CCG plugin notes

Author: macsux

sample/KerberosDemo/Dockerfile

@@ -0,0 +1,18 @@
+# syntax=docker/dockerfile:1
+FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build-env
+WORKDIR /app
+
+# Copy csproj and restore as distinct layers
+COPY *.csproj ./
+RUN dotnet restore
+
+# Copy everything else and build
+COPY ./ ./
+RUN dotnet publish -c Release -o out
+
+# Build runtime image
+FROM mcr.microsoft.com/dotnet/aspnet:5.0
+WORKDIR /app
+COPY --from=build-env /app/out .
+USER "NT AUTHORITY\NETWORK SERVICE"
+ENTRYPOINT ["dotnet", "KerberosDemo.dll"]

sample/KerberosDemo/Startup.cs

@@ -29,21 +29,30 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
-            var serviceAccount = Environment.GetEnvironmentVariable("KRB_SERVICE_ACCOUNT")!;
-            var password = Environment.GetEnvironmentVariable("KRB_PASSWORD")!;
-            var kdcStr = Environment.GetEnvironmentVariable("KRB5_KDC");
-            var domain = serviceAccount.Split("@").Last();
-            var ldapAddress = kdcStr != null ? kdcStr.Split(";").First() : domain;
+            // var serviceAccount = Environment.GetEnvironmentVariable("KRB_SERVICE_ACCOUNT");
+            // if (services == null)
+            // {
+            //     throw new Exception("KRB_SERVICE_ACCOUNT must be set");
+            // }
+            // var password = Environment.GetEnvironmentVariable("KRB_PASSWORD")!;
+            // if (password == null)
+            // {
+            //     throw new Exception("KRB_PASSWORD must be set");
+            // }
+            // var kdcStr = Environment.GetEnvironmentVariable("KRB5_KDC");
+            // var domain = serviceAccount.Split("@").Last();
+            // var ldapAddress = kdcStr != null ? kdcStr.Split(";").First() : domain;
             services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
-                .AddNegotiate(c => c
-                    .EnableLdap(ldap =>
-                    {
-                        ldap.LdapConnection = new LdapConnection(new LdapDirectoryIdentifier(ldapAddress, true, false), new NetworkCredential(serviceAccount, password), AuthType.Basic);
-                        ldap.Domain = domain;
-                        ldap.LdapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
-                        ldap.LdapConnection.SessionOptions.ProtocolVersion = 3; //Setting LDAP Protocol to latest version
-                        ldap.LdapConnection.AutoBind = true;
-                    }));
+                .AddNegotiate();
+                // .AddNegotiate(c => c
+                //     .EnableLdap(ldap =>
+                //     {
+                //         ldap.LdapConnection = new LdapConnection(new LdapDirectoryIdentifier(ldapAddress, true, false), new NetworkCredential(serviceAccount, password), AuthType.Basic);
+                //         ldap.Domain = domain;
+                //         ldap.LdapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
+                //         ldap.LdapConnection.SessionOptions.ProtocolVersion = 3; //Setting LDAP Protocol to latest version
+                //         ldap.LdapConnection.AutoBind = true;
+                //     }));
             services.AddControllers();
             services.AddSwaggerGen(c =>
             {

sample/KerberosDemo/appsettings.json

@@ -1,8 +1,8 @@
 {
   "Logging": {
     "LogLevel": {
-      "Default": "Information",
-      "Microsoft": "Warning",
+      "Default": "Debug",
+      "Microsoft": "Debug",
       "Microsoft.Hosting.Lifetime": "Information"
     }
   },

src/CcgPlugin/CcgCredProvider.cs

@@ -0,0 +1,45 @@
+using System;
+using System.IO;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+namespace CcgPlugin
+{
+
+    [Guid("6ECDA518-2010-4437-8BC3-46E752B7B172")]
+    [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
+    [ComImport]
+    public interface ICcgDomainAuthCredentials
+    {
+        [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime)]
+        void GetPasswordCredentials(
+            [MarshalAs(UnmanagedType.LPWStr), In] string pluginInput,
+            [MarshalAs(UnmanagedType.LPWStr)] out string domainName,
+            [MarshalAs(UnmanagedType.LPWStr)] out string username,
+            [MarshalAs(UnmanagedType.LPWStr)] out string password);
+    }
+    
+    // [Guid("defff03c-3245-465f-8391-cc586a2d1f31")]
+    [Guid("defff03c-3245-465f-8391-cc586a2d1f32")]
+    [ClassInterface(ClassInterfaceType.None)]
+    [ProgId("CcgCredProvider")]
+    public class CcgCredProvider : ICcgDomainAuthCredentials
+    {
+        public CcgCredProvider()
+        {
+            File.WriteAllText(@"c:\temp\ccglog2.txt", "test");
+        }
+        public void GetPasswordCredentials(
+            [MarshalAs(UnmanagedType.LPWStr), In] string pluginInput,
+            [MarshalAs(UnmanagedType.LPWStr)] out string domainName,
+            [MarshalAs(UnmanagedType.LPWStr)] out string username,
+            [MarshalAs(UnmanagedType.LPWStr)] out string password)
+        {
+            File.WriteAllText(@"c:\temp\ccglog.txt", pluginInput);
+            domainName = "mydomain.com";
+            username = "myser";
+            password = "mypassword";
+        }
+        
+    }
+}

src/CcgPlugin/CcgPlugin.csproj

@@ -15,7 +15,7 @@
     <AssemblyOriginatorKeyFile>CcgPlugin.snk</AssemblyOriginatorKeyFile>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-    <PlatformTarget>AnyCPU</PlatformTarget>
+    <PlatformTarget>x64</PlatformTarget>
     <DebugSymbols>true</DebugSymbols>
     <DebugType>full</DebugType>
     <Optimize>false</Optimize>
@@ -38,12 +38,15 @@
     <Reference Include="System.Core" />
   </ItemGroup>
   <ItemGroup>
-    <Compile Include="Class1.cs" />
+    <Compile Include="CcgCredProvider.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
   </ItemGroup>
   <ItemGroup>
     <None Include="CcgPlugin.snk" />
   </ItemGroup>
+  <ItemGroup>
+    <Content Include="ccg.json" />
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
        Other similar extension points exist, see Microsoft.Common.targets.
@@ -52,5 +55,4 @@
   <Target Name="AfterBuild">
   </Target>
   -->
-
-</Project>
+</Project>

src/CcgPlugin/Class1.cs

@@ -0,0 +1,73 @@
+```
+bin\Debug> tlbexp CcgPlugin.dll
+regasm CcgPlugin.dll /tlb:CcgPlugin.tlb
+az aks update -g myResourceGroup -n myAKSCluster --windows-admin-password $WINDOWS_ADMIN_PASSWORD
+```
+
+
+
+```
+MANAGED_ID=$(az aks show -g playaks2 -n MyAKS --query "identityProfile.kubeletidentity.objectId" -o tsv)
+az keyvault secret set --vault-name macsux-vault --name "GMSADomainUserCred" --value "ALMIREX\\gmsa1:P@ssw0rd"
+
+```
+
+
+
+
+
+Azure Plugin registrations
+
+```
+PS C:\ProgramData\docker\credentialspecs> reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CCG\COMClasses" /s
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CCG\COMClasses\{CCC2A336-D7F3-4818-A213-272B7924213E}
+    (Default)    REG_SZ
+
+reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC2A336-D7F3-4818-A213-272B7924213E}" /s
+
+reg query "HKEY_CLASSES_ROOT" /f "CCC2A336-D7F3-4818-A213-272B7924213E" /s 
+
+reg query HKEY_LOCAL_MACHINE\SOFTWARE /f "{CCC2A336-D7F3-4818-A213-272B7924213E}" /s
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC2A336-D7F3-4818-A213-272B7924213E}
+    AppID    REG_SZ    {557110E1-88BC-4583-8281-6AAC6F708584}
+    
+reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{557110E1-88BC-4583-8281-6AAC6F708584}" 1.reg
+reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{557110E1-88BC-4583-8281-6AAC6F708584}" 2.reg
+reg export "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\AppID\{557110E1-88BC-4583-8281-6AAC6F708584}" 3.reg
+
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC2A336-D7F3-4818-A213-272B7924213E}\InprocServer32
+    (Default)    REG_SZ    C:\Windows\System32\CCGAKVPlugin.dll
+    ThreadingModel    REG_SZ    Both
+```
+
+```
+kubectl exec -it node-debugger-aks-nodepool1-39078785-vmss000000-669sp -- /bin/bash
+ssh -l macsux 10.240.0.97 
+```
+
+```powershell
+docker run --security-opt "credentialspec=file://vault.json" --hostname webapp01 -it mcr.microsoft.com/windows/servercore:ltsc2019 powershell
+
+docker run --security-opt "credentialspec=file://ccg.json" --hostname almirex.dc -it kerberos-demo
+
+docker run --security-opt "credentialspec=file://ccg.json" --hostname webapp01 -it mcr.microsoft.com/windows/servercore:ltsc2019 powershell
+
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe CcgPlugin.dll /codebase /tlb
+```
+
+
+
+1. TBS
+
+2. Observability
+
+3. Accelerator
+
+   
+
+4. App Catalog
+
+5. Introduction to TAP

src/CcgPlugin/NOTES.md

@@ -4,11 +4,11 @@
 // General Information about an assembly is controlled through the following 
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
-[assembly: AssemblyTitle("CcgPlugin")]
+[assembly: AssemblyTitle("CcgPlugin2")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
-[assembly: AssemblyProduct("CcgPlugin")]
+[assembly: AssemblyProduct("CcgPlugin2")]
 [assembly: AssemblyCopyright("Copyright ©  2021")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
@@ -19,7 +19,7 @@
 [assembly: ComVisible(true)]
 
 // The following GUID is for the ID of the typelib if this project is exposed to COM
-[assembly: Guid("8A8F0F10-04A9-4726-9592-22ED3797761B")]
+[assembly: Guid("8A8F0F10-04A9-4726-9592-22ED3797761C")]
 
 // Version information for an assembly consists of the following four values:
 //

src/CcgPlugin/Properties/AssemblyInfo.cs

@@ -1,7 +1,107 @@
+# Experiments to get gMSA Container Credentials Manager working. 
+
+### Goal: 
+
+Implement a C# plugin that is invoked by CCM to provide credentials for container launch on non-domain joined machine. The process is documented in the following articles:
+
+https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
+
+https://docs.microsoft.com/en-us/windows/win32/api/ccgplugins/nf-ccgplugins-iccgdomainauthcredentials-getpasswordcredentials
+
+### Current problem: 
+
+Cannot get CCM to activate COM component
+
+### What has been tried:
+
+1. Implemented COM interface as C# project
+
+2. Compile in x64 mode (Debug config)
+
+3. Register to COM from `bin\Debug` folder via `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe CcgPlugin.dll /tlb /codebase`
+
+4. Add COM registration to CCG
+
+   ```
+   Windows Registry Editor Version 5.00
+   
+   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CCG\COMClasses\{DEFFF03C-3245-465F-8391-CC586A2D1F32}]
+   ```
+
+   
+
+5. Place `ccg.json` into `C:\ProgramData\Docker\credentialspecs`
+
+6. Try to start container with `docker run --security-opt "credentialspec=file://ccg.json" --hostname webapp01 -it mcr.microsoft.com/windows/servercore:ltsc2019 powershell`
+
+### Expected result:
+
+1. Some kinda logs created in `c:\temp` (first on component activation, and method invocation)
+
+### Actual result:
+
+1. No logs in `c:\temp`
+
+## Additional info
+
+### Validate COM registration
+
+COM registration seems to be successful, as it can be activated like this:
+
+```c#
+ var otherType = Type.GetTypeFromCLSID(new Guid("DEFFF03C-3245-465F-8391-CC586A2D1F32"));
+var otherInstance = Activator.CreateInstance(otherType).Dump();
+object[] args = new object[] { "test","","","" };
+ParameterModifier pMod = new ParameterModifier(4);
+pMod[1] = true;
+pMod[2] = true;
+pMod[3] = true;
+ParameterModifier[] mods = { pMod };
+
+otherType.InvokeMember("GetPasswordCredentials", BindingFlags.InvokeMethod | BindingFlags.NonPublic | BindingFlags.Public , null, otherInstance, args, mods, null, null);
+
 ```
-bin\Debug> tlbexp CcgPlugin.dll
-regasm CcgPlugin.dll /tlb:CcgPlugin.tlb
-```
 
+### Confirm correct COM signature
+
+1. Windows SDK installed to get original `IDL` for `ccgplugins`. Necessary files are in `C:\Program Files (x86)\Windows Kits\10\Include\10.0.20348.0\um`
+
+2. IDL converted to `TLB` as following:
+
+   ```
+   midl ccgplugins-lib.idl /tlb ccgplugins.tlb
+   
+   ```
+
+3. `TLB` converted to `.NET` assembly DLL via `tlbimp ccgplugins.tlb /out:ccgplugins-net.dll`
+
+   ```
+   tlbimp ccgplugins.tlb /out:ccgplugins-net.dll
+   ```
+
+4. Reverse decompilation of the resulting DLL via Jetbrains DotPeek confirms that the correct signature for the interface as:
+
+   ```c#
+   namespace ccgplugins\u002Dnet
+   {
+     [Guid("6ECDA518-2010-4437-8BC3-46E752B7B172")]
+     [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
+     [ComImport]
+     public interface ICcgDomainAuthCredentials
+     {
+       [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime)]
+       void GetPasswordCredentials(
+         [MarshalAs(UnmanagedType.LPWStr), In] string pluginInput,
+         [MarshalAs(UnmanagedType.LPWStr)] out string domainName,
+         [MarshalAs(UnmanagedType.LPWStr)] out string username,
+         [MarshalAs(UnmanagedType.LPWStr)] out string password);
+     }
+   }
+   
+   ```
+
+   
 
+### AKS plugin
 
+It was confirmed that AKS plugin that implements the above interface does work and is able to be spun up and start container with GMSA creds as per this article. https://docs.microsoft.com/en-us/azure/aks/use-group-managed-service-accounts