IPP Everywhere IPP 2.0 Server Basic Authentication

Sixten Grevesmühl 5 Reputation points
2023-11-17T11:02:09.73+00:00

We are attempting to develop and IPP Everywhere Printing Server ( IPP 2.0 ) and are having issue with Windows 10 / 11 when attempting to authenticate the clients using Basic Authentication

When we run the system as IPP 1.0 and PostScript Driver everything works as expected.

But we have now updated the server to conform to the IPP 2.0 standard, and we are able to add the printer.. but when we attempt to print and challenge the Client with a 401 Unauthorized the print job is marked as "Error" and the client is never challenged for its credentials.

We add it using the "Add a printer using the ip address or hostname" we see incoming requests using IPP v2 to the printer server, and the printer is added successfully. But when we attempt to print and challenge using Basic Auth the print fails, if we disable Auth everything works

Is there anything specific that the Windows 10/11 IPP Everywhere Drivers require ?

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,816 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. Douglas Kosovic 5 Reputation points
    2023-11-30T21:25:16.2433333+00:00

    I observed the same when authentication is enabled on an IPP Everywhere print server, the driverless Windows IPP inbox class driver keeps trying the IPP Validate-Job operation (every 5 seconds). Using Wireshark, I observed IPP uri-authentication-supported is never requested, nor does it respond to the HTTP 401 Unauthorized response.

    To enable authentication with the driverless Windows IPP inbox class driver, I believe you'll need to write a Print Support Apps (PSA) PrintSupportExtension that does the authentication.

    More about PSA design and PSA association (for Hardware Id or Compatible Id and override for enterprise customers):

    Microsoft have abstracted the IPP operations in the PSA API too much so not able to do basic auth in a HTTP header using that API, so in the PrintSupportExtension, I suspect you'll need to talk directly to the IPP Everywhere print server and provide authentication before the Validate-Job operation, in effect using a side channel.

    I also observed that the IPP requesting-user-name is often not correct, initially it correctly provides a DOMAIN\username account, but after a reboot it annoyingly switches to using a DOMAIN\computername$ account, but with no rhyme or reason it occasionally switches back to DOMAIN\username.

    I didn't like the idea of writing custom PSA code and installing that on a clients' BYOD Windows laptops, so side-stepped the issue by writing custom authorization code in CUPS which queries a VPN API for the authorized user on the corresponding IP address.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.