Learn how to integrate your Windows Diego Cells with an existing Active Directory domain to enable support for apps using Windows Authentication. With Windows Authentication, you can access a Windows app on TAS for VMs [Windows] to transparently authenticate using your domain credentials.

Security considerations

Do not use HTTP routing via the GoRouter for apps that use Windows Authentication. Windows Authentication sessions are cached by source IP and port. The GoRouter maintains TCP connections to app containers and re-uses them for subsequent inbound HTTP requests. This implies that a given GoRouter uses the same port to talk to an app for multiple users. User authentication sessions end up being shared among multiple users making HTTP requests to the Windows Authentication app, which is a serious security hazard.

To avoid this risk, use TCP routing. The TCP router does not maintain connections to app containers in the same fashion as the GoRouter does, so user authentication sessions are not shared among multiple users. To enable TCP routing, see Configure Networking for the TAS for VMs tile.

Apps using Windows Authentication should use the --no-route flag with cf push, or specify a routes stanza in the app manifest that contains only a TCP route. Note that the --no-route flag no longer unbinds routes that are already associated with the app, so any route mapped earlier stays in place.
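As an added example (not part of this documentation, and not a TAS for VMs tool), the following script applies the rule above to an app manifest before it is pushed: every application entry must either set no-route or carry only TCP routes, because a missing routes stanza or an HTTP route would expose the app through the GoRouter. It assumes the cf manifest convention that a TCP route is written as domain:port with no path, while an HTTP route is a hostname with an optional path; the manifest, app names and domains are constructed sample values, and the manifest is shown already parsed into a Python dict.

```python
"""Added example (not part of the TAS for VMs [Windows] docs): check that a
cf app manifest, already parsed into a Python dict, exposes a Windows
Authentication app only through TCP routes or through no route at all.

Assumptions (not from the page): cf manifest TCP routes are written as
"tcp-domain:port" with an integer port and no path, while HTTP routes are
"host.domain" optionally followed by "/path". App names, buildpack names
and domains below are constructed sample values.
"""
import re

# domain:port, nothing else (no scheme, no path)
TCP_ROUTE = re.compile(r"^(?P<domain>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def classify_route(route: str) -> str:
    """Return 'tcp' for a domain:port route with a valid port, else 'http'."""
    m = TCP_ROUTE.match(route.strip())
    if m and 1 <= int(m.group("port")) <= 65535:
        return "tcp"
    return "http"


def check_app(app: dict) -> list:
    """Return a list of problems for one application entry of a manifest."""
    problems = []
    if app.get("no-route") is True:
        # Equivalent of cf push --no-route: nothing is reachable via the GoRouter.
        return problems
    routes = app.get("routes")
    if not routes:
        # Without an explicit routes stanza, cf push creates a default HTTP
        # route through the GoRouter, which shares connections between users.
        problems.append(
            f"{app.get('name')}: no explicit TCP route; cf would create an HTTP route"
        )
        return problems
    for entry in routes:
        route = entry.get("route", "")
        if classify_route(route) != "tcp":
            problems.append(f"{app.get('name')}: HTTP route {route!r} must be removed")
    return problems


def check_manifest(manifest: dict) -> list:
    """Collect problems across all applications in the manifest."""
    problems = []
    for app in manifest.get("applications", []):
        problems.extend(check_app(app))
    return problems


# Constructed sample manifest (parsed form) with compliant and non-compliant apps.
SAMPLE_MANIFEST = {
    "applications": [
        {"name": "winauth-ok", "buildpacks": ["hwc_buildpack"],
         "routes": [{"route": "tcp.example.com:10240"}]},
        {"name": "winauth-bad", "buildpacks": ["hwc_buildpack"],
         "routes": [{"route": "winauth-bad.apps.example.com"},
                    {"route": "tcp.example.com:10241"}]},
        {"name": "winauth-default", "buildpacks": ["hwc_buildpack"]},
        {"name": "winauth-noroute", "buildpacks": ["hwc_buildpack"], "no-route": True},
    ]
}

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST):
        print(problem)
```

Running the script reports the app with an HTTP route and the app that would receive a default route; the no-route app and the TCP-only app pass. The check is deliberately conservative: anything that does not parse as domain:port is treated as an HTTP route.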

Prerequisites

Before you configure the TAS for VMs [Windows] tile for Windows Authentication, ensure that you meet the following requirements:

  • Your Active Directory instance must be configured with a GMSA and a regular user that has been granted access to the GMSA credentials. See the Microsoft docs for specifics.
  • Your Windows Diego cells must have the appropriate firewall rules to access the Active Directory instance.
  • Application Security Groups must be configured to allow traffic from app containers to the Active Directory instance.
  • TCP Routing must be enabled and configured.

Caution Using Windows Authentication through the GoRouter is strongly discouraged because it will result in authentication sessions for one user being returned to a different user. Apps using Windows Authentication should only be accessed via TCP routes.

  • The setting "The Gorouter and apps use mutual TLS to verify each other's identity", described in Advanced Features, must not be selected, because it deactivates TCP routing.
  • Depending on your IaaS, you might need to configure BOSH DNS handlers so that your application containers can resolve domain resources through the Active Directory instance. See the VMware Tanzu Operations Manager Documentation for IaaS-specific instructions.
  • Apps intending to use Windows Authentication must use the HWC buildpack.

Important VMware strongly recommends using an isolation segment for Windows Authentication because all apps in the TAS for VMs [Windows] installation will have access to the GMSA credentials. To associate a TAS for VMs [Windows] tile with an isolation segment so that its Diego Cells run in that segment, see Windows Diego Cells in Isolation Segments.

Limitations

  • Authenticating via the cf CLI with Windows Authentication is not supported.
  • Every app in the TAS for VMs [Windows] installation will have access to the GMSA credentials. There is no way to configure it on an app-by-app basis.
  • Windows Authentication delegation from app to service is not supported.

Configuring the tile

Start by following the steps in the Microsoft docs to create the appropriate values, then select Windows Authentication and follow this procedure:

  1. Under Windows Authentication, select Configure.
  2. In the "For security reasons, apps using Windows Authentication must use TCP routing." field, enter X to acknowledge this requirement. See Security considerations for the details.
  3. In the Active Directory FQDN field, enter the domain of the Active Directory instance that app containers use for authentication.
  4. In the Standard user name field, enter the name of the user account with access to the gMSA password. This is a regular user account, not the gMSA itself.
  5. In the Standard user password field, enter the password of the user account with access to the gMSA password. This is a regular user account, not the gMSA itself.
  6. In the Container credential spec field, enter a JSON string that describes the gMSA account and domain details. For more information on Windows Authentication, see Microsoft docs.
  7. Click Save.
  8. Deploy the tile.
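The Container credential spec field takes a JSON string, and a malformed or inconsistent spec only shows up as a failed deployment or an app that cannot authenticate. The following added example (not part of this documentation, and not a TAS for VMs tool) sanity-checks a spec before it is pasted into the field and re-serialises it as a single line. It assumes the field takes the Microsoft CredentialSpec JSON format with DomainJoinConfig and ActiveDirectoryConfig sections, as produced by New-CredentialSpec; the SID, GUID, domain and account names are constructed sample values.

```python
"""Added example (not part of the TAS for VMs [Windows] docs): sanity-check a
gMSA container credential spec before pasting it into the tile's Container
credential spec field.

Assumption (not stated on the page): the field takes the Microsoft
CredentialSpec JSON format produced by New-CredentialSpec, with
DomainJoinConfig and ActiveDirectoryConfig sections. All SIDs, GUIDs,
domain and account names below are constructed sample values.
"""
import json
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")  # domain SID, no RID suffix
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED_JOIN_KEYS = (
    "Sid", "MachineAccountName", "Guid", "DnsTreeName", "DnsName", "NetBiosName",
)


def validate_credspec(text: str) -> list:
    """Return a list of problems; an empty list means the spec looks usable."""
    problems = []
    try:
        spec = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    join = spec.get("DomainJoinConfig", {})
    for key in REQUIRED_JOIN_KEYS:
        if not join.get(key):
            problems.append(f"DomainJoinConfig.{key} is missing or empty")
    if join.get("Sid") and not SID_RE.match(join["Sid"]):
        problems.append("DomainJoinConfig.Sid is not a domain SID")
    if join.get("Guid") and not GUID_RE.match(join["Guid"]):
        problems.append("DomainJoinConfig.Guid is not a GUID")
    accounts = spec.get("ActiveDirectoryConfig", {}).get(
        "GroupManagedServiceAccounts", [])
    names = {a.get("Name") for a in accounts}
    scopes = {a.get("Scope") for a in accounts}
    if not accounts:
        problems.append("no GroupManagedServiceAccounts listed")
    elif names != {join.get("MachineAccountName")}:
        problems.append(
            "gMSA Name entries must all equal DomainJoinConfig.MachineAccountName")
    # The gMSA is looked up under both its DNS scope and its NetBIOS scope.
    for scope_key in ("DnsName", "NetBiosName"):
        if join.get(scope_key) and join[scope_key] not in scopes:
            problems.append(
                f"no GroupManagedServiceAccounts entry with Scope {join[scope_key]!r}")
    return problems


def compact(text: str) -> str:
    """Re-serialise the spec as one line, the form a single text field expects."""
    return json.dumps(json.loads(text), separators=(",", ":"))


# Constructed sample spec; every identifier here is made up for the example.
SAMPLE_CREDSPEC = """
{
  "CmsPlugins": ["ActiveDirectory"],
  "DomainJoinConfig": {
    "Sid": "S-1-5-21-1111111111-2222222222-3333333333",
    "MachineAccountName": "winauth-gmsa",
    "Guid": "0a1b2c3d-4e5f-4a6b-8c9d-0e1f2a3b4c5d",
    "DnsTreeName": "example.test",
    "DnsName": "example.test",
    "NetBiosName": "EXAMPLE"
  },
  "ActiveDirectoryConfig": {
    "GroupManagedServiceAccounts": [
      {"Name": "winauth-gmsa", "Scope": "example.test"},
      {"Name": "winauth-gmsa", "Scope": "EXAMPLE"}
    ]
  }
}
"""

if __name__ == "__main__":
    print(validate_credspec(SAMPLE_CREDSPEC) or "OK")
    print(compact(SAMPLE_CREDSPEC))
```

The checks are structural only; they confirm the spec is self-consistent, not that the SID, GUID or gMSA exist in the domain. Because every app on the Diego Cells receives this credential, treat the spec and the standard user password as secrets and keep them out of source control.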

Rotating the standard user

Follow the steps in the Microsoft docs, but do not create a new service account or security group.

  1. Create a new user account.
  2. Add the user to the security group that guards access to the GMSA service account.
  3. Update the Standard user name and Standard user password fields with the new user information.
  4. Click Save.
  5. Deploy the tile.

Troubleshooting

For troubleshooting details, see Troubleshooting Windows authentication.
