Password Expiring issue when using REST

Absolutely, but if you’re having trouble then I have no hope :joy:

haha I may or may not be waiting for you to figure it out LMAO. I tried for an hour or two if I have time next week I’ll tackle it, but hopefully you’ll get it before then haha!
Or we can both beg @Bart_Elia or @Olga to make a post about it… Please? LoL

1 Like

FYI I also put a ticket into Epicor regarding this, case CS0000992819 last week but haven’t heard back yet. Not sure but I’m guessing that consultants have a little more pull when it comes to getting a response with support.


LoL Customers are always first :slight_smile: the only “pull” we have is because we know people and make friends, but generally speaking customers always have the upper hand (as they should)

4 Likes

I thought you only needed it to test from Postman? Otherwise, why not just go with Windows auth?

I apologize if this is obvious to you, but this is all new to me so I appreciate your patience.
We are integrating an external customer-facing website with the ERP. To connect, we are going to use the REST API.
Postman is simply a REST client that I have used, but I have also tested this with other REST clients with the exact same result. Our website development vendors are asking me why the Epicor application keeps expiring the password that I give them. After the password “expires”, I reset it using the “Expire Password” button in user account maintenance. This temporarily allows the same user credentials to be passed from any REST client, but it expires again after 3 calls.

In all situations, we get the same results. I have passed Windows credentials as basic authentication and also as NTLM authentication, but the password always shows as expired through any client after three tries.

I have passed with windows credentials as basic authentication

When REST is using Windows auth, there should not be any basic authentication. You open the Help page, for example, and you see it without entering a name and password. The same is true for REST calls: no need to specify any name and password.

Does the REST help page work for you without entering a name and password?

They will be calling the API from a completely external network. We have an interface that will be exposed to the internet that will allow their IPs to have limited access to the network, which is why we need to be able to authenticate the call.
When inside the network, the REST Swagger page does not prompt for credentials.

I do not understand how I can authenticate the user without using a username/password if they are outside the network

1 Like

I am late on the conversation and totally guilty of not reading the full thread so just tell me to get lost if I am off base. When you expire the password do you log into the Epicor client and then enter a new password or login as SSO? That would be the reason you keep having it go to expired.

1 Like

I see, for an external framework you cannot use Windows SSO. So you have to use basic auth for them.

Log into ERP. Do you see a Change Password item in the UI settings? It should set up a password for the Epicor user, and it would not expire after that.

2 Likes

I made the change and it seems to be working! Thank you so much.
I will keep an eye on it and mark this as solved after it’s verified
@josecgomez thoughts?

1 Like

You have a few options here and I hope to not confuse you more. You really need someone to review your security boundaries to ensure you have what you want lined up.

For internal using Windows instead of Epicor Username / Password makes a ton of sense. No Basic Auth, only Windows.

For ‘External’ access systems, you have a couple of choices. You can use Epicor Username/password and Basic Auth, but you can also use Windows in some scenarios. That’s what needs a review.

For example, the ‘external app’ could be an IIS app running with an app pool as ‘MyDomain/MyApp’ - in Epicor you could map that ‘MyApp’ identity to a user to authenticate against. You could use ‘OnBehalfOf’ headers to tunnel into the system. Lots of options that should be reviewed for your scenario and needs.

I wish I knew more about this, and I really appreciate the dialog!
Below is the basic architecture.
Our servers are housed in a public virtual cloud in a large data center. We have a load balancer that lives in a DMZ. The cloud’s firewall allows only the IPs from the web development company’s servers into the load balancer. From there, depending on the request URL, the load balancer routes the request to the appropriate app server inside the environment. The Epicor apps run internally with single sign-on defined at the IIS level.
This call from the external app to our ERP will be the only instance of an external application calling it, and it wouldn’t really have any other need for a Windows auth scenario.