Azure AD in Kinetic 2022.1

Does anyone have this working? I have to admit, I don’t use Azure on our current version, so maybe I should start there, but I felt like diving in whole hog.

I’m working with support and it is going well, and I do think she will figure it out, but I thought I might ask here anyway.

I got it to where the admin console is able to connect to the database with Azure.

But I try to open the client and I get
Access to the path 'C:\Epicor\ERP11\LocalClients\DevK221\Config\DevK221.sysconfig' is denied.

I try going through a browser (this was the point of this exercise all along), and I get
AADSTS50194: Application '3e0fc06b-[the rest of the GUID]'(ERPDEVKinetic2022_1) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

And I don’t know what any of that means.

Access denied is an error because AAD settings are being written into sysconfig on the first run; it always worked like that.

For browser login you need to make several changes to your application in AAD for this release; there must be a section in the documentation.

OK, I guess this should have been obvious - I ran it as administrator and then it was OK. So the client is working now on the server and on my desktop.

I did try to follow the manual to a T for this - for a very good reason, which is that this is all new and foreign to me. But I don’t see anything in the troubleshooting section on this error. Of course, I could have made a mistake in setup, but I do think I was careful to do what it said.

I don’t see it either. The error means it wants you to make your application multi-tenant inside
App Registration / Authentication / Accounts in any organizational directory (Any Azure AD directory - Multitenant)
But usually it was not required, afair. But you may try. Also, be aware that changes in AAD do not happen immediately; you need to wait several minutes.

UpdatingAzureADConfiguration.pdf (95.5 KB)
I have an excerpt of the doc attached, for the changes that should be made for an existing application.
Please verify that you have it all set up.

I was just looking at that.

I guess I’ll try it, but it does not sound terribly secure. I guess since I have to correlate all Epicor users to their External Identity (in our tenant), I do still have absolute control over not letting joe@hotmail.com get in.

This looks right to me:

You are right, you still need to map users. But you probably need to report it to support; I think it should not be required to set up a multi-tenant application for this.
I wonder if we are missing some other setting here, because so far it was not required. Did you create a brand new application or change an old one from previous releases?
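The concern raised above (a multi-tenant registration accepts sign-ins from any Azure AD directory, so only the user mapping stands between an outside account and the ERP) is usually handled in the application by pinning the tenant from the token's claims. The following is an added example for this thread, not Epicor's or Microsoft's code: it takes an ID token's claims after the OIDC library has already verified the signature, expiry and nonce, and rejects anything whose `tid`, `iss` or `aud` is not ours. All GUIDs in it are constructed placeholders, and the claim-set samples are constructed too.

```python
"""Tenant pinning for an Azure AD app registered as multi-tenant.

Added example for this thread, not Epicor's or Microsoft's code.  It assumes
the OIDC library has already verified the token signature, expiry and nonce;
these checks only decide whether the signed-in directory is one we trust.
All GUIDs below are constructed placeholders.
"""
from typing import Dict, Iterable, Tuple

# Constructed placeholders: replace with your own tenant and app (client) IDs.
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"
OUR_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
FOREIGN_TENANT_ID = "33333333-3333-3333-3333-333333333333"


def v2_issuer(tenant_id: str) -> str:
    """Issuer value Azure AD v2.0 puts in the `iss` claim for a given tenant."""
    return f"https://login.microsoftonline.com/{tenant_id.lower()}/v2.0"


def check_tenant_claims(claims: Dict[str, str],
                        allowed_tenants: Iterable[str],
                        client_id: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for an already signature-verified ID token.

    A multi-tenant registration lets any Azure AD directory issue a token for
    the app, so the application has to pin the tenant itself:
      * `tid` must be in our allow-list,
      * `iss` must be the issuer for that same tenant (a token cannot claim
        one tenant in `tid` while being issued by another),
      * `aud` must be our client id (a token minted for a different app is
        not ours to accept).
    Mapping the user (`oid`/`preferred_username`) to an ERP account happens
    after this and still rejects unknown users inside the trusted tenant.
    """
    allowed = {t.lower() for t in allowed_tenants}
    tid = str(claims.get("tid", "")).lower()
    if not tid:
        return False, "token has no tid claim"
    if tid not in allowed:
        return False, f"tenant {tid} is not in the allow-list"
    iss = str(claims.get("iss", ""))
    if iss.lower() != v2_issuer(tid):
        return False, f"issuer {iss!r} does not belong to tenant {tid}"
    if claims.get("aud") != client_id:
        return False, f"audience {claims.get('aud')!r} is not this application"
    return True, "ok"


# Constructed sample claim sets (only the claims this check looks at).
SAMPLE_OUR_TENANT = {
    "iss": v2_issuer(OUR_TENANT_ID), "tid": OUR_TENANT_ID,
    "aud": OUR_CLIENT_ID, "preferred_username": "jason@example.com",
}
SAMPLE_FOREIGN_TENANT = {
    "iss": v2_issuer(FOREIGN_TENANT_ID), "tid": FOREIGN_TENANT_ID,
    "aud": OUR_CLIENT_ID, "preferred_username": "joe@example.org",
}
SAMPLE_ISSUER_MISMATCH = {
    "iss": v2_issuer(FOREIGN_TENANT_ID), "tid": OUR_TENANT_ID,
    "aud": OUR_CLIENT_ID,
}
SAMPLE_WRONG_AUDIENCE = {
    "iss": v2_issuer(OUR_TENANT_ID), "tid": OUR_TENANT_ID,
    "aud": "44444444-4444-4444-4444-444444444444",
}


def demo() -> Dict[str, bool]:
    """Run the check over the samples; only the home-tenant token passes."""
    samples = {
        "our_tenant": SAMPLE_OUR_TENANT,
        "foreign_tenant": SAMPLE_FOREIGN_TENANT,
        "issuer_mismatch": SAMPLE_ISSUER_MISMATCH,
        "wrong_audience": SAMPLE_WRONG_AUDIENCE,
    }
    results = {}
    for name, claims in samples.items():
        accepted, reason = check_tenant_claims(claims, [OUR_TENANT_ID], OUR_CLIENT_ID)
        print(f"{name:16s} accepted={accepted} ({reason})")
        results[name] = accepted
    return results


if __name__ == "__main__":
    demo()
```

The same tenant id is what a single-tenant registration would use in the authority URL (`https://login.microsoftonline.com/{tenant}/v2.0` rather than `/common`), which is what the AADSTS50194 message earlier in the thread is asking for; while the registration has to stay multi-tenant, the check above keeps the effective trust boundary at one directory.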

Brand new. I am all new to this.

AHA! I think I got it.

The redirect URI is not quite right - or maybe you need two.

[image]

This says use https://server/kinetic202xx/home/azuread-redirect.html

But after doing the multi-tenant thing, I got a new error saying the URI it was looking for is https://server/kinetic202xx/**apps/erp**/home/azuread-redirect.html

And that does seem to be working.


…/home and …/apps/erp/home point to the same place, but AAD does not know it.
I think it depends on what address you used to start your UI? Though I am not sure.
You should probably report it too.

Ah I see that now. I have an old bookmark in Chrome to the home page for 10.2.700 and I just modified it to point to the dev server. But I don’t need the apps/erp/ business in there at all.

Don’t save bookmarks, people! Don’t be like me.

:man_facepalming:


Also, I reverted back to not multi-tenant and it still seems to be fine after 20 minutes or so. Closed all browsers etc.

Some final thoughts, I hope:

MES in the browser on Azure AD, not so much. I think this format worked barely
https://website/KineticSomething123/Apps/ERP/Home/#/home?app=mes

But it consumed both a Default license AND a Data Collection license simultaneously. In EAC I deleted the Default session and my browser said my session was deleted, so it really does seem to consume both types at once.

Also for the MES experiment, I had to add another redirect URI of https://server/kinetic202xx/Apps/ERP/home/azuread-redirect.html. You say, “But Jason, that’s the same as the one from earlier!” Oh no it’s not, because apparently Azure is case-sensitive. Also had to do the multi-tenant trick here to see the true error again.

And then to get the EAC working for the Azure AD deployment, I had to populate those Azure settings (third tab) even though the guide says you don’t.

Oh, and you need a non-Azure endpoint first in order to set the settings inside Epicor. That soapXML one being key, I think.

Sorry this is all roughshod off the top of my head. It’s been a long few days.

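The redirect URI mismatches in the post above (the `/home/` URI from the guide versus the `/apps/erp/home/` one the bookmark produced, and then `/Apps/ERP/home/` for MES being treated as a different URI again) come down to how an OAuth reply URL is matched: exactly, with a case-sensitive path. The following is an added example for this thread, not Epicor's or Microsoft's code; it implements that exact-match rule over a constructed registration list using the placeholder hostnames from the thread, and on a miss reports which component differs so you know which exact spelling to register rather than loosening the list.

```python
"""Exact-match check of an OAuth redirect URI against registered ones.

Added example for this thread, not Epicor's or Microsoft's code.  It models
the matching the thread ran into: scheme and host compare case-insensitively
(RFC 3986), the path compares byte for byte, so /home/..., /apps/erp/home/...
and /Apps/ERP/home/... are three separate registrations.  Sample URIs are
constructed from the placeholder hostnames used in the thread.
"""
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample registration, mirroring the URI the guide documents.
REGISTERED = [
    "https://server/kinetic202xx/home/azuread-redirect.html",
]


def _parts(uri: str) -> Tuple[str, str, str, str, str]:
    s = urlsplit(uri)
    # Scheme and host are case-insensitive, so fold them; path/query are not.
    return s.scheme.lower(), s.netloc.lower(), s.path, s.query, s.fragment


def redirect_uri_allowed(requested: str, registered: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, diagnosis).

    On a miss the diagnosis names the nearest registration and the first
    component that differs, which is what you need when the login page
    complains that the reply URL does not match.
    """
    req = _parts(requested)
    if req[4]:
        return False, "redirect URI must not carry a fragment (RFC 6749 s3.1.2)"
    best: Optional[Tuple[int, str]] = None
    for reg in registered:
        r = _parts(reg)
        if req[:4] == r[:4]:
            return True, f"exact match with {reg}"
        # Count leading components that agree, to pick the closest candidate.
        score = 0
        for a, b in zip(req[:4], r[:4]):
            if a != b:
                break
            score += 1
        diff = ("scheme", "host", "path", "query")[score]
        hint = ""
        if diff == "path" and req[2].lower() == r[2].lower():
            hint = " (same letters, different case: path comparison is case-sensitive)"
        if best is None or score > best[0]:
            best = (score, f"{diff} differs from {reg}{hint}")
    if best is None:
        return False, "no registered redirect URIs"
    return False, best[1]


# Constructed requests modelled on the situations described in the thread.
CASES = {
    "host_case": "https://SERVER/kinetic202xx/home/azuread-redirect.html",
    "extra_path": "https://server/kinetic202xx/apps/erp/home/azuread-redirect.html",
    "path_case": "https://server/kinetic202xx/Home/azuread-redirect.html",
    "fragment": "https://server/kinetic202xx/home/azuread-redirect.html#/home",
}


def demo() -> dict:
    """Evaluate each case against REGISTERED; only the host-case one passes."""
    results = {}
    for name, uri in CASES.items():
        ok, why = redirect_uri_allowed(uri, REGISTERED)
        print(f"{name:11s} allowed={ok}: {why}")
        results[name] = ok
    return results


if __name__ == "__main__":
    demo()
```

The practical reading of this for the thread: whichever URL the browser is actually started from decides the redirect path the login flow will present, so the registration list has to carry each spelling that is really in use, and a mismatch is a sign to fix the bookmark or add that exact URI, not to widen the match.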

Is it still working in single tenant mode?

I can only connect using multi-tenant since we updated to 2022.1. We did follow the update PDF guide linked above.

Well maybe I lied… I just opened the Azure settings and it says multi-tenant. I’m sorry, I really thought I switched it to single. Or maybe someone else changed it (I kind of doubt it, though).

Regardless, I switched it to single now and now I can’t log in in the browser.

Sorry, I really can’t look at this today, but I wanted to at least update this with the mea culpa.

I know this is a few months old, but we are starting to test out the 2022 version and noticed the same thing: the application registration must be multi-tenant. Has there been a fix found for this yet? The desktop client works fine with Azure Auth, but the browser seems to have to be set as multi-tenant.

It is a bug in the browser version. It is not fixed yet, afaik.

I have the same issue, and reported it to Epicor Support. This was the response:

“The setting of the multi-tenant function is not unique to Epicor ERP and depends on the Azure AD tenancy/subscription of the customers. Depending on the type of the Azure subscription of our customers, the Single/Multi-Tenant binding must be used.”

Not a satisfactory answer in my opinion, but after going in circles with support I settled with using MultiTenant option for now. We are on-prem and our Epicor system is not exposed to the outside world (yet). I will revisit it again if it is not fixed by the time we do.
