Change password for Epicor admin user ID and Database admin user

Hi Team,

We were thinking of changing the password for the Epicor admin user ID and the SQL database admin user ID for production servers. I am not sure about the difficulty level and risk level associated with this.

From my analysis I saw internally there are many impacted areas if we change these two passwords. There is no document available to get the list of impacted spots for this change and I did not find any straightforward KB on this.

Does anyone have experience changing these two passwords in a live environment? If yes, can you please share your experience of how difficult it is and the risk factors of this implementation?

Thanks
Sazzad

I’d definitely make sure you have other E10 users with Security Manager rights before changing the password for the manager user.

I’ve not really got a good handle on what user/password is used where. But I can tell you some things I’ve run into.

  • The user and password set in the EAC App Config -> App Server -> App Server Settings -> App Pool must always be active and correct. We originally used an account that required regular pw changes, and when this would expire, the App pool would stop working.
  • If your App uses Windows endpoint binding, a domain user trying to do maintenance to that App must be a Security Manager. We also set up another App to our production DB that uses UsernameWindowsChannel endpoint binding. This way anyone could log in as the manager (given they know the password).
  • Not having the correct rights on the SQL server and App server (I’m talking about at the O/S level on the machines), can cause issues when deploying an App. Especially if you’re importing SSRS reports too.

@ckrusen thanks for your response. I mean two different user IDs: one is a domain user we use as the Epicor admin user… this domain user ID was used to set up the Epicor app server, such as IIS and the Application pool, as well as the database server… the 2nd user ID is the SQL admin user ID “sa”… I am not sure of the impact of changing the password for this user ID “sa”. I am trying to understand it clearly because I don’t want to take any risk on production servers.

Note that we use Windows endpoint binding. So this might not apply to you.

We use the following domain accounts for the various aspects of E10

  • EAC App Config ->

    • App Pool user
      • username: our_domain\_glbl_e10
    • Database Connection
      • User: <blank> - because it is Windows binding
    • Admin Console
      • Epicor User: <blank> - because it is Windows binding
    • Reporting Services
      • Epicor User: <blank> - because it is Windows binding
  • EAC, Task Agent Properties

    • username: <blank> - because it is Windows binding
  • Windows Services -> Epicor ICE Task Agent 3.2.300.0

    • Logon as: our_domain\_glbl_e10
  • E10 User account manager

    • Domain: our_domain
    • OS User: exas_ckrusen (my alternate domain account)
  • E10 User account _glbl_e10. This account has Session Impersonation privileges.

    • Domain: our_domain
    • OS User: _glbl_e10
  • E10 User account print. This account has Session Impersonation privileges. And is used by the System Agent

    • Domain: <blank>
    • OS User: <blank>

I’m not sure what the SQL end of things needs. So I’ll just list what is there (other than the built-in stuff)

  • SQL Server -> Security -> Logins
    • a login for our_domain\_glbl_e10 was added. It uses Windows Authentication
    • a login for our_domain\exas_ckrusen was added. It uses Windows Authentication

Hope that helps


I changed our main admin account before we went live a couple weeks ago. @ckrusen pointed out everything I would point out. The biggest thing is making sure you have another security manager account. If you don’t, you could be in a bad situation.

@ckrusen it seems similar to our environment. I am trying it first on a test server. I just changed the domain user ID we are using and it gives us lots of errors getting the EAC connected. I have fixed some errors and it is still not connected. It gives different types of errors at different stages. I haven’t changed the password for SQL admin yet, just the domain user password. I am afraid that if this same thing happens when I change the password for the production server, we will be in trouble. I guess this process is not straightforward to do on a production server.


@chaddb which admin account password did you reset? Is it the domain user used to manage Epicor?

We use Windows endpoint binding, so the credentials of the user logged into the computer are passed on to the program.

If I log into the computer running the app server as ckrusen, I can launch EAC. But I get a connection issue when I select our Production App.

That is because the E10 user associated with my ckrusen domain user is not a Sec Manager.

While logged into the App computer as ckrusen, I can connect to the app only if I launch EAC as a different user (hold down SHIFT, right click the EAC shortcut, and select “Run as a different user”).

I enter my credentials for my exas_ckrusen domain user and then EAC is running like user exas_ckrusen was logged into the computer. Then when I select our Production App, it connects with no problem.

Edit

In a nutshell … When using Windows endpoint binding, the user that launches EAC must be tied to an E10 user account that is a Sec Manager.


@mhossain - One more thing that took me forever to realize …

You can’t connect to a stopped App. So if you select an app that is stopped, you’ll get:

image

So if you’re like me and you tend to first select a UI control before right clicking it, you get the above. Just close that out, right click the App and select “Start Application Pool”.

After it starts, right click the App and select “Connect to Application Server”.


This issue has been fixed after changing the below settings.

Default Web Site–>Manage Website–>Advanced Settings–>Physical Path Credentials–>Select Application user (pass-through authentication)
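
The places this thread names as holding the domain account (the IIS App Pool identity, the Physical Path Credentials, and the Task Agent Windows service logon) can be listed before a password change. The script below is an added example, not posted by anyone in the thread; it is read-only, and it assumes an elevated PowerShell session on the app server with the IIS WebAdministration module installed. The default account name is the one quoted earlier in the thread, used as a placeholder.

```powershell
# Added example: read-only inventory of where a service account is configured
# on the app server. Nothing is modified.
param(
    # Placeholder taken from the thread; substitute the account you plan to change.
    [string]$Account = 'our_domain\_glbl_e10'
)

Import-Module WebAdministration   # installed with the IIS management tools

$short = ($Account -split '\\')[-1]

function Test-AccountMatch([string]$Value) {
    # Accept DOMAIN\user, the bare user name, or user@domain (comparison is case-insensitive)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    return ($Value -eq $Account) -or ($Value -eq $short) -or ($Value -like "$short@*")
}

$findings = @(
    # 1. App pool identity (EAC: App Server Settings -> App Pool)
    Get-ChildItem IIS:\AppPools |
        Where-Object { Test-AccountMatch $_.processModel.userName } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'IIS app pool identity'; Name = $_.Name; Detail = "state=$($_.State)" }
        }

    # 2. Physical Path Credentials stored on sites, applications and virtual directories.
    #    An empty userName means "Application user (pass-through authentication)".
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter 'system.applicationHost/sites/site/application/virtualDirectory' |
        Where-Object { Test-AccountMatch $_.userName } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'IIS physical path credentials'; Name = $_.physicalPath; Detail = $_.ItemXPath }
        }

    # 3. Windows services that log on as the account (e.g. the Epicor ICE Task Agent)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-AccountMatch $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'Windows service logon'; Name = $_.Name; Detail = "state=$($_.State)" }
        }
)

if ($findings.Count -eq 0) {
    Write-Output "No stored references to $Account found in IIS or Windows services on this machine."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Each row is a place where the stored password must be re-entered after the change; run the script on every machine that hosts an app server or the Task Agent.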