Windows authentication on Traefik 2.0

I have a Windows docker container with IIS and Windows authentication on HTTPS in a docker swarm.
The container is verified to work with Windows authentication via a host port mapping.
We would like to use Traefik so we don't need to map a port to the host.
In Traefik 1.x this was not possible due to the lack of TCP routing.
We think it should be possible to do with Traefik 2.0.
Does anyone have a docker label example which works with Windows authentication?

Kind regards,
Marc

1 Like

Can you elaborate what is "windows authentication" please? Is it a backend service to be served through Traefik? Or is it an external authentication system to be used by Traefik for incoming requests to your other webapps?

Any help with a current config and a diagram would help us give you the right label :slight_smile:

In the Windows world, "Windows Authentication" has a quite established, unambiguous meaning:

@dduportal @zespri thanks for your quick response.

Traefik should not handle the authentication.
The container will handle the authentication, but the requests should go through Traefik and be forwarded to the container. As far as I know this also uses a TCP connection, and this was the reason it could not work with Traefik 1.x.
I use these labels now, but they don't work:

    - "traefik.enable=true"
    - "traefik.http.routers.test-router.rule=Host(`www.test.com`)"
    - "traefik.http.routers.test-router.service=test-service"
    - "traefik.http.routers.test-router.entrypoints=https"
    - "traefik.http.routers.test-router.tls=true"
    - "traefik.http.services.test-service.loadbalancer.server.port=443"
    - "traefik.http.services.test-service.loadbalancer.sticky=true"
    - "traefik.tcp.routers.test-router.rule=HostSNI(`www.test.com`)"
    - "traefik.tcp.routers.test-router.tls=true"
    - "traefik.tcp.services.test-service.loadbalancer.server.port=443" 

If you need more info I can provide that, but it will take some time to make a diagram.

Thanks for the explanation @marcgerritsen!

Based on your feedback, there are other questions raised in order to help you get to the right configuration. The labels you used are a good starting point, but the high-level need has to be clarified even more:

Can you confirm that:

  • What you refer to as "Windows Authentication" is an application using the HTTP protocol (with or without TLS)?
  • I see that the "backend" container for "Windows Authentication" only listens on its port 443. Should HTTP requests go through this port on the backend as well?
  • Do you want TLS to be terminated by Traefik or by the backend system?

The container generates a self-signed certificate, so Traefik connects to it through HTTPS.
In the global config we configured insecureSkipVerify=true, so this works. Ideally we would install our root certificate in Traefik to verify the connection, but we could not get that working in 1.x.
Traefik terminates TLS with our public wildcard certificate. So Traefik receives HTTPS traffic and sends HTTPS traffic over different connections with different certificates.
Hope this answers your questions @dduportal.

Update:
It works if I install my wildcard certificate in the container and add

        - "traefik.tcp.routers.test-service.tls.passthrough=true"

I see other problems accessing other HTTPS docker containers without Windows authentication, so I should fix this first. This was working for us in Traefik 1.x, but probably I made a mistake or Traefik does not honor

    [serversTransport]
      insecureSkipVerify = true

Traefik responds with Bad Request. I'll try to fix this first, which maybe also fixes the original problem.

Update 2:
The Bad Gateway error came from connecting by HTTP instead of HTTPS, so adding

        - "traefik.http.services.test-service.loadbalancer.server.scheme=https"

fixed that problem. Unfortunately the original problem is not yet solved.

Hi @marcgerritsen, I am sorry, but I don't understand the problem. Would you have a diagram explaining the topology to help us understand what you're trying to achieve, please?

I can confirm that Windows Integrated Authentication works successfully with Traefik 2.0 using TCP routers, with successful logins proven on Windows/Mac using Safari/Chrome/IE.

Note that when testing it is important to ensure you have cleared cookie caches, or you can get unpredictable results due to prior login attempts on non-working configurations you may have attempted.

In our configuration we have a mixed-OS docker Swarm (Linux/Windows) with Traefik operating on Linux and sending requests straight to back-end Windows-containers running on Windows swarm nodes.

If you have configured your Windows app and containers correctly, I can confirm that from:

  • A domain-joined machine you will get straight-through login to Windows back-end containers using the domain-joined machine's Kerberos credentials.
  • A non-domain-joined machine the connection will downgrade to Windows NTLM authentication and prompt for Windows authentication credentials.

From a Traefik configuration perspective our docker containers have labels like this:

        - "traefik.tcp.routers.dotnet-tcpexample.entrypoints=websecure"
        - "traefik.tcp.routers.dotnet-tcpexample.tls=true"
        - "traefik.tcp.routers.dotnet-tcpexample.tls.options=default"
        - "traefik.tcp.routers.dotnet-tcpexample.rule=HostSNI(`windows.foo.bar`)"
        - "traefik.tcp.routers.dotnet-tcpexample.tls.passthrough=true"
        - "traefik.tcp.routers.dotnet-tcpexample.service=dotnet-tcpexample"
        - "traefik.tcp.services.dotnet-tcpexample.loadbalancer.server.port=443"

Note that configuring containers for Windows Integrated Authentication is in itself non-trivial, but it is documented here.

2 Likes

Hey @fifofonix, this is cool. Would you be able to write a short "User Guide" on Traefik's docs for this?

1 Like

@fifofonix, can you verify your settings work with Windows Admin Center?
I'm trying to get that to work for me, and I keep getting an internal server error.
Here is my config...

    # HTTPS Proxy for Windows Admin Center
    http:
      routers:
        wac:
          rule: "Host(`wac.domain.tld`)"
          middlewares:
            - chain-private-oauth
          tls:
            certResolver: letsEncrypt
          service: wac
      services:
        wac:
          loadBalancer:
            servers:
              - url: "https://windows.domain.tld:6516/"
    tcp:
      routers:
        wac-ntlm:
          rule: HostSNI(`wac.domain.tld`)
          entrypoints: web-secure
          tls:
            options: default
            passthrough: true
          service: wac-ntlm
      services:
        wac-ntlm:
          loadBalancer:
            servers:
              - address: "windows.domain.tld:6516"
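
The three configurations quoted in this thread (the first poster's labels without passthrough, the labels reported as working, and the Windows Admin Center file config just above) differ in ways that are easy to miss by eye. The script below is an added example, not Traefik's code or any poster's configuration. It expands docker labels into the nested structure Traefik builds from them and checks for the shape the thread converged on: a TCP router matching on HostSNI with tls.passthrough=true and a TCP service behind it, so the TLS session and the connection-oriented NTLM handshake run end to end between browser and IIS container. It also flags a caveat that the Windows Admin Center config runs into: Traefik evaluates TCP routers before HTTP routers on a shared entry point, so the HTTP router's chain-private-oauth middleware never sees connections for that host; with passthrough, any authentication has to happen in the backend. The label lists and the dict are constructed to mirror the ones quoted, and the function names are assumptions of this example.

```python
"""Lint a Traefik v2 dynamic configuration (docker labels or a YAML-shaped
dict) for the settings a Windows Integrated Authentication backend needs.

Added example; the sample configurations below are constructed to mirror
the ones quoted in this thread, not anyone's running setup.
"""
import re

HOST_RE = re.compile(r"Host(?:SNI)?\(`([^`]+)`\)")


def labels_to_config(labels):
    """Expand 'traefik.tcp.routers.r.tls.passthrough=true' style labels
    into the nested dict Traefik builds from them."""
    config = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if parts[0] != "traefik" or len(parts) < 2:
            continue
        node = config
        for part in parts[1:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                # "tls=true" is refined later by "tls.passthrough=true"
                child = node[part] = {}
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            continue  # keep sub-keys already set under this name
        node[leaf] = value
    return config


def _entrypoints(router):
    value = router.get("entrypoints", [])
    if isinstance(value, str):
        value = [v.strip() for v in value.split(",") if v.strip()]
    return set(value)  # empty set: the router listens on every entry point


def _host(router):
    match = HOST_RE.search(str(router.get("rule", "")))
    return match.group(1) if match else None


def check_windows_auth(config):
    """Return a list of findings; empty means the TCP passthrough shape is
    present and no HTTP middleware is silently bypassed for that host."""
    findings = []
    tcp_routers = config.get("tcp", {}).get("routers", {})
    tcp_services = config.get("tcp", {}).get("services", {})
    http_routers = config.get("http", {}).get("routers", {})
    if not tcp_routers:
        return ["no tcp router: Traefik would terminate TLS and proxy HTTP, "
                "which does not keep one client connection per backend connection"]
    for name, router in tcp_routers.items():
        tls = router.get("tls")
        if not (isinstance(tls, dict) and str(tls.get("passthrough")).lower() == "true"):
            findings.append(f"tcp router {name}: tls.passthrough is not true, "
                            "so TLS is terminated at Traefik instead of the container")
        if _host(router) is None or not str(router.get("rule", "")).startswith("HostSNI("):
            findings.append(f"tcp router {name}: rule must be HostSNI(`...`) to match on the TLS SNI")
        service = router.get("service")
        if service and service not in tcp_services:
            findings.append(f"tcp router {name}: service {service} is not defined under tcp.services")
        # TCP routers are evaluated before HTTP routers on a shared entry point,
        # so an HTTP router for the same host never sees these connections and
        # its middlewares (auth chains, headers, rate limits) never run.
        for hname, hrouter in http_routers.items():
            same_host = _host(hrouter) == _host(router)
            tcp_eps, http_eps = _entrypoints(router), _entrypoints(hrouter)
            shared = not tcp_eps or not http_eps or bool(tcp_eps & http_eps)
            if same_host and shared and hrouter.get("middlewares"):
                findings.append(f"http router {hname}: shadowed by tcp router {name} for "
                                f"{_host(router)}; middlewares {hrouter['middlewares']} will not run")
    return findings


# Constructed to mirror the first poster's labels (no passthrough).
BROKEN_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.test-router.rule=Host(`www.test.com`)",
    "traefik.http.routers.test-router.service=test-service",
    "traefik.http.routers.test-router.entrypoints=https",
    "traefik.http.routers.test-router.tls=true",
    "traefik.http.services.test-service.loadbalancer.server.port=443",
    "traefik.tcp.routers.test-router.rule=HostSNI(`www.test.com`)",
    "traefik.tcp.routers.test-router.tls=true",
    "traefik.tcp.services.test-service.loadbalancer.server.port=443",
]

# Constructed to mirror the labels reported as working in the thread.
WORKING_LABELS = [
    "traefik.tcp.routers.dotnet-tcpexample.entrypoints=websecure",
    "traefik.tcp.routers.dotnet-tcpexample.tls=true",
    "traefik.tcp.routers.dotnet-tcpexample.tls.options=default",
    "traefik.tcp.routers.dotnet-tcpexample.rule=HostSNI(`windows.foo.bar`)",
    "traefik.tcp.routers.dotnet-tcpexample.tls.passthrough=true",
    "traefik.tcp.routers.dotnet-tcpexample.service=dotnet-tcpexample",
    "traefik.tcp.services.dotnet-tcpexample.loadbalancer.server.port=443",
]

# Constructed dict with the shape of the Windows Admin Center file config:
# an OAuth middleware chain on the HTTP router and a passthrough TCP router.
WAC_CONFIG = {
    "http": {"routers": {"wac": {"rule": "Host(`wac.domain.tld`)",
                                 "middlewares": ["chain-private-oauth"],
                                 "service": "wac"}}},
    "tcp": {"routers": {"wac-ntlm": {"rule": "HostSNI(`wac.domain.tld`)",
                                     "entrypoints": "web-secure",
                                     "tls": {"options": "default", "passthrough": True},
                                     "service": "wac-ntlm"}},
            "services": {"wac-ntlm": {"loadBalancer": {"servers": [{"address": "windows.domain.tld:6516"}]}}}},
}

if __name__ == "__main__":
    for title, cfg in [("broken labels", labels_to_config(BROKEN_LABELS)),
                       ("working labels", labels_to_config(WORKING_LABELS)),
                       ("WAC file config", WAC_CONFIG)]:
        print(f"{title}: {check_windows_auth(cfg) or ['ok']}")
```

Run against the first label set it reports only the missing passthrough; the working set passes clean; the Windows Admin Center shape passes the passthrough checks but reports that the chain-private-oauth middleware is bypassed, since the TCP router claims the TLS connection for wac.domain.tld before the HTTP router is consulted. The entry point comparison treats a router with no entrypoints as listening on all of them, which is Traefik's default.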

I am also configuring Windows Admin Center to work through Traefik.
I get the login prompt; after pressing enter I get "Internal Server Error".
It works fine if I directly use the IP address of the Windows Admin Center server.

Were you able to fix it?