Can't Login to Epicor with Domain MFA account due to permissions - Security Audit Failure - Null SID

I’ve just implemented Authlite MFA for domain admin users. I have 4 domain admins that utilize Epicor. I do not want to remove their domain admin privileges and create new Windows accounts solely for DA purposes.

I have found that, when logged in with my domain account Domain\jdoe (which uses Authlite MFA) and attempting to log in to Epicor with my username JOHNDOE and password johndoe, the security audit fails with NULL SID because the MFA software appends the security passcode to my account name (jdoe-951398). It then just sits there attempting to connect.

If I log on to the domain computer without an MFA account, I can log in to Epicor without issue.

What can I do to allow me to log in to Epicor with my domain account which has MFA?
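The failure described above shows up in the Windows Security log as a logon failure whose target account resolved to the NULL SID (S-1-0-0). The following PowerShell is an added triage example, not code from the thread or from Authlite or Epicor: it pulls recent Event ID 4625 records from the local machine, keeps those with a NULL target SID, and flags the ones whose target user name carries a trailing "-<digits>" suffix like the jdoe-951398 name in the post. The suffix regex and the 6-to-8 digit length are assumptions; adjust them to the passcode format your MFA product actually emits.

```powershell
# Added example (not from the thread): list Security-log 4625 logon failures
# where the target account resolved to the NULL SID (S-1-0-0) and the account
# name ends in "-<digits>", the pattern the post describes for an MFA-modified
# name (jdoe-951398). The suffix pattern is an assumption; tune it as needed.
# Run in an elevated PowerShell session on the workstation where the Epicor
# login was attempted (reading the Security log requires admin rights).
param(
    [int]$MaxEvents = 500,
    [string]$SuffixPattern = '^(?<base>[^\\@]+)-(?<otp>\d{6,8})$'
)

# Pull the most recent logon-failure events only; 4625 is "An account failed to log on".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Event 4625 fields (TargetUserSid, TargetUserName, Status, SubStatus, ...)
    # are only exposed through the event XML, so parse it into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only failures where the supplied name could not be mapped to a SID.
    if ($data['TargetUserSid'] -ne 'S-1-0-0') { continue }

    # Keep only names that look like "<account>-<passcode>".
    if (-not ($data['TargetUserName'] -match $SuffixPattern)) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Workstation = $data['WorkstationName']
        Account     = $data['TargetUserName']
        BaseAccount = $Matches['base']     # the name with the suffix stripped
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
        LogonType   = $data['LogonType']
    }
}
```

A SubStatus of 0xC0000064 on these records means the user name does not exist in the directory, which is what you would expect when an application hands AD a name it has never seen; seeing the suffixed name in BaseAccount/Account side by side confirms whether the client is passing the modified name through rather than the plain one.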

This is a best practice from a Zero Trust networking perspective: give least privilege to get the job done. Epicor doesn’t need DA rights.

We have our regular account with email. We have an application admin account for Epicor with NO Email Accounts to prevent phishing. Finally, there are Domain Admins (also NO Email Accounts) for domain work only. Some companies lock down the Global Domain Admin to only be able to work at a specific workstation. It’s a PITA but it keeps your network safer.

To get MFA with Epicor, I think your only path is Azure AD. As mentioned in other posts, Microsoft is moving toward “Modern Authentication” and away from Active Directory.

1 Like

Thanks for your response Mark. Greatly appreciate it.

1 Like