That’s really great info. what about this question: How does AAD Auth Kinetic Login work with AD based permissions in SQL Backend? we’re on SQL 2019, which I don’t believe supports AAD Auth (need 2022 for that)
I assume the reason you are asking this is that you are hitting the database directly in customizations or integrations. Opening up database access to other clients increases the attack surface of your ERP data, so I try to avoid it. Standard Kinetic does not require clients to have direct access to the database, so no extra permissions are required. All access to the database is through the App Server which communicates with the database. As long as the client authenticates with the App Server (Basic Auth, AD or Entra ID/Epicor IdP) then access to the database is taken care of for you.
Mark, let’s assume no customizations/integrations in play. The appserver accesses the database via a domain account / Windows authentication. If our long-term goal is to phase out on prem AD, how do we connect appserver to SQL? Do we use SQL Logins with username/password entered in the Admin Console? Or would/could/should Azure AD ever come into play?
I don’t think Entra ID will come into play until Epicor certifies SQL Server 2022 or Azure SQL. Until then it’s SQL Logins and AD.
1 Like
Slightly off the topic, but do you have any shared resources that will require on prem AD server for authentication? We’ve been discussing the same idea of eliminating on prem AD but won’t be able to because of this. Mainly, it’s our Firewall that authenticates our VPN connections, and a few other things. And if we can’t get rid of it yet, then we might as well use it.
This is the broader project that @ericflaherty is investigating for us… I’m only helping to look at Epicor/SQL.
Honestly, there’s no technical reason to have ERP and the SQL Server on the main domain. Just use a workgroup. 
Like the SaaS folks, the main domain users would only use HTTPS to access the app servers. You’d get a little segmentation too if the main domain (where email and browsing occur) was popped.
As for VPNs, there are better solutions these days. Edge devices are getting pwnd on the regular these days.
Instead of VPNs that give access to the whole network upon login, the cool kids are using things like Tail Scale. And now Microsoft is just getting into the game of eliminating traditional VPNs with Security Service Edge (Great explanation by John Savill).
2 Likes
True, and that is some good info. I’ll check into it. Our investment in hardware is working very well for our dedicated remote office VPNs (device to device), but for the few who access remotely/directly via VPN we might look into a different option. But I’d like to get rid of them altogether. We were considering using Azure App Gateway instead of VPN’s altogether, but that is clunky. I need to get off the classic interface for the best paths forward, but that won’t be for a while.
Switching to a firewall that would allow SSO with Azure AD allows you to add in MFA for that added layer of security.
In our case we’re still capturing anything that is AD integrated, but most has or can be phased out or migrated to azure AD.
Exactly - We’re hoping the Azure AD MFA connection is available on our device shortly. Then a few more things internally and maybe we can get rid of on-prem AD
True. Epicor still needs to add Entra ID for an authentication method in the Database Connection tab before we can take advantage of it.
2 Likes
?And speaking about SQL Server Security, this is the topic this week on the Azure Security Podcast.
EPISODE 88 - DECEMBER 1ST, 2023 - [ATTACKER’S GUIDE TO SECURING SQL SERVER]
Curious if anyone here running on-prem app server exposed to public via Azure AD authentication with MFA. It would mean without VPN, exposing just 443.
Also curious as to how the API can stand up against attacks.
As @Olga mentions above, you do not have to expose port 443 to use Entra ID. We currently are on-prem and use Entra ID for authentication to Kinetic 2021.2.
As for exposing Kinetic to the Internet? Personally, I wouldn’t. I would stick with a newer VPN technology like tailscale.com or, if you’re browser-based, you could do something like Azure Application Proxy.
1 Like