Windows Docker runner doesn't have permissions to pull image from GitLab container registry
Summary
When I try to use an image from a GitLab container registry in a job using the image field, I get the following error:
Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped.
The project with the base image is internal and jobs from other projects must have access to it. I have the same workflow for Linux and it works perfectly.
Steps to reproduce
I have the following workflow CI/CD pipelines:
- Build and push a base image to the GitLab container registry by using Windows shell executor:

    build_and_publish:
      stage: build
      script:
        - !reference [.docker_login, script]
        - docker build -t "${env:CI_REGISTRY_IMAGE}:${env:CI_COMMIT_REF_NAME}" .
        - docker push "${env:CI_REGISTRY_IMAGE}:${env:CI_COMMIT_REF_NAME}"

    .docker_login:
      script:
        - docker --version
        - docker login -u $env:CI_REGISTRY_USER -p $env:CI_REGISTRY_PASSWORD $env:CI_REGISTRY

- Pull the base image in jobs using Windows docker executor:

    test_cpp:windows:
      stage: test_cpp
      image: registry.xxxx.net/org/pa/iiot/drift/devops/base_windows:main
      variables:
        TOOLCHAIN_FILE: ".\\build\\generators\\conan_toolchain.cmake"
      script:
        - !reference [ .init_build_env, script ]
        - !reference [ .build_and_test, script ]

Actual behavior
The image was not pulled due to the authorization error.
Expected behavior
The image registry.xxxx.net/org/pa/iiot/drift/devops/base_windows:main must be pulled without errors.
Relevant logs and/or screenshots
job log
Running with gitlab-runner 17.6.0 (374d34fd)
on gitlab-windows-runner t2_NP8844, system ID: s_1376f0a87fd0
feature flags: FF_NETWORK_PER_BUILD:true
Preparing the "docker-windows" executor
Using Docker executor with image registry.ferrumdigital.net/org/pa/iiot/drift/devops/base_windows:main ...
Authenticating with credentials from C:\Windows\system32\config\systemprofile\.docker\config.json
Pulling docker image registry.ferrumdigital.net/org/pa/iiot/drift/devops/base_windows:main ...
WARNING: Failed to pull image with policy "always": Error response from daemon: Head "https://registry.ferrumdigital.net/v2/org/pa/iiot/drift/devops/base_windows/manifests/main": unauthorized: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped. See https://git.ferrumdigital.net/help/user/profile/account/two_factor_authentication_troubleshooting.md#error-http-basic-access-denied-if-a-password-was-provided-for-git-authentication- (manager.go:251:0s)
ERROR: Job failed: failed to pull image "registry.ferrumdigital.net/org/pa/iiot/drift/devops/base_windows:main" with specified policies [always]: Error response from daemon: Head "https://registry.ferrumdigital.net/v2/org/pa/iiot/drift/devops/base_windows/manifests/main": unauthorized: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped. See https://git.ferrumdigital.net/help/user/profile/account/two_factor_authentication_troubleshooting.md#error-http-basic-access-denied-if-a-password-was-provided-for-git-authentication- (manager.go:251:0s)
Environment description
I use custom installation on Windows Server 2022.
config.toml contents
concurrent = 4
check_interval = 0
connection_max_age = "15m0s"
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "gitlab-windows-runner"
  url = "https://git.xxxx.net"
  id = 14
  token = "glrt-****"
  token_obtained_at = 2024-12-03T10:37:03Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "docker-windows"
  shell = "pwsh"
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.feature_flags]
    FF_NETWORK_PER_BUILD = true
  [runners.docker]
    tls_verify = false
    image = "mcr.microsoft.com/windows/nanoserver:ltsc2022"
    memory = "8g"
    cpus = "3"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["c:\\cache"]
    shm_size = 0
    network_mtu = 0

[[runners]]
  name = "windows-shell-runner"
  url = "https://git.xxxx.net"
  id = 15
  token = "glrt-****"
  token_obtained_at = 2024-12-16T09:34:22Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "shell"
  shell = "pwsh"
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
Used GitLab Runner version
Version: 17.6.0
Git revision: 374d34fd
Git branch: 17-6-stable
GO version: go1.22.7
Built: 2024-11-20T09:30:37+0000
OS/Arch: windows/amd64
Possible fixes
The only way I can work around the problem is to manually change the credentials in the C:\Windows\System32\config\systemprofile\.docker\config.json file and restart the Docker service. However, the Windows shell executor overwrites them when I build a new version of the base image and the downstream pipelines stop working again.
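
An added example, not part of the original report or of GitLab Runner's code: the job log above shows the runner authenticating from the service account's `.docker\config.json`, the file the report says the shell executor's `docker login` overwrites. This PowerShell function lists which user each registry entry in such a file holds, without printing the secret. The function name and the sample file are constructed for illustration; `gitlab-ci-token` is the value GitLab sets for `CI_REGISTRY_USER` in a job.

```powershell
# Added example: audit a Docker CLI config.json for stored registry logins.
# Only user names are returned; the secret half of each "auth" value is dropped.
function Get-DockerConfigLogin {
    param([Parameter(Mandatory)][string]$Path)

    $cfg = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json

    # With a credential helper configured, entries under "auths" are empty
    # objects and the secrets live in the helper, not in this file.
    if ($cfg.credsStore) {
        Write-Warning "credsStore '$($cfg.credsStore)' is set; secrets are held by the helper"
    }
    if (-not $cfg.auths) { return }

    foreach ($entry in $cfg.auths.PSObject.Properties) {
        $user = $null
        if ($entry.Value.auth) {
            # "auth" is base64("user:secret"); split on the first colon only.
            $bytes = [Convert]::FromBase64String($entry.Value.auth)
            $plain = [Text.Encoding]::UTF8.GetString($bytes)
            $user  = ($plain -split ':', 2)[0]
        }
        [pscustomobject]@{
            Registry   = $entry.Name
            User       = $user
            # A job-scoped login: its password is the job token of one CI job.
            IsJobToken = ($user -eq 'gitlab-ci-token')
        }
    }
}

# Constructed sample file (hypothetical hosts and secrets), so this runs offline.
$toB64  = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)) }
$sample = Join-Path ([IO.Path]::GetTempPath()) 'docker-config-sample.json'
@{
    auths = @{
        'registry.example.test' = @{ auth = (& $toB64 'gitlab-ci-token:constructed-job-token') }
        'other.example.test'    = @{ auth = (& $toB64 'deploy-user:constructed-secret') }
        'helper.example.test'   = @{}
    }
} | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $sample

Get-DockerConfigLogin -Path $sample | Sort-Object Registry | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

Run against the path named in the job log after a shell-executor build, it shows whether a job-scoped login (GitLab documents `CI_REGISTRY_PASSWORD` as valid only while its job runs) has replaced the manually set credentials. The Docker CLI writes its login to the directory named by the `DOCKER_CONFIG` environment variable when that is set, so a per-job directory keeps `docker login` out of the shared file.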