Single Sign On (SSO) - Active Directory server lookup setting

Where do we set up SSO so that it points to the correct Active Directory server? Somewhere the AD server name is hard coded and we need to update it so that Epicor can determine which server should be used for the AD lookup.

There is not a setting that dictates what Active Directory server is used for Epicor. The user settings are the only control along with a flag in the configuration file.

Is this a setting within Windows and not Epicor? In the User Settings, how does it know which AD server it is pointing to?

Correct, it will use Windows to determine this. You can run set from a command prompt to see what domain controller you are using. Look for the LOGONSERVER entry. Also, check DNS on the server and workstation to make sure they are correct for your environment.

So, we removed DSS001P from the DC locator policy, so no queries for a domain controller should be hitting DSS001P for LDAP or AD auth. However, from the logs, it looks like several app servers, like APP009P, are still hitting it. Windows wouldn’t be pointed to it, as it uses the DC Locator policy. From the logs, it looks like Epicor is still hitting the old AD server directly.

You can try clearing the locator cache. Even though you have removed the domain controller it can still use the cache to find it. I believe something like

> NLTest /dsgetdc:<Domain Name> /Force

will clear it and force a new discovery. One other thing: is your domain fully qualified (domain.local) or short name (domain) in Epicor?
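The checks suggested in the replies above (LOGONSERVER, a forced DC Locator rediscovery) plus a look at which local process still holds connections to the old domain controller, as an added PowerShell example that was not posted by anyone in the thread. The parameter names are assumptions; run it on the app server under investigation (for example APP009P) with the domain name and the old DC name (DSS001P) as arguments.

```powershell
# Added example, not from the thread. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $DomainName,  # your AD domain, e.g. domain.local
    [Parameter(Mandatory)] [string] $OldDc        # the removed DC, e.g. DSS001P
)

# 1. DC that authenticated this logon session (the value `set` shows).
"LOGONSERVER : $env:LOGONSERVER"

# 2. Force a fresh DC Locator discovery instead of trusting the cached entry.
$locator = nltest "/dsgetdc:$DomainName" /force 2>&1
$dcLine  = $locator | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)'
if ($dcLine) {
    "Locator DC  : $($dcLine.Matches[0].Groups[1].Value)"
} else {
    Write-Warning "DC Locator did not return a DC:"
    $locator
}

# 3. Resolve the old DC so its connections can be matched by address.
$oldIps = @(Resolve-DnsName -Name $OldDc -Type A -ErrorAction SilentlyContinue |
            Where-Object IPAddress |
            Select-Object -ExpandProperty IPAddress)
if (-not $oldIps) {
    Write-Warning "$OldDc no longer resolves in DNS; match on its last known IP instead."
    return
}

# 4. List local processes with live connections to the old DC on AD ports.
$adPorts = 88, 389, 636, 3268, 3269   # Kerberos, LDAP, LDAPS, GC, GC over TLS
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in $oldIps -and $_.RemotePort -in $adPorts } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = $proc.ProcessName
            ProcessId = $_.OwningProcess
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } |
    Sort-Object Process, Remote -Unique
```

The connection list is a point-in-time snapshot, so short-lived LDAP binds can be missed; run it while a user is signing in through SSO.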

We use the short name (domain) in Epicor. Even if we didn’t clear the locator cache, we shouldn’t be able to use Epicor’s SSO since the domain no longer exists? If we use the short name in Epicor, how does it authenticate the lookup to the AD server?

Hi cchang,

May I know what your current OS is for the AD server? Are you still on E9 now?

Thanks.

Sorry, I do not know that information.