IPP Everywhere IPP 2.0 Server Basic Authentication

Question

We are attempting to develop and IPP Everywhere Printing Server ( IPP 2.0 ) and are having issue with Windows 10 / 11 when attempting to authenticate the clients using Basic Authentication

When we run the system as IPP 1.0 and PostScript Driver everything works as expected.

But we have now updated the server to conform to the IPP 2.0 standard, and we are able to add the printer.. but when we attempt to print and challenge the Client with a 401 Unauthorized the print job is marked as "Error" and the client is never challenged for its credentials.

We add it using the "Add a printer using the ip address or hostname" we see incoming requests using IPP v2 to the printer server, and the printer is added successfully. But when we attempt to print and challenge using Basic Auth the print fails, if we disable Auth everything works

Is there anything specific that the Windows 10/11 IPP Everywhere Drivers require ?

Answer 1

I observed the same when authentication is enabled on an IPP Everywhere print server, the driverless Windows IPP inbox class driver keeps trying the IPP Validate-Job operation (every 5 seconds). Using Wireshark, I observed IPP uri-authentication-supported is never requested, nor does it respond to the HTTP 401 Unauthorized response.

To enable authentication with the driverless Windows IPP inbox class driver, I believe you'll need to write a Print Support Apps (PSA) PrintSupportExtension that does the authentication.

More about PSA design and PSA association (for Hardware Id or Compatible Id and override for enterprise customers):

• https://learn.microsoft.com/en-us/windows-hardware/drivers/devapps/print-support-app-design-guide
• https://learn.microsoft.com/en-us/windows-hardware/drivers/devapps/print-support-app-association

Microsoft have abstracted the IPP operations in the PSA API too much so not able to do basic auth in a HTTP header using that API, so in the PrintSupportExtension, I suspect you'll need to talk directly to the IPP Everywhere print server and provide authentication before the Validate-Job operation, in effect using a side channel.

I also observed that the IPP requesting-user-name is often not correct, initially it correctly provides a DOMAIN\username account, but after a reboot it annoyingly switches to using a DOMAIN\computername$ account, but with no rhyme or reason it occasionally switches back to DOMAIN\username.

I didn't like the idea of writing custom PSA code and installing that on a clients' BYOD Windows laptops, so side-stepped the issue by writing custom authorization code in CUPS which queries a VPN API for the authorized user on the corresponding IP address.