
Need help with Container Credential Guard service resolution of gMSA tickets for Windows Containers #422

Closed
jterry75 opened this issue Sep 15, 2023 · 5 comments
Labels: gMSA (authentication account across containers), question (Further information is requested), triage (New and needs attention)

Comments

@jterry75

We are attempting to use domainless gMSA based on the public documentation provided from Microsoft here: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview and here: https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts and plugin API here: https://learn.microsoft.com/en-us/windows/win32/api/ccgplugins/nn-ccgplugins-iccgdomainauthcredentials.

Note that we have all of this working for our common scenarios. However, we have an additional scenario where the network namespace of the containers needs to be isolated from the host for various security policy reasons.

The architecture looks like this:

  1. Host has a Network Interface that is attached to an internal network.
  2. Host has a Network Interface that is attached to private subnet that has access to the domain controller.
  3. We create a Transparent network namespace and attach the Network Interface of the private subnet to it.
  4. We disable the Network Interface in the host compartment. This now fully isolates all container traffic from the host. The host cannot send traffic into the private subnet, and the container has no access to the host network.
  5. We then attempt to use domainless gMSA and find that the CCG service cannot resolve the domain.

It appears that CCG uses the DNS resolution of the primary network interface in the host compartment. This means that the primary network adapter of the instance must be on the same network as the domain controller. How can we configure CCG to resolve the Kerberos ticket using the DNS of the container network instead of the primary NIC?

Thanks!

@jterry75 jterry75 added the question Further information is requested label Sep 15, 2023
@ntrappe-msft ntrappe-msft added triage New and needs attention gMSA authentication account across containers labels Sep 19, 2023
@fady-azmy-msft
Contributor

fady-azmy-msft commented Oct 18, 2023

I'm not sure what the right answer is to your question, but I've reached out to the team that owns CCG if they can comment here.

@vrapolinario
Contributor

Hi @jterry75, long time... Have you tried to change the network priority instead on this host? I'm assuming the network interface you don't want to use has a higher priority and is not the right DNS resolution, but not sure...

@arun-annamalai

We would like to keep the network priority of the primary network interface as the highest. Is there another way to configure CCG.exe so that the binary runs in the network interface in step 2?

Contributor

This issue has been open for 30 days with no updates.
No assignees; please provide an update or close this issue.

@vrapolinario
Contributor

At this time configuring the network adapter for CCG is not supported. CCG will use the host's network which must have line of sight to the DC.
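
An added example (not from this thread, and not Microsoft's or the project's own code) that reproduces the five-step layout from the opening post and then checks the requirement stated in the comment above: CCG.exe resolves the domain from the host compartment, so the host itself must be able to locate a DC. Adapter names, the domain name, the DNS server address, the container network name and the host-side vNIC name are all assumptions for illustration; verify them with `Get-NetAdapter` on your own host.

```powershell
# Added example, not from the issue or from Microsoft's documentation.
# Reproduces steps 1-5 of the opening post, then checks whether the host
# compartment (where CCG.exe runs) can still locate a DC. All names below
# are assumptions for illustration.
$PrivateNic  = 'Ethernet 2'        # step 2: NIC on the private subnet with line of sight to the DC
$Domain      = 'corp.contoso.com'  # assumed AD domain
$DcDns       = '10.20.0.10'        # assumed DNS server reachable only via the private subnet
$NetName     = 'ccg-private'       # assumed transparent container network name
$HostSideNic = "vEthernet ($NetName)"  # assumed name of the host vNIC the transparent vSwitch creates
$Image       = 'mcr.microsoft.com/windows/servercore:ltsc2022'

# Step 3: transparent container network bound to the private-subnet NIC.
# (Step 1, the internal-network NIC, stays enabled and keeps the highest priority.)
$ifOpt = "com.docker.network.windowsshim.interface=$PrivateNic"
docker network create -d transparent -o $ifOpt $NetName

# Step 4: take the host's side of that vSwitch out of the host compartment.
# Containers on $NetName keep using the NIC; the host loses its path to the DC.
Disable-NetAdapter -Name $HostSideNic -Confirm:$false

# Check 1: which DNS servers the host resolver (and therefore CCG.exe) consults.
# After step 4, $DcDns should no longer be listed on any enabled interface.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Check 2: the DC locator SRV query exactly as the host does it (no -Server).
# A failure here is the step-5 symptom: the credential spec may be correct,
# but CCG cannot find the domain because the host resolver has no route to it.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
$hostCanLocateDc = $false
try {
    Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
        Format-Table Name, NameTarget, Port -AutoSize
    $hostCanLocateDc = $true
} catch {
    Write-Warning "Host-side lookup of $srv failed: $($_.Exception.Message)"
}

# Check 3: the same query from a container on the isolated network. This
# succeeding while check 2 fails is exactly the split the issue reports:
# the container's network is not the one CCG resolves through.
$inner = "Resolve-DnsName -Name $srv -Type SRV -Server $DcDns | Format-Table Name, NameTarget, Port"
docker run --rm --network $NetName $Image powershell -NoProfile -Command $inner

# Check 4: host-side DC locator. This is the "line of sight to the DC"
# condition from the closing comment; it must pass before a domainless gMSA
# credential spec can be expected to work on this host.
nltest /dsgetdc:$Domain /force
if (-not $hostCanLocateDc -or $LASTEXITCODE -ne 0) {
    Write-Warning "Host compartment cannot locate a DC for $Domain; CCG will fail here."
}

# Roll back step 4 to confirm the dependency: once the host regains a path
# to the private subnet, checks 2 and 4 pass again.
Enable-NetAdapter -Name $HostSideNic -Confirm:$false
```

Run this elevated on the container host. The useful outcome is the contrast between check 2 and check 3: when the container can resolve the DC and the host cannot, the isolation is working as designed but CCG is cut off, which is the unsupported configuration the closing comment describes. The only configuration that comment supports is one where check 2 and check 4 pass on the host.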
