Login/Register
Enable Remote Desktop on Windows 10 Container
Asked Answered
Solved dockerwindows-10containersremote-desktopterminal-services
A

3

7

I'm trying to enable remote desktop on a container image.

Dockerfile

FROM mcr.microsoft.com/windows:2004

EXPOSE 3389

RUN net user administrator Stack0verflow
RUN net user administrator /active:yes

# I tried disabling the firewall; but this command errors as Windows Defender Firewall service 
# is not enabled; so presumably if the firewall's not running, it's not a firewall issue.
#RUN netsh advfirewall set allprofiles state off

# switch shell to powershell (note: pwsh not available on the image)
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; $ExecutionPolicy = 'Unrestricted';"]

# enable RDP (value is 1 on the base image)
RUN Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Type 'DWord' -Value 0
# per https://www.withinrafael.com/2018/03/09/using-remote-desktop-services-in-containers/
RUN Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'TemporaryALiC' -Type 'DWord' -Value 1

Note: Since it's a Windows image, I've switched Docker Desktop to Windows Containers (ref: Docker: "no matching manifest for windows/amd64 in the manifest list entries")

I then build this image via: docker build -t win10poc .

... And run it via: docker run --expose 3389 --publish 3390:3389 -it win10poc

The container runs successfully; but I can't connect to it (using mstsc with computer name 127.0.0.1:3390 on the host device; or even doing a Test-NetConnection -ComputerName 127.0.0.1 -Port 3390).

I've also tried running powershell -command "Test-NetConnection -ComputerName 'localhost' -Port 3389" from the container's command prompt; but this also returns a failure; suggesting that the service is not listening on this port.

Note: Running net start TermService on the container returns The requested service has already been started; so it should be listening.

My host device is running Windows 10.0.19041.264.

Note: I've seen a similar question for Windows Server; though asked again as that's for Server rather than Desktop, the question has less info on what's been tried, and there are no answers. As such, I'm hoping this doesn't count as a duplicate.

Arbitral answered 11/2, 2021 at 11:29 Comment(0)
D
9

The reference you used to build your Dockerfile states that after 1709_KB4074588 RDP cannot be made to work anymore. Pulling today that tag does not work either: you get a response from the server but can't execute anything. I have no idea how the windows and servercore images differ in general and in terms of RDP, and on top of that I'm by no means a windows expert. My experience so far (using xfreerdp as client):

  • windows/servercore:1607 cexecsvc running, port 3389 not listening
  • windows/servercore:1709 can connect to RDP but executing an app results in ERRINFO_LOGOFF_BY_USER
  • windows/servercore:1709_KB4074588 behaves same as 1709

Research shows also that you need to disable remote execution whitelist (don't know the correct name).

  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowUnlistedRemotePrograms /t REG_DWORD /d 1
  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList" /v fDisabledAllowList /t REG_DWORD /f /d 1

After reading a brief about sessions, desktops and stations I wrote a quick test enumerating sessions (see LsaEnumerateLogonSessions and LsaGetLogonSessionData) and saw that while a normal RDP session shows many (why? no idea) sessions for the same user and a few of them are interactive (10 - CachedInteractive in my case) a console in a Docker instance shows a single session for the ContainerAdministrator user of type 5 (Proxy - not supported), so as I understand it there's no way to get an interactive desktop from this session.

Dialectology answered 28/5, 2021 at 7:58 Comment(0)
G
4

it seems Windows Containers doesn't support GUI applications and there are no plans to add it in the future.

References:

Greegree answered 21/1, 2023 at 15:50 Comment(2)
So very Windows to make a 3.5GB container with no GUIRidglea
Yep, this is really sad. This would be a nice feature.Kurland
W
0

I did not check if that works, but

Remote Management of a Windows Docker Host https://learn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_remotehost

better check from the link what to execute, there is something like that

New-NetFirewallRule -DisplayName 'Docker SSL Inbound' -Profile @('Domain', 'Public', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort 2376

docker -D -H tcp://wsdockerhost.southcentralus.cloudapp.azure.com:2376 --tlsverify --tlscacert=c:\
users\foo\.docker\client\ca.pem --tlscert=c:\users\foo\.docker\client\cert.pem --tlskey=c:\users\foo\.doc
ker\client\key.pem ps
Ways answered 16/3, 2023 at 15:18 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.