E10 and user account passwords

Are there many people that don’t use the Windows Bindings for the App Server instance?

I kind of thought that was the dominant method, and using that makes E10 user accounts automatically SSO.

No?

I’d say it’s quite the opposite. 99% of our users use regular old username and password. Traditionally the SSO implementation has been quite problematic (in the past)

1 Like

I’m probably using the wrong terminology. We don’t have “SSO” enforced, but rather, each user account specifies their domain and user name. If you are logged into the domain, and launch E10, the account associated with your domain login info is used to select the E10 user account.

Hence why “Change User” doesn’t do anything. You have to launch E10 with a right click and select “Run As…”
And even then, you must know the other user’s domain login info.

I don’t think any of our E10 user accounts have a password assigned.

You are not using the wrong terminology. The fact still remains (in my experience) that the great majority of users are not using Single Sign on or Windows Auth with Epicor. (Though that has started changing recently with improvements in 10.1+ )

1 Like

Thanks.

Seemed like the E10 installation guide leaned towards using Windows Auth. That’s why we went with that.

1 Like

Not that this happens often, but we’ve had instances where Active Directory goes down or something else happens and then everyone (including admin) is locked out of Epicor. And the only solution is to create a whole new app-server / change the binding from WindowsAuth to get in there and reset things… Again, it doesn’t happen often, but when it does it is a giant PITA.
We always recommend that at least 1 user not be set to SSO and that, at least for “admin” purposes, there should exist a non-WindowsAuth binding (HTTPS, HTTP, or WindowsUserNameChannel).

1 Like

Here is another problem with Single Sign on.

You log into your Windows PC.

You run out to lunch or grab a cup of coffee.

Someone with bad intentions walks up to your PC, and launches Epicor with your full rights…

And if you run out with Epicor already open? :wink:

WinLogo + L for the win!

3 Likes

Yes, but to novice users, it’s obvious to them when they walk away from their PC that they left Epicor wide open. Not so obvious when they are just at their desktop.

Remember, these are the same users who will click on a ransomware link because they really think Apple wants to give them a new iPhone, and the same IT department that keeps all their backups on a NAS just waiting to be encrypted by ransomware.

@mchinsky - Set up an auto-lock group policy that locks the Windows workstation (same as Win+L) after 5 minutes (and then listen to the complaints roll in!)

2 Likes
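The auto-lock policy suggested above, as an added example that is not from the thread or from Epicor: a PowerShell script that audits one workstation for the 5-minute idle lock and, with `-Enforce`, writes the same registry values the corresponding Group Policy settings would set. It assumes Windows 8 / Server 2012 or later (for the machine inactivity limit), and that it runs elevated when `-Enforce` is used; the domain-wide version of this is done in the Group Policy Management Console, this script only mirrors it locally so the result can be checked on a single PC.

```powershell
# Added example (not from the thread): audit and optionally enforce a
# 5-minute idle lock on the local Windows workstation.
#
# Two mechanisms are covered:
#   1. "Interactive logon: Machine inactivity limit" (security option), which
#      locks the session after N idle seconds regardless of screen saver.
#   2. The per-user screen saver policies (enable, password-protect, timeout,
#      and a forced blank screen saver so the timeout actually fires).
param(
    [int]$TimeoutSeconds = 300,   # 5 minutes, as suggested in the thread
    [switch]$Enforce              # without this the script only reports
)

$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$systemPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry maps a policy name to the registry value that GPO writes for it.
$checks = @(
    @{ Policy = 'Interactive logon: Machine inactivity limit'
       Path = $systemPolicy;  Name = 'InactivityTimeoutSecs'; Expected = $TimeoutSeconds; Type = 'DWord' }
    @{ Policy = 'Enable screen saver'
       Path = $desktopPolicy; Name = 'ScreenSaveActive';      Expected = '1';             Type = 'String' }
    @{ Policy = 'Password protect the screen saver'
       Path = $desktopPolicy; Name = 'ScreenSaverIsSecure';   Expected = '1';             Type = 'String' }
    @{ Policy = 'Screen saver timeout'
       Path = $desktopPolicy; Name = 'ScreenSaveTimeOut';     Expected = "$TimeoutSeconds"; Type = 'String' }
    @{ Policy = 'Force specific screen saver (blank)'
       Path = $desktopPolicy; Name = 'SCRNSAVE.EXE';          Expected = 'scrnsave.scr';  Type = 'String' }
)

function Test-IdleLockPolicy {
    # Returns one row per policy with the actual value and a Compliant flag.
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        [pscustomobject]@{
            Policy    = $c.Policy
            Value     = $c.Name
            Actual    = $actual
            Expected  = $c.Expected
            Compliant = $ok
        }
    }
}

function Set-IdleLockPolicy {
    # Writes the policy values; requires an elevated prompt for the HKLM key.
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected `
                         -PropertyType $c.Type -Force | Out-Null
    }
}

if ($Enforce) { Set-IdleLockPolicy }

$report = Test-IdleLockPolicy
$report | Format-Table -AutoSize

# Non-zero exit code when any setting is missing or wrong, so the script can
# be used as a compliance check from a scheduled task or RMM tool.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it without arguments to see which of the five settings the machine already has; `-Enforce` from an elevated prompt applies all of them, and the user-level values take effect at the next policy refresh or logon. The machine inactivity limit is the one that matters for the lunch-break scenario in the thread, since it locks the session even when no screen saver is configured; the screen saver entries are the older route and are included because many existing GPOs still use them.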

@Bart_Elia (or @Rich or @bconner) will correct me if I’m incorrect - which is quite possible, Azure AD (HttpsOffloadBinaryAzureChannel) works like your O365 services. First you register the Epicor application in Azure. When you launch Epicor, it still goes out to Azure and you confirm it’s you with your username/password and optional third-party authentication and a token is returned to Epicor if successful. This token can be used for all Epicor communication for some given period of time. I noticed that I had to authenticate with every login of Epicor, which is unlike what @mchinsky describes with the Windows authentication.

I’m guessing part of the reason I can’t get Azure AD in Dedicated Tenancy yet is for the very reason that @josecgomez mentioned. They’d have to add another application server to every tenant who uses Azure AD otherwise if Azure AD were unavailable, or we’d have to add all Epicor Admins to our AD. :face_with_raised_eyebrow: The goal of Cloud services is to keep things similar to keep it simple to manage. So we tested Azure AD outside of the Tenancy and it worked great. Just need to find a way for cloud users to authenticate in the cloud. :thinking:

Mark W.

Yeah, in college we wrote a script that would log you out upon login. Never leave your workstation insecure! I did it once here and my boss wrote an email from my Outlook calling him, uh, something bad and then emailed it to himself. Then he asked me, “Do you have a problem with me?” Why? “I read your email.”

Doh.

1 Like

Wow … You give your workstations pep talks?

:wink:

2 Likes

Security NO NO, NEVER walk away from your PC without locking it.

1 Like