

Quickly grant access to a user group when starting a NAV container

19. Februar 2018

Quickly grant access to a user group when starting a NAV container

As we use Docker containers internally to quickly spin up environments for reproducing bugs, delivering fixes on older releases or quickly test our application, we needed a way to easily grant access to a specific Active Directory user group. When starting a container, we want the following actions to be taken:

Luckily, the official Docker image for NAV makes customization very easy and we can just override the AdditionalSetup.ps1-script and run our custom scripts. You can find these scripts in Tobias‘ GitHub repository.

The setupDevDbAccess.ps1-script just adds a SQL user for the domain user group to the local database if it not already exists. The domain and group name are taken from the environment variables DevDomain and DevGroup.

The script setupDevNavUsers.ps1 uses the ActiveDirectory PowerShell module and therefore installs the corresponding Windows feature. Afterwards it retrieves every single user of the group specified in DevGroup, checks if it already has a NAV user and if not, creates it.

Note that the container needs access to the Active Directory domain for this to work. This can be achieved with the use of gMSAs. Jakub Vanak provided a script in his repository, which shows how to easily create a gMSA.

With the gMSA set up and the use of the folders feature we can start a container with the custom scripts:

docker run --rm -e accept_eula=y -e auth=Windows --network MyTransparentNetwork --security-opt "credentialspec=file://releaseX.json" --name releaseX --hostname releaseX -e folders="c:\run\my=https://github.com/tfenster/nav-docker-samples/archive/grant-user-access.zip\nav-docker-samples-grant-user-access" -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS microsoft/dynamics-nav:2017-cu14

Docker uses the CredentialSpec to run the container with the specified gMSA. To access the domain, the container connects via a transparent network. While the container starts, the custom scripts are downloaded from the GitHub repository and the users are created.

This way, we can easily grant access to a user group in a couple of seconds while starting the NAV container. Awesome!

5 Kommentare zu “Quickly grant access to a user group when starting a NAV container”

  1. Hello Markus
    I am building similar system for our company’s internal use. Your blog has been inspiration to me, and it is just great that you share your knowledge with others struggling with same problems.
    I have managed to implement this system so far that I should run the docker image, but then I cannot find the structure or information what should be included in credentialspec file.
    Can you elaborate this a bit?

  2. Hello Urpo,

    great that the blog helps you. Did you have a look at Jakub’s script (https://github.com/Koubek/nav-docker-examples/blob/master/gmsa/New-gMSA.ps1) I mentioned? You basically just need to run e.g.

    New-gMSA -HostNames @(‚YourContainerHostName‘) -SecGroupPath ‚OU=mygMSAs,DC=mydomain,DC=com‘ -PrincipalsAllowedToRetrieveManagedPassword @(‚DockerGMSAGroup‘)

    For the script to work the user who runs the script must have the rights to create gMSAs in the specified ActiveDirectory OU. Also the AD PowerShell tools must be installed first (Add-WindowsFeature rsat-ad-powershell) and the Docker host must be member of the group specified in the last parameter to have access to the created gMSA.

    The script automatically creates the credentialspec file in C:\ProgramData\docker\credentialspecs\YourContainerHostName.json so that it can be used in the docker run command with –security-opt „credentialspec=file://YourContainerHostName.json“

    If your’re still struggling, feel free to contact me via Twitter or LinkedIn.

  3. Hi Tobias,
    thankyou very much for your post.
    I would like to use the AD authentication to spin up a nav container and make it usable from all developers group of my domain.
    Actually I use a script to create a dockerized sql db, and another one to run bc container with navuserpassword:

    Do you have any suggestion to make it possible?
    Thanks in advance for the support

  4. Hi Pellic,

    you’re missing the parameters for adding the custom scripts as well as the gMSA (for the container to have access to your domain):
    –security-opt „credentialspec=file://$ContainerName.json“ –hostname $ContainerName -e folders=“c:\run\my=https://github.com/tfenster/nav-docker-samples/archive/grant-user-access.zip\nav-docker-samples-grant-user-access“ -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS

    The name of the gMSA, the hostname and container name must be identical. You can create the gMSA with the script of Jakub (which also creates the JSON file): https://github.com/Koubek/nav-docker-examples/blob/master/gmsa/New-gMSA.ps1

    You should be able to add those Parameters to your $additionalParameters in your BCOnPremContainerWithSQLDockerizedDB_.ps1 script.

  5. Good morning! .
    We are engaged in Queensview big eight years, during this period we working exclusively female employees , on Dry cleaning chairs and Maid service. Home maid clean maintains order and cleanliness in living room by set schedule . We employ exclusively qualified Maid , ready to take on Cleaning cleaning of the most varied complexity and implement it very fast and good. When wewe are talking about a large apartment, we provide to the customer necessary number staff. We offer as experienced personnel , but also additionally prices affordable for each customer for Maid service в Astoria Heights. For the opportunity place an order Dry-cleaning padded stools and Maid service in my area advise you personally visit our site in Meatpacking District. The Remove Building cleaning services с Maid service in my area usually more pleasant in Beechhurst

    We provide expert deep housecleaning nyc for exclusive customers. Utilizing European equipment as well as accredited devices, we attain maximum results and supply cleaning in a short time.

    Our friendly team offers you to obtain accustomed with beneficial terms of collaboration for corporate clients. We sensibly approach our tasks, tidy using specialist cleaning items as well as specific tools. Our employees are educated, have clinical publications and recognize with the nuances of removing complicated as well as hard-to-remove dust from surfaces.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.