Windows authentication on Traefik 2.0

I have a Windows Docker container with IIS and Windows Authentication on HTTPS in a Docker Swarm.
The container is verified to work with Windows Authentication by a host port mapping.
We would like to use Traefik so we don't need to map a port to the host.
In Traefik 1.x this was not possible due to the lack of TCP routing.
We think it should be possible to do with Traefik 2.0.
Does anyone have a Docker label example which works with Windows Authentication?

Kind regards,
Marc

Can you elaborate what is "windows authentication" please? Is it a backend service to be served through Traefik? Or is it an external authentication system to be used by Traefik for incoming requests to your other webapps?

Any help with a current config and a diagram could help us to give you the right label.

In the Windows world, "Windows Authentication" has a quite established, unambiguous meaning:

@dduportal @zespri thanks for your quick response.

Traefik should not handle the authentication.
The container will handle the authentication, but the requests should go through Traefik and be forwarded to the container. As far as I know this also uses a TCP connection, and this was the reason it could not work with Traefik 1.x.
I use these labels now, but they don't work:

    - "traefik.enable=true"
    - "traefik.http.routers.test-router.rule=Host(`www.test.com`)"
    - "traefik.http.routers.test-router.service=test-service"
    - "traefik.http.routers.test-router.entrypoints=https"
    - "traefik.http.routers.test-router.tls=true"
    - "traefik.http.services.test-service.loadbalancer.server.port=443"
    - "traefik.http.services.test-service.loadbalancer.sticky=true"
    - "traefik.tcp.routers.test-router.rule=HostSNI(`www.test.com`)"
    - "traefik.tcp.routers.test-router.tls=true"
    - "traefik.tcp.services.test-service.loadbalancer.server.port=443"

If you need more info I can provide that, but it will take some time to make a diagram.

Thanks for the explanation @marcgerritsen!

Based on your feedback, there are other questions raised in order to help you get to the right configuration. The labels you used are a good starting point, but the high-level need has to be clarified even more:

Can you confirm that:

  • What you refer to as "Windows Authentication" is an application using the HTTP protocol (with or without TLS)?
  • I see that the "backend" container for "Windows Authentication" only listens on its port 443. Should HTTP requests go through this port on the backend as well?
  • Do you want TLS to be terminated by Traefik or by the backend system?

The container generates a self-signed certificate, so Traefik connects to it through HTTPS.
In the global config we configured insecureSkipVerify=true so this works. Ideally we would install our root certificate in Traefik to verify the connection, but we could not get that working in 1.x.
TLS is terminated at Traefik with our public wildcard certificate. So Traefik receives HTTPS traffic and sends HTTPS traffic over different connections with different certificates.
Hope this answers your questions @dduportal.

Update:
It works if I install my wildcard certificate in the container and add

        - "traefik.tcp.routers.test-service.tls.passthrough=true"

I see other problems accessing other HTTPS Docker containers without Windows Authentication, so I should fix this first. This was working for us in Traefik 1.x, but probably I made a mistake or Traefik does not honor

[serversTransport]
  insecureSkipVerify = true

Traefik responds with Bad Request. I'll try to fix this first, which maybe also fixes the original problem.

Update 2:
The Bad Gateway error came from connecting by HTTP instead of HTTPS, so adding

        - "traefik.http.services.test-service.loadbalancer.server.scheme=https"

fixed that problem. Unfortunately the original problem is not yet solved.

Hi @marcgerritsen, I am sorry but I don't understand the problem. Would you have a diagram explaining the topology to help us understand what you're trying to achieve please?

I can confirm that Windows Integrated authentication works successfully with Traefik 2.0 using TCP routers with successful logins proven on Windows/Mac using Safari/Chrome/IE.

Note that when testing it is important to ensure you have cleared cookie caches or you can get unpredictable results due to prior login attempts on non-working configurations you may have attempted.

In our configuration we have a mixed-OS docker Swarm (Linux/Windows) with Traefik operating on Linux and sending requests straight to back-end Windows-containers running on Windows swarm nodes.

If you have configured your Windows app and containers correctly I can confirm that from:

  • A domain-joined machine you will get straight through login to Windows back-end containers using the domain-joined machine's Kerberos credentials
  • A non-domain-joined machine connection will downgrade to Windows NTLM authentication and prompt for Windows authentication credentials.

From a Traefik configuration perspective our docker containers have labels like this:

        - "traefik.tcp.routers.dotnet-tcpexample.entrypoints=websecure"
        - "traefik.tcp.routers.dotnet-tcpexample.tls=true"
        - "traefik.tcp.routers.dotnet-tcpexample.tls.options=default"
        - "traefik.tcp.routers.dotnet-tcpexample.rule=HostSNI(`windows.foo.bar`)"
        - "traefik.tcp.routers.dotnet-tcpexample.tls.passthrough=true"
        - "traefik.tcp.routers.dotnet-tcpexample.service=dotnet-tcpexample"
        - "traefik.tcp.services.dotnet-tcpexample.loadbalancer.server.port=443"

Note that configuring containers for Windows integrated authentication in itself is non-trivial but documented here.


Hey @fifofonix, this is cool. Would you be able to write a short "User Guide" on Traefik's docs for this?


@fifofonix can you verify your settings work with Windows Admin Center?
I'm trying to get that to work for me, and I keep getting an internal server error.
Here is my config...

# HTTPS Proxy for Windows Admin Center
http:
  routers:
    wac:
      rule: "Host(`wac.domain.tld`)"
      middlewares:
        - chain-private-oauth
      tls:
        certResolver: letsEncrypt
      service: wac
  services:
    wac:
      loadBalancer:
        servers:
          - url: "https://windows.domain.tld:6516/"
tcp:
  routers:
    wac-ntlm:
      rule: HostSNI(`wac.domain.tld`)
      entrypoints: web-secure
      tls:
        options: default
        passthrough: true
      service: wac-ntlm
  services:
    wac-ntlm:
      loadBalancer:
        servers:
          - address: "windows.domain.tld:6516"

I am also configuring Windows Admin Center to work through Traefik.
I get the login prompt; after pressing Enter I get "Internal Server Error".
It works fine if I directly use the IP address of the Windows Admin Center server.

Were you able to fix it?


Was anyone able to get Windows Admin Center to work? I too am getting Internal Server Error after entering creds in the login prompt like the others mentioned.


Did you guys figure it out? I am having this same issue.

Same issue here, any updates?

I'm trying to reverse proxy Windows Admin Center but I get the error:

'502 Bad Gateway' caused by: local error: tls: no renegotiation

Here is my config file:

http:
    routers:
        windows-admin-center:
            entryPoints:
                - "https"
            rule: "Host(`wac.example.com`)"
            service: windows-admin-center
            middlewares:
                - secureRedirect
                - restrictToLocal
            tls:
                certResolver: infomaniak
                options: default
                domains:
                    - main: "*.example.com"

    serversTransports:
        wac-transport:
            disableHTTP2: true
            insecureSkipVerify: true

    services:
        windows-admin-center:
            loadBalancer:
                serversTransport: wac-transport
                servers:
                    - url: "https://192.168.1.125:6516"

tcp:
    routers:
        windows-admin-center:
            entryPoints:
                - "https"
            rule: "HostSNI(`wac.example.com`)"
            service: windows-admin-center
            middlewares:
                - restrictToLocal
            tls:
                options: default
                passthrough: true

    services:
        windows-admin-center:
            loadBalancer:
                servers:
                    - address: "192.168.1.125:6516"

Is "Windows Admin Center" a web GUI? Is that a TLS issue between browser and Traefik or between Traefik and target service?

It looks like you have a http and tcp router on the same entrypoint for the same domain, is that on purpose? And the TCP router is passing on TLS, which seems to be created by a certresolver, so with LetsEncrypt. The target will probably not have the same cert, therefore can not decrypt. What do you want to achieve?

Share your full Traefik static and dynamic config, and docker-compose.yml if used. You can check Traefik debug log and look at Traefik Dashboard for more info.

Well, my dynamic config is scattered across multiple files and I installed it from the binary.
And yes, Windows Admin Center is a web GUI. It's the Windows version of the Linux Cockpit.

You made me realize that with a TCP router the HTTP one wasn't necessary, so I removed it, and now I get either a NET::ERR_CERT_COMMON_NAME_INVALID error from the browser with TLS passthrough or a "connection reset by peer" error if I use my own certificate.

I would understand the first case because the cert's domains are: "Windows Admin Center", "", "localhost"

Here is the connection reset error:

level=debug msg="Error while handling TCP connection: read tcp 192.168.1.35:34700->192.168.1.125:6516: read: connection reset by peer"

My updated dynamic config is:

tcp:
    routers:
        windows-admin-center:
            entryPoints:
                - "https"
            rule: "HostSNI(`wac.example.com`)"
            service: windows-admin-center
            middlewares:
                - restrictToLocal
            tls:
                certResolver: infomaniak
                options: default
                domains:
                    - main: "*.example.com"
                # passthrough: true

    services:
        windows-admin-center:
            loadBalancer:
                servers:
                    - address: "192.168.1.125:6516"
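The label mistakes this thread keeps running into (a passthrough label on a router name that never got a rule, an HTTP service on port 443 without scheme=https, an HTTP and a TCP router matching the same host, and passthrough combined with a certResolver) can be caught before deploying. The following linter is an added example, not Traefik's own tooling; it only understands the label shapes used in this thread, and its sample input is constructed from the labels posted above.

```python
import re
from collections import defaultdict

LABEL_RE = re.compile(r"^traefik\.(http|tcp)\.(routers|services)\.([^.]+)\.(.+)$")
HOST_RE = re.compile(r"Host(?:SNI)?\(`([^`]+)`\)")

# Constructed sample: the labels posted in this thread, plus the passthrough line added in the update.
THREAD_LABELS = """
traefik.http.routers.test-router.rule=Host(`www.test.com`)
traefik.http.routers.test-router.service=test-service
traefik.http.services.test-service.loadbalancer.server.port=443
traefik.tcp.routers.test-router.rule=HostSNI(`www.test.com`)
traefik.tcp.services.test-service.loadbalancer.server.port=443
traefik.tcp.routers.test-service.tls.passthrough=true
""".split()

def parse_labels(labels):
    """Group labels as cfg[proto][kind][name][dotted.option] = value (options lower-cased)."""
    cfg = defaultdict(lambda: defaultdict(lambda: defaultdict(dict)))
    for label in labels:
        key, _, value = label.partition("=")
        m = LABEL_RE.match(key.strip())
        if m:
            proto, kind, name, option = m.groups()
            cfg[proto][kind][name][option.lower()] = value
    return cfg

def host_of(router):
    # Extract the hostname from a Host(`...`) or HostSNI(`...`) rule, if any.
    m = HOST_RE.search(router.get("rule", ""))
    return m.group(1) if m else None

def lint(labels):
    """Return findings for the label mistakes discussed in this thread."""
    cfg = parse_labels(labels)
    out = []
    for proto in ("http", "tcp"):
        for name, r in cfg[proto]["routers"].items():
            if "rule" not in r:  # a label on a router name that was never given a rule
                out.append(f"{proto} router '{name}' has no rule")
            if r.get("tls.passthrough") == "true" and "tls.certresolver" in r:
                out.append(f"{proto} router '{name}': passthrough never terminates TLS, so certResolver is unused")
    for name, s in cfg["http"]["services"].items():
        if s.get("loadbalancer.server.port") == "443" and s.get("loadbalancer.server.scheme") != "https":
            out.append(f"http service '{name}': port 443 without scheme=https, Traefik would speak plain HTTP")
    tcp_hosts = {host_of(r): n for n, r in cfg["tcp"]["routers"].items() if host_of(r)}
    for name, r in cfg["http"]["routers"].items():
        if host_of(r) in tcp_hosts:
            out.append(f"http router '{name}' and tcp router '{tcp_hosts[host_of(r)]}' both match {host_of(r)}")
    return out
```

Running `lint(THREAD_LABELS)` reports three findings; the working label set posted earlier in the thread (one TCP router with a HostSNI rule, passthrough and its service) reports none.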

How do you define the certresolver?

What do you mean by “localhost” domain in cert? If you use LE you need a valid domain name. If you create your own cert you need to have it available in both Traefik and target service.

I need it too. Have you taken care of it?