Monday, January 10, 2011

Printing from an iPhone, iPad or Mac using AirPrint, Bonjour in an Active Directory domain

AirPrint is a new feature of iOS 4.2.1 for the iPad and iPhone.

It relies on Bonjour for service discovery.

Since several corporations have already started to integrate the iPad, iPhone and Mac into their assets, some people may wonder how to allow these devices to print on Windows servers in an Active Directory environment.

In this article, I will explain the questions you have to ask yourself before starting such a task, and how to achieve that goal successfully!

1/ Analyse which print server(s) you want users to be able to print to from their iPad / iPhone:

1.1/ check the requirements

- the right to perform administrative operations on the print server

- the ability to install services on the print server

- the print servers have to be on the same subnet as the iPad/iPhone/Mac

1.2/ Note

The following steps and screenshots were performed on a Windows 2008 R2 server, which is an x64 Windows OS. There should, however, be no major differences if you perform these steps on Windows Vista, 7, or Server 2008.

2/ On each one of these servers, perform the following tasks:

2.1/ Download the AirPrint service

2.2/ Install and register the AirPrint service

Run the Windows Command Prompt "cmd.exe" as a local administrator:

2.2.1/ If you are running an x86 Windows OS

Put the airprint files in a newly created directory: %ProgramFiles%\AirPrint\

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "%ProgramFiles%\AirPrint\airprint.exe -s" depend= "Bonjour Service" start= auto

2.2.2/ In case you are running an x64 Windows OS

Put the airprint files in a newly created directory under the 32-bit program folder: %ProgramFiles(x86)%\AirPrint\ (this is the path the command below points to)

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "%ProgramFiles% (x86)\AirPrint\airprint.exe -s" depend= "Bonjour Service" start= auto

Since we indicated the AirPrint service depends on the "Bonjour Service" (see the command above and the screenshot below), we now have to install the Bonjour Service.

2.3/ Download and install the Bonjour Print services for Windows

2.4/ Check the Bonjour service is running

Once installed, you can run services.msc to see that the Bonjour Service is now started.

If it is not the case, then within the cmd.exe prompt, run:

sc interrogate "Bonjour Service"

If it reports that the service is stopped, start it:

And then check it is started:

2.5/ Start the AirPrint service:

and then check it is actually started:

2.6/ Allow AirPrint traffic through the built-in OS firewall:

Either by GPO, or locally on the print server, create an Allow rule for the AirPrint service:

Specify the path of the airprint service.

Please note that the path in the following screenshot contains "Program Files (x86)" because airprint.exe is an x86 executable and I am running it on a Windows x64 server; just remove the " (x86)" part if you are running it on an x86 server:

Since we are not yet able to enforce IPsec policies on the iPad and iPhone, just choose "Allow the connection":

Finally the rule is now created and active:
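Steps 2.2 to 2.6 as one PowerShell script, added here as an example and not taken from the original post. It assumes Bonjour Print Services is already installed (step 2.3), that the airprint files were copied into the AirPrint directory chosen below, and that it runs in an elevated PowerShell on the print server (Windows Server 2008 R2, PowerShell 2.0 syntax).

```powershell
# Added example (not from the original post): steps 2.2 to 2.6 as one idempotent script.
# Assumptions: Bonjour Print Services is installed, the airprint files are already in the
# AirPrint directory computed below, and this runs elevated on the print server.
$ErrorActionPreference = 'Stop'

# Steps 2.2.1 / 2.2.2: on an x64 OS the 32-bit airprint.exe goes under "Program Files (x86)".
# The ProgramFiles(x86) environment variable only exists on x64 Windows, so use it to decide.
if (${env:ProgramFiles(x86)}) { $airprintDir = Join-Path ${env:ProgramFiles(x86)} 'AirPrint' }
else                          { $airprintDir = Join-Path $env:ProgramFiles 'AirPrint' }
$airprintExe = Join-Path $airprintDir 'airprint.exe'
if (-not (Test-Path $airprintExe)) { throw "airprint.exe not found at $airprintExe" }

# Equivalent of the post's "sc.exe create AirPrint ..." command. The executable path is wrapped
# in its own quotes: a service image path containing spaces must be quoted, otherwise the
# service control manager may resolve it to a different executable along that path.
if (-not (Get-Service -Name 'AirPrint' -ErrorAction SilentlyContinue)) {
    New-Service -Name 'AirPrint' -DisplayName 'AirPrint' `
        -BinaryPathName "`"$airprintExe`" -s" `
        -DependsOn 'Bonjour Service' -StartupType Automatic | Out-Null
}

# Steps 2.4 and 2.5: the dependency means Bonjour must be running before AirPrint will start.
foreach ($name in 'Bonjour Service', 'AirPrint') {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
    $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
    '{0,-16} {1}' -f $name, (Get-Service -Name $name).Status
}

# Step 2.6: inbound allow rule scoped to airprint.exe only and to the Domain profile only
# (the print server sits on the domain network, so that is the profile in effect).
# netsh is used because New-NetFirewallRule does not exist before Windows Server 2012.
if (-not (netsh advfirewall firewall show rule name="AirPrint" | Select-String 'Rule Name')) {
    netsh advfirewall firewall add rule name="AirPrint" dir=in action=allow `
        program="$airprintExe" enable=yes profile=domain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed with exit code $LASTEXITCODE" }
}
```

Running it a second time is harmless: the service and the firewall rule are only created when absent, and the services are only started when not already running.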

2.7/ ACL - Allow the users who will print the right to print on that server

The default permissions allow the well-known SID "Everyone" to print.

Please note that every domain user carries that SID in their token:

2.8/ ACL - Allow the users who will print the right to log on to the print servers:

I agree this step sounds a bit odd to those for whom security is a main concern.

2.8.1/ Kerberos authentication

Please let me explain why this is needed:

- in the configuration we made, the airprint.exe service does not run under a specified identity

- nor does it have a Kerberos SPN

thus built-in Kerberos authentication will not work for that service (an NTLM negotiation will actually be performed)

2.8.2/ The airprint service requires the user to log on locally.

At this point I have not found a more secure way to handle this.

Here are the two available options:

- grant the users the right to log on locally to the print server (if the server is well patched, and the corporation's security policies are properly applied, this is not a major security issue)

- OR grant these users "Print Operators" membership (this is a bigger security concern, since the users would then be able to change printer settings on the print server. I personally think this is the wrong choice).

In order to grant them the right to log on to the print server, you have to create a dedicated GPO that grants the users who will print the right to log on locally to the print server.

Create a GPO targeting the selected print servers. This is a Computer Configuration setting.

For instance, in the following screenshot, I granted the "CORP\Employees" security group the right to log on locally to the print server:

Please note that I will later write a blog article on how to fine-tune the rights you assign to administrators you do not fully trust.
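As an added check, not part of the original post: once the GPO from step 2.8 has applied, this PowerShell script exports the local user-rights assignment with secedit and lists who effectively holds the "Allow log on locally" right (SeInteractiveLogonRight) on the print server, warning when the group is missing or when a much broader principal holds the right. The group name is taken from the screenshot above and is an assumption; adjust it to your environment.

```powershell
# Added example (not from the original post): audit who effectively holds "Allow log on locally"
# on this print server after the GPO from step 2.8 has applied. Run elevated.
$allowedGroup = 'CORP\Employees'   # assumption: the group used in the post's screenshot

# Export the effective local security policy (user rights only) with secedit.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# The right is a comma-separated list; SIDs are written with a leading '*'.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } | Select-Object -First 1
Remove-Item $cfg
if (-not $line) { throw 'SeInteractiveLogonRight was not found in the export' }

$resolved = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # Translate the raw SID to DOMAIN\Name; keep the SID if it no longer resolves.
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }
    } else { $entry }
}

"Allow log on locally on ${env:COMPUTERNAME}:"
$resolved | ForEach-Object { "  $_" }

# The group must be present, or the AirPrint logons will fail. Anything broader deserves a
# second look: BUILTIN\Users contains Domain Users on a domain-joined server.
if ($resolved -notcontains $allowedGroup) { Write-Warning "$allowedGroup does not hold the right" }
$broad = $resolved | Where-Object { $_ -eq 'Everyone' -or $_ -match '\\(Authenticated Users|Domain Users|Users)$' }
if ($broad) { Write-Warning "Broad principals hold the right: $($broad -join ', ')" }
```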

2.9/ Install and configure your printers

3/ Enjoy !

Please keep in mind that the iPad/iPhone/Mac has to be on the same IP subnet as the print servers for the Bonjour discovery protocol to work.

When that is the case, you can select the printer you want to print on; you just have to enter your corporate username and password, and it will print like a charm!