Monday, January 10, 2011

Printing from an iPhone, iPad or Mac using AirPrint, Bonjour in an Active Directory domain

AirPrint is a new feature of iOS 4.2.1 for the iPad and iPhone.

It relies on Bonjour for service discovery.

Since several corporations have already started to integrate the iPad, iPhone and Mac into their assets, some people may wonder how to allow these devices to print on Windows servers in an Active Directory environment.

In this article, I will explain the questions you have to ask yourself before starting such a task, and how to achieve that goal successfully!

1/ Decide on which print server(s) you want users to be able to print from their iPad / iPhone:

1.1/ check the requirements

- the right to perform administrative operations on the print server

- the ability to install services on the print server

- the print servers have to be on the same subnet as the iPad/iPhone/Mac

1.2/ Note

The following steps and screenshots were performed on a Windows Server 2008 R2 server, which is an x64 Windows OS. There should however be no major differences if you perform these steps on Windows Vista, 7, or Server 2008.

2/ On each one of these servers, perform the following tasks:

2.1/ Download the AirPrint service

2.2/ Install and register the AirPrint service

Run the Windows Command Prompt "cmd.exe" as a local administrator:

2.2.1/ If you are running an x86 Windows OS

Put the airprint files in a newly created directory: %ProgramFiles%\AirPrint\

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "%ProgramFiles%\AirPrint\airprint.exe -s" depend= "Bonjour Service" start= auto

2.2.2/ In case you are running an x64 Windows OS

Put the airprint files in a newly created directory under the 32-bit Program Files folder: %ProgramFiles(x86)%\AirPrint\ (airprint.exe is a 32-bit executable, and the command below points to that location)

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "%ProgramFiles% (x86)\AirPrint\airprint.exe -s" depend= "Bonjour Service" start= auto

Since we declared that the AirPrint service depends on the "Bonjour Service" (see the command above and the screenshot below), we now have to install the Bonjour Service.

2.3/ Download and install the Bonjour Print services for Windows

2.4/ Check the Bonjour service is running

Once installed, you can run services.msc to see that the Bonjour Service is now started.

If that is not the case, then within the cmd.exe prompt, run:

sc interrogate "Bonjour Service"

Thus we have to start the service:

And then check it is started:

2.5/ Start the AirPrint service:

and then check it is actually started:

2.6/ Allow AirPrint traffic through the built-in OS firewall:

Either by GPO, or locally on the print server, create an Allow rule for the AirPrint service:

Specify the path of the airprint service.

Please note that the path in the following screenshot contains " (x86)" because airprint.exe is an x86 executable and I am running it on a Windows x64 server; just remove the " (x86)" part if you are running it on an x86 server:

Since we are not yet able to enforce IPsec policies on the iPad and iPhone, just choose "Allow the connection":

Finally the rule is now created and active:
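The registration, service start and firewall steps of sections 2.2 to 2.6, as an added PowerShell example that is not part of the original article. It assumes airprint.exe has already been copied into an AirPrint folder under the 32-bit Program Files directory and that Bonjour Print Services is installed; it uses New-Service instead of sc.exe so that the registered executable path is stored quoted (a path with spaces left unquoted in a service's ImagePath is something a hardening review will flag), and it limits the firewall rule to the local subnet, which is all that Bonjour discovery reaches anyway.

```powershell
# Added example (not from the original article): register, start and firewall
# the AirPrint service from one elevated PowerShell prompt.
# Assumptions: airprint.exe is already in <32-bit Program Files>\AirPrint\ and
# Bonjour Print Services for Windows is installed ("Bonjour Service" exists).
$ErrorActionPreference = 'Stop'

# airprint.exe is a 32-bit binary, so on x64 it lives under "Program Files (x86)"
$programFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$exe = Join-Path $programFiles 'AirPrint\airprint.exe'
if (-not (Test-Path $exe)) { throw "airprint.exe not found at $exe" }

# Service installation needs an elevated prompt
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (administrator) prompt' }

# The dependency must be installed and running before AirPrint can start
$bonjour = Get-Service -Name 'Bonjour Service' -ErrorAction SilentlyContinue
if (-not $bonjour) { throw 'Install Bonjour Print Services for Windows first' }
if ($bonjour.Status -ne 'Running') {
    Start-Service $bonjour
    $bonjour.WaitForStatus('Running', '00:00:30')
}

# Same settings as the article's sc.exe command (auto start, depends on Bonjour),
# but the executable path is quoted inside the binary path
if (-not (Get-Service -Name AirPrint -ErrorAction SilentlyContinue)) {
    New-Service -Name AirPrint -DisplayName 'AirPrint' -BinaryPathName "`"$exe`" -s" `
        -DependsOn 'Bonjour Service' -StartupType Automatic | Out-Null
}
Start-Service -Name AirPrint
(Get-Service -Name AirPrint).WaitForStatus('Running', '00:00:30')

# Inbound allow rule for airprint.exe (section 2.6). Bonjour discovery only
# works on the same subnet, so restrict the rule to LocalSubnet rather than any
# remote address, and to the domain profile the print server sits in.
& netsh advfirewall firewall add rule name=AirPrint dir=in action=allow `
    program="$exe" remoteip=localsubnet profile=domain enable=yes | Out-Null

# Final state check, the equivalent of the services.msc screenshots
Get-Service -Name 'Bonjour Service', AirPrint | Format-Table Name, Status, DisplayName -AutoSize
```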

2.7/ ACL - Allow the users who will print the right to print on that server

The default permissions allow the well-known SID "Everyone" to print.

Please note that all domain users carry that SID in their token:

2.8/ ACL - Allow the users who will print the right to log on on the print servers:

I agree this step sounds a bit weird for those for whom security is a main concern.

2.8.1/ Kerberos authentication

Please let me explain why this is needed:

- in the configuration we made, the airprint.exe service does not run under a specified identity (it runs as the local system account)

- nor does it have a Kerberos SPN

thus built-in Kerberos authentication will not work for that service (an NTLM negotiation will actually be performed)

2.8.2/ The airprint service requires the user to be able to log on locally.

At this point I did not find a better way to handle this in a more secure way.

Here are the two available options:

- grant the users the right to log on locally on the print server (if the server is well patched, and the corporation's security policies are well applied, this is not a major security issue)

- OR grant these users "Print Operators" membership (this is a more serious security concern, since the users would then be able to change printer settings on the print server. I personally think this is the wrong choice).

In order to grant them the right to log on locally on the print server, you have to create a dedicated GPO.

2.8.2.1/ Grant the users who will print the right to log on locally on the print server

Create a GPO targeting the selected print servers. This is a Computer Configuration.

For instance, in the following screenshot, I granted the "CORP\Employees" security group the right to log on locally on the print server:

Please note that I will later write a blog article on how to finely manage the rights you assign to administrators whom you do not fully trust.
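A check for the NTLM fallback and the local logon right discussed in section 2.8, as an added PowerShell example that is not part of the original article. It assumes the AirPrint logons are recorded in the Security log of the print server as event 4624 (success) or 4625 (failure, the Server 2008 equivalent of the 2003-era event 529) with logon type 2, the interactive type that the "Allow log on locally" right governs, and that logon auditing is enabled; the field names are those of the Vista/2008 event schema.

```powershell
# Added example (not from the original article): report which authentication
# package the logons on this print server actually use, and which accounts are
# being refused. Assumption: AirPrint logons show up as event 4624/4625 with
# LogonType 2. Run as an administrator on the print server.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

function Get-EventField($event, $name) {
    # Pull a named EventData field out of the event's XML representation
    $xml = [xml]$event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$successes = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue
$failures  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue

"Interactive (type 2) logons since $since, by account and authentication package:"
$successes |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '2' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Account = (Get-EventField $_ 'TargetDomainName') + '\' + (Get-EventField $_ 'TargetUserName')
            Package = Get-EventField $_ 'AuthenticationPackageName'
        }
    } |
    Group-Object Account, Package |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
# "NTLM" entries confirm the article's point: without an SPN the service falls
# back to NTLM, so these users need the "Allow log on locally" right.

"Failed logons (event 4625) since $since, by account and NT status:"
$failures |
    ForEach-Object {
        New-Object PSObject -Property @{
            Account = (Get-EventField $_ 'TargetDomainName') + '\' + (Get-EventField $_ 'TargetUserName')
            # 0xC000015B = the account is not granted the requested logon type,
            # i.e. the GPO from 2.8.2.1 has not reached this user yet
            Status  = Get-EventField $_ 'Status'
        }
    } |
    Group-Object Account, Status |
    Format-Table Count, Name -AutoSize
```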

2.9/ Install and configure your printers

3/ Enjoy !

Please keep in mind that the iPad/iPhone/Mac have to be on the same IP subnet as the print servers, for the Bonjour discovery protocol to work.

When that is the case, you can now select the printer you want to print on; you just have to enter your corporate username and password, and it will print like a charm!

12 comments:

  2. Maeday, I am surprised users still cannot print from their apple peripheral, especially if you granted these users the right to log on on the server.

    Could you check the events in the security log?

    Cheers.

  3. I got the Bonjour and Airprint service running on my Windows 2003 server. The only thing is it only lets the local admin print to those printers. But when I try my Domain user, which is also a domain user, I get an Unknown Username and password event 529 logged in the Windows event log. Is there something special about the way the iPad passes user information to that server?

  4. How can I get it to work where the server is in one VLAN (static IP), the printers are in a different VLAN (static IP), and our wireless network a different VLAN?

    Our server is Win2k3(for right now). Thanks!

  5. Seth, you have to perform L3 (network, IP) routing between your VLANs. Please search for VLAN routing on your favorite search engine. Cheers.

  6. GarrettD78,

    I advise you first to check what that event id 529 is.

    From several sources it seems related to authentication.
    Here are some ideas:
    - negotiation: LM, NTLM, Kerberos (if Kerberos, are the SPNs correctly defined?)
    - password: are you using the right password?
    - logon: is the user authorized to log on on that print server?

    If I remember correctly, the iPad does correctly handle a Kerberos authentication (if you only have one domain, try authenticating without the REALM (domain @blabla.com or BLABLA\) first, then try with the classic BLABLA\user, then user@blabla.com)
    And see if there is any change in that.
    If not, it is either related to the authentication negotiation, or to a user privilege / right.

    Hope this helps.

    Cheers.

  7. Thanks! I will pass it along to our net admin to look into further.

    I also set up an XP test box with a static IP that is on the wireless VLAN, installed a test printer, and shared that printer. However, when I go to my iOS device, it tells me no printers can be found. The switch port that the test box is using is configured to use the Wireless VLAN as the default VLAN id.

  8. Thanks. Helped me get it working on the domain. I set up users who need to print from iPad/iPhone as Print Operators as the print server is also a DC and I am not keen on allowing local logon to it. Is there not a way to run the airprint service as an account that can have permissions to do Kerberos if you created a user for the service?
    One thing I was a bit worried about is that when I set the users as Print Operators, it printed without asking for a user/pass at all. Perhaps it remembered it from previous attempts.

  9. I set up airprint in Windows 2003 following the above steps but I can't see the printer on the iPad.

  11. Not the most secure method, but create an administrator account locally on the machine running airprint, then from the network user's account where airprint installed, go to services AirPrint>Properties>log on>This account (choose the newly created local admin)> enter password> ok> restart service.

    From iPad, enter the local admin username and password and you are good to go.
