10.2.600.5 Enterprise Search: Access Denied (BO.APIKey)

I’m trying to re-deploy Enterprise Search in my live environment after I upgraded from to 10.2.600.5 last night, but I’m running into some odd error.

I deployed the extension without issue. It uses a wildcard cert issued from a CA. I did create the DB on the deployment, so it’s brand new.

I can see the Windows service is also running under the correct account as defined in the Service Account config.

In the Enterprise Search Management, I registered the search server with valid configurations and am able to ping both the server and port used for search service without issue.

There are no indexes (indices?) under the Search Index node, so I go to Create Index and select the Epicor ERP template and click next


When I select the Windows endpoint binding and enter in my server and click Validate Connection to Continue, it throws this error:

System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Access denied (BO.APIKey).

Contact your System Administrator to ensure you have access. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
Epicor.Search.Exceptions.EpicorSearchException: Unable to test application server connection. Reason: Access denied (BO.APIKey).

Contact your System Administrator to ensure you have access. ----> System.ServiceModel.FaultException: Access denied (BO.APIKey).

Contact your System Administrator to ensure you have access.

Server stack trace: 

   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 

   at System.Runtime.Remoting.Proxies.RealProxy.HandleRe...).

In the Server Log (right click on the search server>Show Server Log) it gives a bit more info related to a certificate type error (scrubbed the service account for security but it’s the same account the service is running under):

Hosting: [{serviceAccount}] [08/15/20 13:04:51] [4] Error initializing service 'SearchAccess'. Ex: System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'localhost'.
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
   at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(StoreLocation storeLocation, StoreName storeName, X509FindType findType, Object findValue)
   at System.ServiceModel.Configuration.X509RecipientCertificateServiceElement.ApplyConfiguration(X509CertificateRecipientServiceCredential cert)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.ApplyConfiguration(ServiceCredentials behavior)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.CreateBehavior()
   at System.ServiceModel.Description.ConfigLoader.LoadBehaviors[T](ServiceModelExtensionCollectionElement`1 behaviorElement, KeyedByTypeCollection`1 behaviors, Boolean commonBehaviors)
   at System.ServiceModel.Description.ConfigLoader.LoadServiceDescription(ServiceHostBase host, ServiceDescription description, ServiceElement serviceElement, Action`1 addBaseAddress, Boolean skipHost)
   at System.ServiceModel.ServiceHostBase.LoadConfigurationSectionInternal(ConfigLoader configLoader, ServiceDescription description, ServiceElement serviceSection)
   at System.ServiceModel.ServiceHostBase.ApplyConfiguration()
   at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses)
   at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
   at Epicor.Search.IndexerSvc.WindowsService.AddSearchService().
Administration: [{serviceAccount}] [08/15/20 13:05:33] [9] Unable to retrieve company list. Reason: Access denied (BO.APIKey).

Contact your System Administrator to ensure you have access.
Administration: [{serviceAccount}] [08/15/20 13:10:48] [8] Unable to test application server connection. Reason: Access denied (BO.APIKey).

Contact your System Administrator to ensure you have access.
Administration: [{serviceAccount}] [08/15/20 13:19:29] [69] Unable to test application server connection. Reason: Access denied (BO.APIKey).

Contact your System Administrator to ensure you have access.

I didn’t see this in the install instructions, any ideas?
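
The certificate lookup that fails in the server log above (StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'localhost') can be repeated from PowerShell on the search server. This is an added example, not part of the original post or of Epicor's tooling; it uses only the values from that log line and the .NET X509Store API, in which FindBySubjectName is a case-insensitive substring match on the certificate subject.

```powershell
# Added example: repeat the X.509 lookup reported in the Enterprise Search server log.
# Store name, store location, find type and find value are taken from that log line.
$findValue = 'localhost'

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
    [System.Security.Cryptography.X509Certificates.StoreName]::My,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

try {
    # validOnly = $false so expired or untrusted certificates are still reported.
    $hits = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName,
        $findValue,
        $false)

    if ($hits.Count -eq 0) {
        # Same condition the log reports as "Cannot find the X.509 certificate".
        Write-Warning "No certificate in LocalMachine\My has '$findValue' in its subject."
    }
    elseif ($hits.Count -gt 1) {
        # The WCF helper in the stack trace takes a throwIfMultipleOrNoMatch flag,
        # so more than one match is worth flagging as well.
        Write-Warning "$($hits.Count) certificates in LocalMachine\My match '$findValue'."
    }

    # Show every certificate in the store next to the lookup result, so a CA-issued
    # wildcard certificate and the subject the service is asking for can be compared.
    $matched = @($hits | ForEach-Object { $_.Thumbprint })
    $store.Certificates |
        Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint,
            @{ Name = 'MatchesFindValue'; Expression = { $matched -contains $_.Thumbprint } } |
        Sort-Object Subject |
        Format-Table -AutoSize
}
finally {
    $store.Close()
}
```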

Sounds like a very similar issue, but I am not using a self signed cert

I am doing an upgrade to 10.2.600.9 this weekend. I ran into a different error with Enterprise search but this is after it was deployed and indexed related to not changing the Enterprise Search in Company Maintenance to the FQDN like I did for the Search Server to match the Self Sign Certificate.

Did you bind the wildcard certificate from the CA to the Default Website?

From the information you have given and you have verified the binding of the wildcard certificate to the Default Website, I think your issue is maybe your Endpoint format. I cannot see the Endpoint but the format should be net.tcp://serverName/SiteName/. Is the Endpoint set up like this?

The other thing I think it might be is the service account does not have permissions probably in Windows but maybe in Epicor.

-Did you notice that in 10.2.600.6 or later you will have to redeploy Enterprise Search again?
-If you use Active Homepage (Kinetic) and have multiple companies, you should be at 10.2.600.7 or newer otherwise users will have to switch companies, close Epicor client, and open Epicor client again to use menus in company switched to.

Yes the wildcard cert is bound to the default site and is the same one I chose for deployment of enterprise search.
I am using Windows binding for that environment and did verify my endpoint is correct. I also tried giving this service account the “enterprise search” security group but that seemed to have no effect on the behavior. The service accounts I’ve tried are all related to Epicor and have no issues otherwise so I think it’s definitely a bug here, or at least some pretty terrible documentation on a standard install.
I don’t use active home page and we aren’t multi company thank goodness. I turned enterprise search off since we don’t really use it anyways

I do not think too many people use it at our company either.

-Does the service account have local administration permissions on the server?
-Where is the certificate installed? (eg Trusted Root, Personal, Both)
-Have you tried restarting the App Pool for Enterprise Search?
-Have you tried restarting the App Pool for App Server?
-Have you tried restarting the server since setting up Enterprise Search?

Wonder if this is a bug in 10.2.600? I deployed Enterprise Search the same way as you including a CA wildcard in 10.2.400 and don’t get an error. I’m going to be standing up our 10.2.600 test environment in the next week or so. Will be interested to see if I get the same error.

-I don’t think so but I’ll check, they are limited to their function so likely not admin but I’ll check
-personal, Should it also be in trusted?
-restarted app pools for epicor and enterprise search
-didn’t restart whole machine though

Good questions, I think either I did something funky or there’s a bug :bug:

Do it now so we can confirm :wink:



@pmchikes Thanks. Yes, we do have an issue with switching plants with Active Home Page. It’s on 10.2.600.6.