Configuring Security for Express Web Components
Technical Note 2027
Last Reviewed 2-Nov-2011

Applies To
Express Software Manager version 9.0 and later (purchasing, 9.5 and later)

Summary
Express Software Manager provides a mechanism to restrict access to the Reports and Purchasing consoles. Additionally, access to both can be further secured via settings within IIS. This technical note describes both mechanisms and how to configure them.


Default behavior
When you first open the ESM Reports Console or the ESM Purchasing Console, you are presented with a login screen prompting you to enter a User name and Domain name.

For Domain name, enter the name of the domain to which the machine belongs. For User name, enter your user name, which must be a valid user name in the Express Database, with permission to run the Reports or Purchasing Console.

An additional option, "Create this account if it does not exist," is available under the following conditions:
  1. You are using an Express Software Manager evaluation license, and
  2. An administrator has not restricted access to the Express Reports Console or Purchase Console
When this option is selected, Express Software Manager will create an account with the credentials you specified. This account will be viewable by Reports or Purchase Console administrators in the Administration Tab of the Reports Console or in the Administrative User Policies dialog box in the Administrative Console. The user will also appear in the Users panel in the Administrative Console.

Restricting access to the Reports Console
To restrict access to the Reports Console, select the Administrative Console's Tools/User Policies/Express Reports menu to display the Express Reports User Policies dialog box. In this dialog, select Enable Express Reports user policies and click OK. When you do this, the user account under which you are currently logged in becomes the Express Reports Administrator. As an administrator, you will now see an Administration tab when you open the Reports Console.

Now bring up the Express Reports Console and click on the Administration tab. Here you can configure Express Reports Console user roles, defining users as: The Administration tab will list all users who have attempted to access the reports console. It also allows you to search for the names of discovered users and assign user roles to them.

Restricting Access to the Purchase Console
To restrict Access to the Purchase Console, select the Administrative Console's Tools/User Policies/Administrative menu to display the Administrative User Policies dialog box. In this dialog, select Enable Administrative user policies and click OK. When you do this, the user account under which you are currently logged in becomes the Administrative Policies Administrator. You can now configure Administrative permissions for users and give specified users access to the Purchasing Console as well as access to various functionality within the Express Administrative Console itself. Additionally, you can configure a message displayed to any user attempting to launch the Administrative or Purchasing Console who has not been granted access.

Note: Users given access to the Purchasing Console will automatically be given access to the Reports Console.

Enabling secure authentication
While enabling policies as described above will prevent non-authorized users from accessing reports or purchasing, the login asks only for the name and domain of the user, so the user is not actually authenticated. For increased security you can configure the Reports and Purchasing websites to require secure authentication. Secure authentication requires a password along with the user name and domain. The Express Reports Console and Express Purchasing Console then ask Windows to verify the password before allowing access. To configure secure authentication:
  1. Enable "Require Secure Authentication" by going to the Administrative Console's Tools/Options dialog's Security tab and checking the "Require secure authentication" checkbox.
  2. Configure IIS on the Express Reports and/or Express Purchasing machines to use either Windows Authentication or HTTPS (HTTP over SSL). Factors to consider when choosing which security model to enable are:
    • Using Windows Authentication provides a better experience for end users: if they are using Internet Explorer they will be logged in automatically, without having to provide a user name or password. If they are using other Internet browsers, the browser may prompt them to enter a user name and password.
    • Using HTTPS may be required if your installation uses gateway or proxy servers that are not configured to permit Windows Authentication. When using HTTPS, users will need to enter their user name, domain name and password to access the Express Reports or Purchasing Console.
When configuring a secure authentication method, you must configure the ESMReports and ESMReportsConsole applications in the IIS Manager for Express Reports and/or the ESMPurchasing application for Express Purchasing. See the topics below for instructions on how to enable each of these two security mechanisms in IIS.

Configuring IIS to use Windows Authentication

Note: Windows Authentication may not be installed by default with Windows. If it is not already installed, use the Windows Control Panel to install this Windows component.

To configure an application within IIS to use Windows Authentication:
  1. Open the IIS Manager application.
  2. In the left pane, navigate to the ESM web application, and display its properties. For purchasing, this is ESMPurchasing; for reports, you will need to do steps 3 & 4 for both ESMReports and ESMReportsConsole applications.
  3. Disable Anonymous Access.
  4. Enable Windows Authentication.
  5. Exit IIS Manager.

Configuring IIS to use HTTPS (HTTP over SSL)

Note: Using SSL requires that you have an SSL server certificate installed on your web server.

To configure an application within IIS to use HTTPS:
  1. Open the IIS Manager application.
  2. In the left pane, navigate to the ESM web application, and display its properties. (For IIS 6, view the application's properties and select the "Directory Security" tab, and edit the Authentication and access control. For IIS7, click the web application to display Features view.)

    Note: For purchasing, the application is ESMPurchasing; for reports, you will need to repeat steps 3 & 4 for both ESMReports and ESMReportsConsole applications.
  3. In the "Secure communications" (IIS6) or "SSL settings" (IIS7) section, click the option to require SSL.
  4. Ensure that the Client Certificates option is set to Ignore.
  5. Exit IIS Manager.
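The two IIS procedures above (Windows Authentication, and HTTPS with client certificates ignored) can also be applied and then verified from PowerShell, which is useful when the same settings must be reproduced on several servers or audited later. The script below is an added example, not part of this technical note or of the Express Software Manager product. It assumes IIS 7 or later with the WebAdministration module, that the ESMReports, ESMReportsConsole and ESMPurchasing applications live directly under a site named 'Default Web Site' (change $Site if yours differs), and that step 1 of the secure authentication procedure ("Require Secure Authentication" in the Administrative Console) has already been done by hand, since that setting is not an IIS setting.

```powershell
# Added example (not from the technical note): applies the IIS settings the
# note describes and reports the effective result, using the WebAdministration
# module that ships with IIS 7+. Assumed (not stated in the note): the site
# name below and that the ESM applications sit directly under it.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site           = 'Default Web Site'                    # assumption
$ReportsApps    = @('ESMReports', 'ESMReportsConsole')  # names from the note
$PurchasingApps = @('ESMPurchasing')                    # name from the note

# Get-WebConfigurationProperty returns a ConfigurationAttribute for some
# attributes and a bare value for others; normalise to the bare value.
function Get-ConfigValue($v) {
    if ($null -ne $v -and ($v | Get-Member -Name Value -ErrorAction SilentlyContinue)) { $v.Value } else { $v }
}

function Set-EsmWindowsAuthentication {
    param([Parameter(Mandatory)][string[]]$Applications)
    # The note warns that Windows Authentication may not be installed; on
    # Windows Server the feature is Web-Windows-Auth (ServerManager module).
    $feature = Get-WindowsFeature -Name Web-Windows-Auth -ErrorAction SilentlyContinue
    if ($feature -and -not $feature.Installed) {
        Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
    }
    foreach ($app in $Applications) {
        $location = "$Site/$app"
        # Step 3: disable Anonymous Access for this application only.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name 'enabled' -Value $false
        # Step 4: enable Windows Authentication.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'enabled' -Value $true
    }
}

function Set-EsmRequireSsl {
    param([Parameter(Mandatory)][string[]]$Applications)
    foreach ($app in $Applications) {
        # Steps 3 and 4: sslFlags = 'Ssl' is "Require SSL" with Client
        # Certificates set to Ignore. Adding SslNegotiateCert or
        # SslRequireCert would change the client-certificate behaviour.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$app" `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    }
}

function Test-EsmSecurity {
    # Read back the effective settings so the change can be verified or audited.
    param([Parameter(Mandatory)][string[]]$Applications)
    foreach ($app in $Applications) {
        $location = "$Site/$app"
        $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
        $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'
        $ssl  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        [pscustomobject]@{
            Application        = $app
            AnonymousEnabled   = [bool](Get-ConfigValue $anon)
            WindowsAuthEnabled = [bool](Get-ConfigValue $win)
            SslFlags           = [string](Get-ConfigValue $ssl)
        }
    }
}

# Pick one model per application, as the note describes; here Reports uses
# Windows Authentication and Purchasing uses HTTPS purely for illustration.
Set-EsmWindowsAuthentication -Applications $ReportsApps
Set-EsmRequireSsl            -Applications $PurchasingApps
Test-EsmSecurity -Applications ($ReportsApps + $PurchasingApps) | Format-Table -AutoSize
```

After running it, the table should show AnonymousEnabled False and WindowsAuthEnabled True for the Windows Authentication applications, and SslFlags "Ssl" for the HTTPS applications. The script deliberately does not create the HTTPS binding or install the server certificate that the note says SSL requires; with sslFlags set but no https binding on the site, requests to the application simply fail with 403.4, so confirm the binding exists before requiring SSL.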

Related Technical Notes
2000 Express Software Manager Technical Notes