SSO Is not What I Thought

In our case, if the token is expired, then yes you do have to complete the authentication process again. This is EVEN THOUGH you have already signed into windows.

3 Likes
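The behaviour described in the reply above (an expired token forces the identity-provider sign-in again, regardless of the Windows session) comes down to the `exp` claim inside the access token. The script below is an added example, not code from this thread, from Epicor, or from Microsoft: it builds a constructed, unsigned JWT-shaped token, reads its `exp` claim and decides whether a fresh sign-in is required, with an optional clock-skew allowance. The `make_constructed_token` helper and the `placeholder-signature` segment are assumptions for the demonstration only; a real client would verify the signature before trusting any claim.

```python
import base64
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT encoding strips before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_constructed_token(claims: dict) -> str:
    """Build a constructed header.payload.signature token for the example.

    The signature is a placeholder (hypothetical); nothing here verifies it.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a three-part JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> Optional[float]:
    """Seconds left before the token's exp claim; None when exp is absent."""
    now = time.time() if now is None else now
    exp = decode_claims(token).get("exp")
    if exp is None:
        return None
    return float(exp) - now


def token_needs_reauth(token: str, now: Optional[float] = None, leeway: int = 0) -> bool:
    """True when the user must complete the identity-provider sign-in again.

    leeway is a clock-skew tolerance in seconds: a token is treated as expired
    only once 'now' is past exp + leeway. A token without exp is never trusted.
    """
    remaining = seconds_until_expiry(token, now)
    if remaining is None:
        return True
    return remaining + leeway <= 0


if __name__ == "__main__":
    # Constructed clock value so the run is reproducible offline.
    NOW = 1_700_000_000
    live = make_constructed_token({"sub": "user@example.invalid", "exp": NOW + 3600})
    stale = make_constructed_token({"sub": "user@example.invalid", "exp": NOW - 10})
    print("live token needs re-auth:", token_needs_reauth(live, NOW))
    print("stale token needs re-auth:", token_needs_reauth(stale, NOW))
    print("stale token within 60s leeway:", token_needs_reauth(stale, NOW, leeway=60))
```

The point for an admin chasing "signed out while working" reports is that the browser's Windows session and the token's lifetime are two separate clocks; the second one is what the application checks, so the token lifetime and refresh settings on the identity-provider side are where to look.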

If you are using Microsoft Edge, you can configure automatic sign-in if the device is hybrid or domain joined. For a brand new user, they log in once to Windows and they immediately are able to log in to Kinetic without typing a username or password.

6 Likes

Now they are saying the fix is in 2025.1.12

1 Like

Because I’m on vacation I have more time than usual to comment. (Lucky you).

Yes, it feels like the definitions have changed. As mentioned, under Windows one would log in once and you got a ticket that would automatically authenticate you to other resources. Convenient, and as it turns out, insecure AF. This is how someone can send an email and trick Windows to send a ticket over the Internet without the user knowing (see Pass The Ticket, Kerberoasting, Golden and Silver ticket attacks).

While modern authentication systems also have issues with token theft, they also have more tools to combat it. And authentication companies are currently working on better security. Microsoft is not working on Active Directory since it doesn’t work with Mac, Linux, or Mobile OSs. While people can and do run both Entra and AD, it increases the attack surface adding all vulnerabilities to the user. The most recent is for Exchange hybrid users.

While it feels more dangerous to have only one ID, there are more tools to help with security: passwordless login, impossible travel checking, phishing resistant MFA, day/time restrictions, known device/health checking, and more on the way like device token binding. The other place that’s getting attention is on boarding so it’s easier to give users their roles based on their job or change in job.

3 Likes

We are at 12.1.8. Does that mean I can’t use Entra ID as SSO? I have asked my MSP to take a look at Entra ID. What information can I give them to make sure they set up Entra ID correctly?

If you go to in your Kinetic application it should show you how to configure your Entra ID (Azure AD) Identity Provider. Here is the Epicor Zendesk article. There are a lot of different articles as well.

Configuring Azure AD as External Provider – Kinetic 2025.1

3 Likes

No, we have been using it since 2023.2. It’s just buggy for some people: tokens timing out, getting signed out while working, disconnect errors at times.

2 Likes

You could always use a secure password manager like Keeper which is SSO enabled to automatically log you into sites where SSO is not an option. Keeper is what we have been using as a company for a few years and have been really impressed with the software.