Allow Windows Containers to run using gMSA accounts
We wanted to lift and shift a legacy web app into Azure. An App Service-based web app fitted the bill perfectly, except that no static storage is available.
• Normal Azure Web Apps do not have access to static storage, only container web apps do.
• Container apps cannot natively use Windows Authentication since they are not domain joined machines.
• Windows Containers can be run using a gMSA account to allow NTLM to work on a normal host.
• Per Azure support, gMSA in App Services is not supported.
This means that there is currently no way to implement an NTLM authenticated site with static storage as an Azure Web App.
There is already a suggestion to allow storage access for regular Web Apps; however, there are advantages to using containers that greatly simplify lifting and shifting of legacy applications.
Thus, I suggest allowing gMSA accounts to be used to run Windows Containers in App Services.