SSO Config file password hash

Hi Guys,
we are on 10.1 at the moment upgrading to 10.2 on the weekend.
I have an rdp server and a about 20 users which use it each with their own config file which has the password saved in each file.
With the new version i am finding that the hash is different.

Does anyone know the location of the hash seed on the client machine?

I want to just make sure it’s the same between versions so my old hash will work on the new version and i don’t have to log in to every user and save the password via the UI.

p.s. I know i should use AD sso but we haven’t got there yet!


Luckily you have waited on Windows AD SSO long enough you could jump to Azure AD if you needed to in 10.2.200

I’ll check if there is even an internal utility running around on that but your best bet is to just send them a password reset and have them change password on login.

Last week we tested the Azure AD with our Pilot database and it worked without a hitch. We saw Two-Factor Authentication working in Epicor!

Mark W.


Good news. Sitting in the background watching that demo with another customer literally right now. They are kicking the tires as well in our EMS Cloud offering.

ok i will have to login as each user and save.
you can’t really do it on a handheld screen - but i can login using my desktop and do it.

we are doing so no mfa but I am not sure i really need it inside our firewall.

when i expose epicor for mobile crm - yes we will need it then.

Ohhh you didn’t mention handheld!!

Hmmm… busy days this week (last day to lock down for Insights!) but I will check on something - no promises.

I had a quick glance.

The two way encryption uses a dotnet class wrapper over a Windows function that does the encryption based on the machine and the windows account that is logged in. For moving that between versions and boxes would be entertaining.

@PatL if you changed servers (terminal servers) then that would be your problem, or if they are logging in into another server during the testing that would be your issue.

As @Bart_Elia said the password is encrypted using the ProtectedData class ProtectedData Class (System.Security.Cryptography) | Microsoft Learn with a scope of
DataProtectionScope Enum (System.Security.Cryptography) | Microsoft Learn

Now the current user scope will let you move machines but only if the user has a roaming profile.

If you are feeling particularly bored, you could write a utility that each user would run on the current server to get the password Decrypted then run the same utility again in the new server for each user to Re-Generated the encrypted data. However it is simpler to just re-save them


Thanks @josecgomez - I was trying to remember what we did there so had to look it up. I have had my head swimming in different encryption and security lately looking ahead. Azure AD is just a start. Safe Harbor

1 Like

Sorry guys I forgot to update after i fixed it.

Turns out all the passwords are the same (I forgot i did this)
so it was just a matter of generating the hash once and reusing it.
It was all one the same terminal server.

At least i can put it in my notes for my next upgrade!
But hopefully by then i will have written a new handheld client nativley on android and i won’t need TS!