Learn how to integrate your Windows Diego Cells with an existing Active Directory domain to enable support for apps using Windows Authentication. With Windows Authentication, users of a Windows app on TAS for VMs [Windows] are authenticated transparently with their domain credentials.

Security considerations

Do not use HTTP routing through the Gorouter for apps that use Windows Authentication. Windows Authentication sessions are cached by source IP and port. The Gorouter maintains TCP connections to application containers and reuses them for subsequent inbound HTTP requests. This implies that a given Gorouter uses the same port to talk to an app for multiple users. User authentication sessions are shared among multiple users making HTTP requests to the Windows Authentication app, which is a serious security issue.

To avoid this risk, use TCP routing. The TCP router does not maintain connections to application containers the way the Gorouter does, so user authentication sessions are not shared among multiple users.
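To make the failure mode concrete, here is a small model of the two routing paths. It is an added example for this page, not TAS, Gorouter or TCP router code. It assumes an application whose authentication state is keyed purely by the backend-facing (source IP, port) pair, as the text describes, and reduces each router to how it maps client connections onto backend connections; all addresses and names are constructed.

```python
"""Toy model of why Windows Authentication sessions leak through a
connection-reusing router. Constructed example, not TAS or Gorouter code."""
from dataclasses import dataclass, field


@dataclass
class WindowsAuthApp:
    """Stand-in for an app whose auth state is cached per transport endpoint:
    once a (source ip, port) pair has authenticated, later requests arriving
    on the same pair are treated as that user, even without credentials."""
    sessions: dict = field(default_factory=dict)

    def handle(self, src_endpoint, credentials):
        if src_endpoint in self.sessions:
            return self.sessions[src_endpoint]   # served under the cached identity
        if credentials is None:
            return None                           # no session yet: 401 challenge
        self.sessions[src_endpoint] = credentials
        return credentials


class ConnectionReusingRouter:
    """Gorouter-like: one keep-alive connection to the app, reused for every
    client, so the app sees the same (ip, port) for all of them."""
    def __init__(self, app):
        self.app = app
        self.backend_endpoint = ("10.0.0.5", 40001)  # constructed value

    def forward(self, client, credentials):
        return self.app.handle(self.backend_endpoint, credentials)


class PerConnectionRouter:
    """TCP-router-like: each client connection gets its own backend connection,
    so distinct clients never share a (ip, port) pair at the app."""
    def __init__(self, app):
        self.app = app
        self.ports = {}

    def forward(self, client, credentials):
        port = self.ports.setdefault(client, 50000 + len(self.ports))
        return self.app.handle(("10.0.0.5", port), credentials)


def scenario(router_cls):
    """Alice authenticates; Bob then sends an unauthenticated request.
    Returns (identity served to Alice, identity served to Bob)."""
    router = router_cls(WindowsAuthApp())
    alice = router.forward("alice-browser", "CORP\\alice")
    bob = router.forward("bob-browser", None)
    return alice, bob


if __name__ == "__main__":
    print("Gorouter-style:", scenario(ConnectionReusingRouter))  # Bob is served as alice
    print("TCP-router-style:", scenario(PerConnectionRouter))    # Bob gets a challenge
```

With the connection-reusing router, Bob's first request lands on the endpoint Alice already authenticated and is served under her identity; with the per-connection router it arrives on a fresh endpoint and is challenged, which is the behaviour the TCP routing requirement relies on.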

To activate TCP routing, see Configure networking for the TAS for VMs tile.

Apps using Windows Authentication can use the --no-route flag for the cf push command, or specify a routes section in the app manifest with only a TCP route. The --no-route flag no longer unbinds all existing routes associated with the app.

Prerequisites

Before you configure the TAS for VMs [Windows] tile for Windows Authentication, you must meet the following requirements:

  • Your Active Directory instance must be configured with a GMSA and a regular user that has been granted access to the GMSA credentials. See the Microsoft documentation for specifics.
  • Your Windows Diego Cells must have the appropriate firewall rules to access the Active Directory instance.
  • Application Security Groups must be configured to allow traffic from application containers to the Active Directory instance.
  • TCP routing must be enabled and configured.

Caution Using Windows Authentication through Gorouter is discouraged because it causes authentication sessions for one user to be returned to a different user. Apps using Windows Authentication must only be accessed through TCP routes.

  • The "The Gorouter and apps use mutual TLS to verify each other's identity" setting described in Advanced Features must not be selected, as this deactivates TCP routing.
  • Depending on your IaaS, you might need to configure BOSH DNS handlers so that your application containers can resolve domain resources through the Active Directory instance. See the VMware Tanzu Operations Manager Documentation for IaaS-specific instructions.
  • Apps intending to use Windows Authentication must use the HWC buildpack.

Note Use an isolation segment for Windows Authentication, because all apps in the TAS for VMs [Windows] installation have access to GMSA credentials. To associate a TAS for VMs [Windows] tile with an isolation segment so that its Diego Cells run in that segment, see Windows Diego Cells in isolation segments.

Limitations

  • Authenticating through the cf CLI with Windows Authentication is not supported.
  • Every app in the TAS for VMs [Windows] installation has access to GMSA credentials. There is no way to configure it on an app-by-app basis.
  • Windows Authentication delegation from app to service is not supported.

Configuring the tile

Start the configuration by following the steps in the Microsoft documentation to create the appropriate values, then select Windows Authentication and use this procedure:

  1. Under Windows Authentication, select Configure.
  2. In the For security reasons, apps using Windows Authentication must use TCP routing text box, enter X to acknowledge this requirement. See Security considerations for the details.
  3. In Active Directory FQDN, enter the domain of the Active Directory instance that application containers use for authentication.
  4. In Standard user name, enter the name of the user account with access to the gMSA password. This is the regular user account described in Prerequisites, not the gMSA itself.
  5. In Standard user password, enter the password of that same user account.
  6. In Container credential spec, enter a JSON string that describes the gMSA account and domain details. For more information about Windows Authentication, see Microsoft documentation.
  7. Click Save.
  8. Deploy the tile.
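Before clicking Save, it helps to check the two artifacts that this procedure and the Security considerations depend on: the app manifest (TCP routes only, or no routes at all) and the Container credential spec JSON from step 6. The checker below is an added example, not part of the TAS tile or the cf CLI. It assumes the manifest has already been parsed (for instance with PyYAML) into a dict, and it assumes the credential spec uses the DomainJoinConfig / ActiveDirectoryConfig layout that Microsoft's CredentialSpec PowerShell module generates; every domain, account and route value is a constructed placeholder.

```python
"""Pre-flight checks for an app manifest and a container credential spec before
enabling Windows Authentication. Constructed example, not TAS or cf CLI code."""
import json
import re

# A cf TCP route is written as domain:port with no path; an HTTP route has no port.
TCP_ROUTE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def manifest_route_problems(app):
    """Problems in one 'applications' entry of a parsed cf manifest."""
    problems = []
    if app.get("no-route"):
        return problems                        # same effect as cf push --no-route
    routes = app.get("routes") or []
    if not routes:
        problems.append("neither 'no-route: true' nor a routes section: "
                        "cf push would create a default HTTP route")
        return problems
    for entry in routes:
        route = entry.get("route", "")
        if not TCP_ROUTE.match(route):
            problems.append(f"route {route!r} is an HTTP route through the Gorouter")
    return problems


def credspec_problems(spec_json, ad_fqdn):
    """Problems in a credential spec JSON string, checked against the
    Active Directory FQDN entered in the tile."""
    try:
        spec = json.loads(spec_json)
    except json.JSONDecodeError as exc:
        return [f"credential spec is not valid JSON: {exc}"]
    problems = []
    join = spec.get("DomainJoinConfig", {})
    dns_name = join.get("DnsName")
    if not dns_name:
        problems.append("DomainJoinConfig.DnsName is missing")
    elif dns_name.lower() != ad_fqdn.lower():
        problems.append(f"DnsName {dns_name!r} does not match tile FQDN {ad_fqdn!r}")
    accounts = spec.get("ActiveDirectoryConfig", {}).get("GroupManagedServiceAccounts", [])
    if not accounts:
        problems.append("no GroupManagedServiceAccounts listed")
    # A gMSA Scope must be the domain's DNS name or NetBIOS name.
    valid_scopes = {s.lower() for s in (dns_name, join.get("NetBiosName")) if s}
    for acct in accounts:
        if not acct.get("Name"):
            problems.append("gMSA entry without a Name")
        if str(acct.get("Scope", "")).lower() not in valid_scopes:
            problems.append(f"gMSA Scope {acct.get('Scope')!r} is not the domain's "
                            "DNS or NetBIOS name")
    return problems


# Constructed sample inputs (placeholders, not real domains or accounts).
MANIFEST_APP = {
    "name": "payroll-intranet",
    "buildpacks": ["hwc_buildpack"],
    "routes": [{"route": "tcp.example.com:60001"}],
}
CREDSPEC = json.dumps({
    "DomainJoinConfig": {"DnsName": "corp.example.com", "NetBiosName": "CORP",
                         "Sid": "S-1-5-21-0-0-0"},
    "ActiveDirectoryConfig": {"GroupManagedServiceAccounts": [
        {"Name": "payrollgmsa", "Scope": "corp.example.com"},
        {"Name": "payrollgmsa", "Scope": "CORP"},
    ]},
})


def preflight(app, spec_json, ad_fqdn):
    """All problems found; an empty list means both artifacts pass."""
    return manifest_route_problems(app) + credspec_problems(spec_json, ad_fqdn)


if __name__ == "__main__":
    for problem in preflight(MANIFEST_APP, CREDSPEC, "corp.example.com") or ["ok"]:
        print(problem)
```

The route check is the operational half of the Security considerations: an app entry that neither sets `no-route: true` nor lists routes would get a default HTTP route from cf push, and any route without a port is an HTTP route served through the Gorouter. The credential spec check only catches shape and consistency errors; whether the gMSA and the standard user are set up correctly in the domain is still verified on the Active Directory side.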

Rotating the standard user

Follow the steps in the Microsoft documentation, but do not create a new service account or security group.

  1. Create a new user account.
  2. Add the user to the security group that guards access to the GMSA service account.
  3. Update the Standard user name and Standard user password text boxes with the new user information.
  4. Click Save.
  5. Deploy the tile.

Troubleshooting

For troubleshooting details, see Troubleshooting Windows authentication.
