• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Ron McLeod
  • Rob Spoor
  • Tim Cooke
  • Junilu Lacar
  • Henry Wong
  • Liutauras Vilda
  • Jeanne Boyarsky
Saloon Keepers:
  • Jesse Silverman
  • Tim Holloway
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
  • Al Hobbs
  • Mikalai Zaikin
  • Piet Souris

gMsa and hyper-v isolation using Windows Server 2016 containers and Windows Server 2019 host

Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Hi everyone,

We are dealing with incompatibilities running our applications with gMsa in Windows Server 2016 containers using docker. We are using Windows Server 2019 as the host and hyper-v isolation.

Host: Windows Server 2019 10.0.17763
Container: Windows 2016 10.0.14393 (build 1607)

dockerfile with the following base images

FROM mcr.microsoft.com/dotnet/framework/runtime:4.6.2-windowsservercore-ltsc2016
FROM mcr.microsoft.com/windows/servercore:ltsc2016


version: '3.9'
image: ""
hostname: "CFMgMsa"
isolation: "hyperv"
command: ping -t localhost
dns_search: pj16.loc
- credentialspec=file://pj16_cfmgmsa.json

driver: l2bridge
com.docker.network.windowsshim.interface: IPC
- subnet:

According to Microsoft, it is possible to run Windows Server 2016 containers in Windows Server 2019 host as long as hyper-v isolation is used. We can verify the container Is running because it can be built and deployed with docker-compose.

But when trying to run the application, it simply does not run.

We went to do the gMsa troubleshoot tests using the only official Microsoft document that we could find, that has already 2 years old (https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-troubleshooting Troubleshoot gMSAs for Windows containers | Microsoft Docs), with the following results

1. Tests in the host
a. Test-ADServiceAccount <our app>
i. True
b. Firewall rules configured for correct traffic support
2. Tests in the container (gMsa related)

nltest /sc_verify:pj16.loc and klist get krbtgt always fail in this scenario (where the application has gMsa, and hyper-v is used)

The only scenarios where the application works correctly is when hyper-v is not used, but on that scenarios the host and the container OS must match, meaning Windows Server 2019 host with Windows Server 2019 container or Windows Server 2016 host with Windows Server 2016 container.

We found on the internet this page GitHub - plooploops/windows-containers-AD: Working with AD and Windows Containers where it looks a team is tried to do the same but with the same result.

In our scenario we are using Windows Server 2016 10.0.14393 build 1607 that is even older than 1803. We do not know as well the corresponding server for 1709 build.

The question is: Is there any build combination between Windows Server 2019 host and Windows Server 2016 container for gMsa and hyper-v run correctly, or it is really incompatible, and the only solution for this specific scenario is to match the OS and container version?

[Thumbnail for containerRunning.jpg]
[Thumbnail for hostcontainercompatibility.jpg]
[Thumbnail for nltest.jpg]
Posts: 73984
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Welcome to the Ranch

Rather than writing <a href=...> tags, please use the URL button above the edit window. That will make your link come out as:- Troubleshoot gMSAs for Windows containers | Microsoft Docs)
Afraid the only clouds I know anything about are cumulus, numbus, cirrus and stratus.
This tiny ad is suggesting that maybe she should go play in traffic.
Thread Boost feature
    Bookmark Topic Watch Topic
  • New Topic