Connect to Windows Docker container through Active Directory

  active-directory, docker, windows-container

I’m trying to connect to SQL Server in a Docker Windows container through Active Directory.

I have found that I need to create a gMSA (group Managed Service Account):

On the AD server I have done:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

New-ADGroup -Name "Docker Authorized Hosts" -SamAccountName "docker" -GroupScope DomainLocal

New-ADServiceAccount -Name "docker" -DnsHostName "docker.gptest.local" -ServicePrincipalNames "host/docker", "host/docker.gptest.local" -PrincipalsAllowedToRetrieveManagedPassword "docker"

Add-ADGroupMember -Identity "docker" -Members "ie10win10$"

The domain is called gptest.local; ie10win10 is the name of my test computer, with Docker installed to test it.

On the ie10win10 PC, after a restart, I check the domain and it works OK:

 nltest /sc_verify:gptest.local 



In the next step I created a credential spec:

New-CredentialSpec -AccountName Docker

which contains:

{
  "CmsPlugins": ["ActiveDirectory"],
  "DomainJoinConfig": {
    "Sid": "S-1-5-21-592862003-1388571531-1992065655",
    "MachineAccountName": "Docker",
    "Guid": "c47ec2b1-955c-4fb9-8eb8-c1cdd1f1ac3f",
    "DnsTreeName": "gptest.local",
    "DnsName": "gptest.local",
    "NetBiosName": "GPTEST"
  },
  "ActiveDirectoryConfig": {
    "GroupManagedServiceAccounts": [
      {
        "Name": "Docker",
        "Scope": "gptest.local"
      },
      {
        "Name": "Docker",
        "Scope": "GPTEST"
      }
    ]
  }
}


and container:

docker run -d -p 1433:1433 --name docker -e [email protected]#$%^ --security-opt "credentialspec=file://gptest_docker.json" --hostname docker -e ACCEPT_EULA=Y microsoft/mssql-server-windows-developer

Unfortunately, in the container, the nltest result is:


I have no clue why it doesn’t work.
Here I have found that I need to make sure that:

"Container networks allow the containers to communicate with the Active Directory Domain Controllers to retrieve gMSA tickets"

But how can I check that?

Source: Docker Questions
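
One way to check the quoted requirement from inside the container, as an added example that is not part of the original question. The helper name `Test-TcpPort` and the port list (the usual TCP ports a domain member uses to reach a domain controller) are assumptions; the domain name and container name are taken from the post.

```powershell
# Run inside the container, e.g.:  docker exec -it docker powershell
# Added example; helper name and port list are assumptions, not from the post.
$Domain = 'gptest.local'   # domain name used in the post

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # A filtered port never answers, so give up after the timeout.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. DNS: the AD domain name itself resolves to the domain controllers.
#    A failure here means the container is not using a DNS server that knows the domain.
try {
    $dcAddresses = [System.Net.Dns]::GetHostAddresses($Domain) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' }
} catch {
    Write-Error "Cannot resolve $Domain from the container; check the container's DNS settings."
    return
}

# 2. TCP reachability of each DC (UDP 53/88 and dynamic RPC ports are not covered here).
$ports = [ordered]@{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
$results = foreach ($ip in $dcAddresses) {
    foreach ($p in $ports.GetEnumerator()) {
        [pscustomobject]@{
            DC        = $ip.IPAddressToString
            Port      = $p.Key
            Service   = $p.Value
            Reachable = Test-TcpPort -HostName $ip.IPAddressToString -Port $p.Key
        }
    }
}
$results | Format-Table -AutoSize

# 3. DC locator and secure channel, evaluated with the container's gMSA identity.
nltest "/dsgetdc:$Domain"
nltest "/sc_verify:$Domain"
```

If step 1 or 2 fails, the problem is the container network or DNS configuration; if both pass and only step 3 fails, look at the gMSA and credential spec instead.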