Monday, January 10, 2011

Printing from an iPhone, iPad or Mac using AirPrint, Bonjour in an Active Directory domain

AirPrint is a feature introduced in iOS 4.2.1 for the iPad and iPhone.

It relies on Bonjour (multicast DNS service discovery) for finding printers.

Since several corporations have already started to integrate iPads, iPhones and Macs into their assets, some people may wonder how to let these devices print on Windows print servers in an Active Directory environment.

In this article, I will go through the questions you have to ask yourself before starting such a task, and how to achieve that goal successfully.

1/ Analyse on which print server(s) you want users to be able to print from their iPad / iPhone:

1.1/ check the requirements

- the right to perform administrative operations on the print server

- the ability to install services on the print server

- the print servers have to be on the same IP subnet as the iPad/iPhone/Mac: Bonjour discovers printers with multicast DNS (UDP 5353 to 224.0.0.251), which routers do not forward between subnets by default

1.2/ Note

The following steps and screenshots were performed on a Windows Server 2008 R2 server, which is an x64 Windows OS. There should not, however, be huge differences if you perform these steps on Windows Vista, 7 or Server 2008.

2/ On each one of these servers, perform the following tasks:

2.1/ Download the AirPrint service

2.2/ Install and register the AirPrint service

Run the Windows Command Prompt "cmd.exe" as a local administrator:

2.2.1/ If you are running an x86 Windows OS

Put the airprint files in a newly created directory: %ProgramFiles%\AirPrint\

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "\"%ProgramFiles%\AirPrint\airprint.exe\" -s" depend= "Bonjour Service" start= auto

2.2.2/ In case you are running an x64 Windows OS

airprint.exe is a 32-bit executable, so put the airprint files in a newly created directory under the 32-bit program folder: %ProgramFiles(x86)%\AirPrint\

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "\"%ProgramFiles(x86)%\AirPrint\airprint.exe\" -s" depend= "Bonjour Service" start= auto

The escaped inner quotes matter. Without them the registered image path would be C:\Program Files (x86)\AirPrint\airprint.exe -s with no quotes at all, and a service path that contains spaces and is not quoted is the classic "unquoted service path" weakness: the Service Control Manager may try C:\Program.exe before the real binary. After the command, open the service properties in services.msc and verify that "Path to executable" shows the quoted path. Also note that sc.exe create without an obj= parameter registers the service to run as LocalSystem.

Since we declared that the AirPrint service depends on the "Bonjour Service" (see the command above and the screenshot below), the Service Control Manager will not start AirPrint until Bonjour is installed and running, so we now have to install the Bonjour Service.

2.3/ Download and install the Bonjour Print Services for Windows

2.4/ Check that the Bonjour service is running

Once installed, you can run services.msc to see that the Bonjour Service is now started.

If it is not the case, then within the cmd.exe prompt, run:

sc interrogate "Bonjour Service"

which reports the current state of the service. If it is stopped, we have to start it:

And then check that it is started:

2.5/ Start the AirPrint service:

and then check that it is actually started:

2.6/ Allow AirPrint traffic through the built-in OS firewall:

Either by GPO, or locally on the print server, create an inbound Allow rule for the AirPrint program:

Specify the path of the airprint service executable.

Please note that in the following screenshot the path contains " (x86)" because airprint.exe is an x86 executable and I am running it on a Windows x64 server; just remove the " (x86)" part if you are running it on an x86 server:

Since we are not yet able to enforce IPsec policies on the iPad and iPhone, the "Allow the connection if it is secure" option cannot be used; just choose "Allow the connection". Do restrict the rule to the Domain profile and, on the Scope tab, to the "Local subnet" remote address: that is as far as Bonjour discovery reaches anyway, and it keeps the listener unreachable from any other network.

Finally the rule is now created and active:
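Sections 2.2 to 2.6 as one PowerShell script, added here as an example; this is not code from the original article or from the AirPrint package. It assumes airprint.exe has already been unpacked into the AirPrint directory named above, takes the service name "Bonjour Service" from the article, and uses netsh advfirewall because Windows Server 2008 R2 has no firewall cmdlets. The scoping of the firewall rule to the Domain profile and the local subnet, and the directory ACL check, are this editor's additions.

```powershell
# Added example (not from the original article): register airprint.exe as a
# service with a quoted image path, make sure Bonjour is up, start AirPrint and
# open the firewall for the program only, scoped to the domain profile and the
# local subnet. Run from an elevated PowerShell 2.0 prompt on the print server.
# Assumed: airprint.exe is already in <Program Files>\AirPrint\ (article's path).

$svcName     = 'AirPrint'
$bonjourName = 'Bonjour Service'

# airprint.exe is 32-bit: on x64 Windows it lives under "Program Files (x86)".
# ${env:ProgramFiles(x86)} is only defined on 64-bit Windows, whatever the
# bitness of the PowerShell process doing the work.
$baseDir = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$exe     = Join-Path $baseDir 'AirPrint\airprint.exe'
$dir     = Split-Path $exe
if (-not (Test-Path $exe)) { throw "airprint.exe not found at $exe" }

# The directory holding a LocalSystem service binary must not be writable by
# ordinary users, otherwise anyone could replace what runs as SYSTEM at boot.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl'
$weak = @((Get-Acl $dir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
    $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
})
if ($weak.Count -gt 0) { throw "Refusing to register a service from a user-writable directory: $dir" }

# Section 2.2: same as the sc.exe create command, with the image path quoted so
# the Service Control Manager never resolves "C:\Program" (unquoted service path).
if (-not (Get-Service -Name $svcName -ErrorAction SilentlyContinue)) {
    New-Service -Name $svcName -DisplayName 'AirPrint' `
                -BinaryPathName "`"$exe`" -s" `
                -DependsOn $bonjourName -StartupType Automatic | Out-Null
}

# Section 2.4: Bonjour must be running before AirPrint can start.
$bonjour = Get-Service -Name $bonjourName -ErrorAction Stop
if ($bonjour.Status -ne 'Running') {
    Start-Service -Name $bonjourName
    $bonjour.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
}

# Section 2.5: start AirPrint and wait until it reports Running.
Start-Service -Name $svcName
(Get-Service -Name $svcName).WaitForStatus('Running', (New-TimeSpan -Seconds 30))

# Section 2.6: program rule, Domain profile only, local subnet only (mDNS
# discovery is link-local, so nothing further away needs to reach the listener).
netsh advfirewall firewall add rule name="AirPrint" dir=in action=allow `
      program="$exe" enable=yes profile=domain remoteip=localsubnet | Out-Null

# Show the result: state, start mode and the (quoted) image path of both services.
Get-WmiObject Win32_Service -Filter "Name='$svcName' OR Name='$bonjourName'" |
    Select-Object Name, State, StartMode, PathName | Format-List
```

The PathName printed at the end must start with a double quote; if it does not, the service was registered with an unquoted path and should be deleted and created again.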

2.7/ ACL - Allow the users who will print the right to print on that server

The default printer permissions allow the well-known SID "Everyone" (S-1-1-0) to print.

Please note that all domain users carry that SID in their token, so nothing has to be changed here unless you tightened the printer ACLs:

2.8/ ACL - Allow the users who will print the right to log on to the print servers:

I agree this step sounds a bit odd to those for whom security is a main concern.

2.8.1/ Kerberos authentication

Please let me explain why this is needed:

- in the configuration we made, the airprint.exe service does not run under a dedicated identity (sc.exe create without an obj= parameter registers it to run as LocalSystem)

- nor does it have a Kerberos SPN of its own

thus built-in Kerberos authentication will not work for that service (an NTLM negotiation is actually performed)

2.8.2/ The airprint service requires the user to log on locally.

At this point I did not find a better way to handle this more securely.

Here are the two available options:

- grant the users the right to log on to the print server. This right ("Allow log on locally") governs interactive logons at the console; Remote Desktop access is controlled by a separate right and by the Remote Desktop Users group, so on a well-patched server with sound physical security this is a limited exposure. Still, keep the group no wider than the population that really needs to print.

- OR grant these users "Print Operators" membership. This is a more serious security concern, since Print Operators can manage every printer, driver and print job on the server. I personally think this is the wrong choice.

In order to grant them the right to log on to the print server, you have to create a GPO that grants the users who will print the "Allow log on locally" right on the print server.

Create a GPO targeting the selected print servers. This is a Computer Configuration setting (Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally).

For instance, in the following screenshot, I allowed the "CORP\Employees" security group the right to log on locally on the print server:

Please note that I will later write a blog article on how to finely manage the rights you assign to administrators whom you do not fully trust.
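To see what section 2.8 actually ended up granting on a given print server, here is an added audit script (not part of the original article) that lists who holds "Allow log on locally" and who is in Print Operators. It reads the effective local policy with secedit, so it must run elevated on the print server; the group name CORP\Employees is the one used above and only illustrates the warning at the end.

```powershell
# Added example (not from the original article): audit the two things
# section 2.8 discusses, the "Allow log on locally" right and the membership
# of the built-in Print Operators group. Run elevated on the print server.

function Get-LogonLocallyGrantees {
    # secedit exports the effective local policy as an INI file in which each
    # user right is a comma-separated list of SIDs prefixed with '*'.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -Force
    if (-not $line) { return @() }

    $line.Split('=')[1].Split(',') | ForEach-Object {
        $token = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($token)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $token   # already a name, or an orphaned SID that no longer resolves
        }
    }
}

function Get-PrintOperators {
    # The ADSI WinNT provider enumerates local group members, domain groups included.
    $group = [ADSI]'WinNT://./Print Operators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

$grantees  = @(Get-LogonLocallyGrantees)
$operators = @(Get-PrintOperators)

"Allow log on locally on ${env:COMPUTERNAME}:"
$grantees  | ForEach-Object { "  $_" }
"Print Operators members:"
$operators | ForEach-Object { "  $_" }

# The two things section 2.8 warns about: an interactive logon right handed to
# a very broad group, and ordinary users placed in Print Operators.
$broad = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.*\\Domain Users)$'
if ($grantees -match $broad) {
    Write-Warning 'Allow log on locally is granted to a very broad group on this print server.'
}
if ($operators -match '\\Employees$') {
    Write-Warning 'Print Operators contains the Employees group: prefer the logon right alone.'
}
```

Run it once after the GPO has applied (gpupdate /force, then the script) and keep the output with the change record; an orphaned SID in the first list usually means a group was deleted while the right was still assigned.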

2.9/ Install and configure your printers

3/ Enjoy !

Please keep in mind the iPad/iPhone/Mac have to be on the same IP subnet as the print servers, for the Bonjour discovery protocol (multicast DNS, which is not routed) to work.

When that is the case, you can select the printer you want to print on, enter your corporate username and password, and it prints like a charm!

Sunday, July 18, 2010

virtual-win-lab-mgmt is now open-source

virtual-win-lab-mgmt permits easy virtual lab deployment and management in a minimalist Hyper-V environment: even without an Active Directory domain or without tools such as SCVMM.

Initially developed within 3 days, virtual-win-lab-mgmt was already 900+ PowerShell SLOC long. This tool was widely used for preparing and managing the virtual labs of the Microsoft TechDays 2010, Paris, France.

This project is hosted on the Google Code repository.

Saturday, July 17, 2010

Secure and easy ucarp ip-failover using ucarp-multi

ucarp-multi is an extension to the ucarp package, providing an easy way to set up IPv4 failover among several hosts, and for several sub-interfaces.

This package is hosted on

Thursday, July 1, 2010

Voyage-Sncf: security design flaw

Voyage-Sncf, the trip reservation website of the main French rail company, is one of the most important websites on the French IT market. Every day, seven thousand train tickets are bought on that very website.

How crazy is it that my browser was telling me "This is a non-secure form" (see the screenshot above)?
Since I was already on an https web page, I figured the form was being sent unencrypted...

It would be too unbelievable to be true. Maybe it is a Safari bug?
However, after a quick look at the source code (by the way, please double-check the highlighted URL) where the form is submitted:

This is just crazy! The form is sent to an unencrypted web page (the URL starts with http:// and not https://), so whatever the user types into it leaves the browser in clear text, even though the page that displayed the form was served over https. After the recent privacy incidents in which lots of names were leaked because of poor security, I find such a lack of rigor in the way the programmers built this application unbelievable.
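The check a browser makes before showing that warning is simple enough to script. Here is an added example (not part of the original post, and the HTML in it is constructed, not the real site's markup) that resolves every form action against the page URL and reports the ones that leave https. With Internet access you could feed it real HTML from (New-Object Net.WebClient).DownloadString($pageUrl); the page URL and the example.com hosts are assumptions.

```powershell
# Added example (not from the original post): flag forms on an https page whose
# action resolves to a non-https URL, i.e. the flaw described above.
# The sample HTML is constructed for the example; it is not voyages-sncf.com markup.

function Get-InsecureFormActions {
    param(
        [Parameter(Mandatory=$true)][string]$PageUrl,   # the page the browser displays (https://...)
        [Parameter(Mandatory=$true)][string]$Html
    )
    $base     = New-Object System.Uri($PageUrl)
    $findings = @()
    # Good enough for an audit: every <form ...> tag and its action attribute.
    foreach ($m in [regex]::Matches($Html, '<form\b[^>]*>', 'IgnoreCase')) {
        $tag = $m.Value
        $a   = [regex]::Match($tag, 'action\s*=\s*["'']?([^"''\s>]*)', 'IgnoreCase')
        $action = if ($a.Success) { $a.Groups[1].Value } else { '' }
        # A relative or empty action resolves against the page itself and so
        # inherits https; only an absolute http:// action changes the scheme.
        $target = New-Object System.Uri($base, $action)
        if ($base.Scheme -eq 'https' -and $target.Scheme -ne 'https') {
            $findings += New-Object PSObject -Property @{
                Form      = $tag
                SubmitsTo = $target.AbsoluteUri
            }
        }
    }
    return $findings
}

# Constructed sample: one form posting to http, one relative, one to https.
$sampleHtml = @'
<html><body>
<form id="login" method="post" action="http://www.example.com/login">
  <input name="user"><input type="password" name="pwd">
</form>
<form id="search" method="get" action="/search">
  <input name="q">
</form>
<form id="book" method="post" action="https://secure.example.com/book">
</form>
</body></html>
'@

# Only the "login" form is reported: the other two stay on https.
Get-InsecureFormActions -PageUrl 'https://www.example.com/reservation' -Html $sampleHtml |
    Format-Table SubmitsTo, Form -AutoSize -Wrap
```

Note that a form whose action is fine in the static HTML can still be redirected by script at submit time, so this catches the mistake shown in the screenshot, not every way of making it.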

Tuesday, June 29, 2010

Random thoughts to improve voice recognition

As stated once more, this time in an ITWorld article about Google making Google Voice available to SMBs, improvements still have to be made in voice recognition.

More and more vendors have already added a voicemail-to-email transcription service, a service whose accuracy is not really its main strength: sometimes even numbers are not recognized correctly!

Just a thought on that topic: maybe researchers could:
- add several noise filters
- recognize the language
- recognize the accent
- build a recognition model for each language and for each accent, or at least a global model for each language, and a global one for each accent
- train these models on a representative set

Monday, June 7, 2010

DNS dynamic secure updates credentials

As early as Windows Server 2003, Microsoft introduced DNS dynamic secure updates.
This mechanism permits authorized hosts, such as DHCP servers for instance, to update DNS entries, resulting in a lot of automatically managed DNS records and reducing the amount of manual administrative work.

In order to configure this mechanism:
1/ create an update account, member of the DnsUpdateProxy security group

By default, the DnsUpdateProxy security group is located under the Users container of your domain.

In my example, I created an account named DNSSecureUpdateAccount.
You then have to update its group membership to make it a member of the DnsUpdateProxy security group.

Also keep in mind there are several security considerations regarding the password complexity and the password expiration of this account: the DHCP service stores these credentials and uses them for every registration, so if the password expires, DHCP silently stops updating DNS. Give the account a long random password and no rights beyond the group membership, and decide deliberately between a non-expiring password and a scheduled rotation. You should think twice about these factors.

2/ configure DNS secure updates credentials in the DHCP snap-in
Within the DHCP snap-in:
- right-click IPv4
- then go to properties

- then the Advanced tab

- then on the Credentials button, fill in the user account previously created.

3/ enable DNS secure updates
- go to the DNS tab
- under "Name Protection", click on the "Configure" button
- then check the "Enable Name Protection" box, as in the screenshot:

- The DNS tab now does look like:

4/ Only allow secure dynamic updates on your DNS servers
- for each DNS server:
- within the DNS snap-in:
- navigate to Forward Lookup Zones, then to your domain zone
- right-click > Properties

- then under "Dynamic updates", select "Secure only"

5/ Enjoy !
Just as a test:
- I turned off a domain computer named vm1 (which was DHCP-configured; actually it was a virtual machine ;)
- then I manually deleted its DNS record on all DNS servers
- I also scavenged the records and cleared the DNS caches
- nslookup vm1: no entry
- I then powered it up, did a DNS lookup, and it just worked like a charm!
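Steps 1, 2 and 4 above, plus a check of step 4, as one PowerShell script. This is an added example, not code from the original post; it uses the tools Windows Server 2008 R2 actually ships with (the ActiveDirectory module, netsh dhcp and dnscmd). Step 3 (Name Protection) stays a console setting here. The domain name CORP, the zone corp.example.com and the server names dns1 and dns2 are assumptions for the example; the account name DNSSecureUpdateAccount is the one used in the post.

```powershell
# Added example (not from the original post): configure DNS secure dynamic
# updates for DHCP end to end and verify the zone setting on every DNS server.
# Run elevated on the DHCP server as a domain administrator.
# Assumed names: domain CORP, zone corp.example.com, DNS servers dns1 and dns2.

Import-Module ActiveDirectory

$user    = 'DNSSecureUpdateAccount'
$domain  = 'CORP'
$zone    = 'corp.example.com'
$servers = 'dns1', 'dns2'

# Step 1: a dedicated, unprivileged account that is a member of DnsUpdateProxy.
# PasswordNeverExpires is the trade-off discussed above: an expired password
# makes DHCP stop registering records without any obvious error, so rotate it
# deliberately (new password, then re-run step 2) instead of letting it lapse.
$pw = Read-Host -Prompt "Password for $domain\$user" -AsSecureString
if (-not (Get-ADUser -Filter { SamAccountName -eq $user })) {
    New-ADUser -Name $user -SamAccountName $user `
               -Description 'DHCP to DNS secure dynamic update account' `
               -AccountPassword $pw -Enabled $true `
               -PasswordNeverExpires $true -CannotChangePassword $true
}
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $user

# Step 2: hand the credentials to the DHCP service. netsh only takes a clear-text
# password, so the SecureString is decoded for this one call and then wiped.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
netsh dhcp server set dnscredentials $user $domain $plain | Out-Null
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$plain = $null

# Step 4: secure-only dynamic updates on every DNS server.
# dnscmd AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only.
foreach ($s in $servers) {
    dnscmd $s /Config $zone /AllowUpdate 2 | Out-Null
}

function Test-ZoneSecureOnly {
    param([string]$Server, [string]$Zone)
    # dnscmd /ZoneInfo prints an "update = <n>" line; 2 means secure only.
    $line = dnscmd $Server /ZoneInfo $Zone | Where-Object { $_ -match '^\s*update\s*=' } | Select-Object -First 1
    if (-not $line) { return $false }
    return ([regex]::Match($line, '=\s*(\d)').Groups[1].Value -eq '2')
}

foreach ($s in $servers) {
    $state = if (Test-ZoneSecureOnly -Server $s -Zone $zone) { 'secure only' } else { 'NOT secure only' }
    "{0}: {1}" -f $s, $state
}

# Step 5, the check from the post: once the client has rebooted and renewed its
# lease, its A record must be back without anyone creating it by hand:
#   ipconfig /flushdns ; nslookup vm1
```

If the last loop reports "NOT secure only" for a server, the zone on that server is still accepting unauthenticated updates, and any host on the network can overwrite records there until it is fixed.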