There are TLS issues with our cert, but I am 99% confident that they are not the source of the 401 error. I seem to remember that there is a place to configure the REST api on and off, and that is where I’d like to start looking but I haven’t found it yet. It wasn’t in the Epicor Admin Console, from what I could tell. I lack familiarity with Epicor as a whole. I worked with it about once a year, whenever we move prod data back to other environments. I don’t remember this issue the last time. We are on the latest v10 I believe.
It is just basic. There is a user and password stored in Epicor itself. You can see that I provide it in the HTTP headers when using the “token service”.
I didn’t ever do anything with the API key yet, but I saw it in the epicor admin console. I will google for that if you think it is relevant. (it certainly sounds relevant).
FYI, I’m a programmer on the client-side and I rarely interact with the server. I certainly never provided an API key to the REST api in the past. Is that a V2 thing? (possibly not relevant to V1 which I’m using in this case).
I’m going to close this. I am almost 100% certain that the requests that are failing (401) are related to IIS misconfiguration. These requests are probably not even reaching any Epicor software in the first place. The content bodies of the 401 errors look very generic, and I am pretty confident that I can’t generate a token, since the initial tokenservice is not reachable with anonymous access. (or something along those lines).
I’ll re-post if/when I have evidence that it is actually related to the Epicor software.
Thanks, I’m waiting on other teams to answer some of these questions. I didn’t want to have to hold up the forums while I wait. As a software developer, I don’t really have enough access to the Epicor deployment environments.
Thankfully we have an environment that currently works (production) and some environments that don’t, so I suspect if we are motivated it shouldn’t be long until we compare all the configs and find the source of the IIS auth issue.
It is possible that someone (or some agent) has unknowingly broken our anonymous sites deliberately because of concerns related to the “anonymous” access… Not sure, just guessing based on the fact that things used to work and now something changed and the API doesn’t work anymore.
