I'm trying to get my ASP.NET Core 9 Blazor App to work with Windows authentication running in a docker container.
I wrote this dockerfile:
```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base

# Temporarily work as root to install libraries
#USER root
WORKDIR /app

# Install the library and tools for Kerberos authentication
RUN apt-get update && apt-get install -y libkrb5-3 libgssapi-krb5-2 krb5-user krb5-config
RUN apt-get update && apt-get install -y libsasl2-modules-gssapi-mit libsasl2-modules gss-ntlmssp
RUN apt-get update && apt-get install -y iputils-ping dnsutils telnet ldap-utils
RUN rm -rf /var/lib/apt/lists/*

# Copy the Kerberos configuration and keytab files
COPY ["Brit/krb5.conf", "/etc/krb5.conf"]
COPY ["Brit/brit.keytab", "/etc/krb5.keytab"]

# Set environment variables for Kerberos
ENV KRB5_CONFIG=/etc/krb5.conf
ENV KRB5_KTNAME=/etc/krb5.keytab
ENV KRB5CCNAME=/tmp/krb5cc_0

# Set secure permissions on the keytab file
RUN chmod 600 /etc/krb5.keytab \
    && chown ${APP_UID:-1000}:${APP_GID:-1000} /etc/krb5.keytab

# Switch back to the non-root user
USER $APP_UID
EXPOSE 8080
EXPOSE 8081

FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["Brit/Brit.csproj", "Brit/"]
COPY ["ApplicationModels/ApplicationModels.csproj", "ApplicationModels/"]
COPY ["KeyTechServices/KeyTechServices.csproj", "KeyTechServices/"]
COPY ["StarfaceServices/StarfaceServices.csproj", "StarfaceServices/"]
RUN dotnet restore "Brit/Brit.csproj"
COPY . .
WORKDIR "/src/Brit"
RUN dotnet build "Brit.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "Brit.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "Brit.dll"]
```

And in my program.cs I added negotiation:

```csharp
using Brit.Components;
using Brit.Services;
using KeyTechServices.Extensions;
// using KeyTechServices.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;
using MudBlazor.Services;
using StarfaceServices.Extensions;
using StarfaceServices.Services;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddMemoryCache();

// Add windows based authentication
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

// Add basic authorization
builder.Services.AddAuthorization(options => { options.FallbackPolicy = options.DefaultPolicy; });

// Add MudBlazor services
builder.Services.AddMudServices();

// Add services to the container.
builder.Services.AddRazorComponents()
    .AddInteractiveServerComponents();

// Add Cascading Authentication State
builder.Services.AddCascadingAuthenticationState();

// Add claims transformation
builder.Services.AddSingleton<IClaimsTransformation, ClaimsTransformationService>();

// Adjust logging in the HttpClient
builder.Logging.AddFilter("System.Net.Http.HttpClient", LogLevel.Warning);
builder.Logging.AddFilter("System.Net.Http", LogLevel.Warning);

builder.Services.AddHttpClient<StarfaceWebApiService>(client => { client.BaseAddress = new Uri("http://srv-pbx/rest/"); })
    .AddHttpMessageHandler<StarfaceAuthTokenHandler>();

builder.Services.AddScoped<StarfaceAuthTokenHandler>();
builder.Services.AddHttpContextAccessor();
builder.Services.AddKeyTechServices();
builder.Services.AddStarfaceServices();
builder.Services.AddTransient<ActiveDirectoryService>();
builder.Services.AddTransient<ThumbnailService>();
builder.Services.AddTransient<EmailService>();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error", true);
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

// Order matters!
// app.UseHttpsRedirection();
app.UseStaticFiles();
// app.UseAuthentication(); // Add this
// app.UseAuthorization();
app.UseAntiforgery();

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode();

app.Run();
```

This works fine on my desktop, but I can't get it running inside the Docker container.
Inside the container, the Kerberos authorization with

```shell
kinit -kt /etc/krb5.keytab HTTP/brit.ad.brueck.net@AD.BRUECK.NET
```

and

```shell
klist
```

works, so I think this is not the issue.
Does anyone have a solution for this?