Considerations When Using Popup Authentication


Main.PopupAuthenticationConsiderations History


July 27, 2016, at 06:09 PM by timg - Updated TTL Link
Changed line 36 from:
* Consider the authentication session time (TTL - Time To Live) options offered to your users. This is detailed further in the [[https://www.papercut.com/products/ng/manual/ch-printer-mgmt-popup-auth.html#table-user-client-popup-auth-config-keys|Popup Authentication configuration page of the manual]]. TTL settings are a trade-off; the shorter the time, the smaller the window of mismatch, but the greater the inconvenience to the user. There is no one-size-fits-all answer, this must be taken on a site-by-site basis.
to:
* Consider the authentication session time (TTL - Time To Live) options offered to your users. This is detailed further in the [[https://www.papercut.com/products/ng/manual/applicationserver/topics/printer-popup-auth.html#printer-popup-advanced-configuration|Popup Authentication configuration page of the manual]]. TTL settings are a trade-off; the shorter the time, the smaller the window of mismatch, but the greater the inconvenience to the user. There is no one-size-fits-all answer, this must be taken on a site-by-site basis.
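Review bot: the comma splice in the final sentence survives the link update; "There is no one-size-fits-all answer, this must be taken on a site-by-site basis" should be split into two sentences or joined with a semicolon. While touching this bullet, note that the earlier draft's advice "Smallest practical timeout is best (0)" has no equivalent in the current text; restoring it (the smallest practical TTL keeps the mismatch window smallest) would give the reader a concrete starting point instead of only the trade-off.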
Changed lines 46-48 from:
In 2012 one major university user of PaperCut in the USA was using Popup Authentication to support authentication on print jobs issued via the LPR protocol (for Unix desktop systems).  This setup had been in place successfully for 5 years with no reported problems.  The site's networking team (independent of the server team responsible for PaperCut's management) decided to make a few network infrastructure changes and turned NAT on some subnets.  The `NATing caused a subtly set of authentication issues that took a number of days to detect and diagnose.  During this time some jobs were wrongly authenticated.

to:
In 2012 one major university user of PaperCut in the USA was using Popup Authentication to support authentication on print jobs issued via the LPR protocol (for Unix desktop systems).  This setup had been in place successfully for 5 years with no reported problems.  The site's networking team (independent of the server team responsible for PaperCut's management) decided to make a few network infrastructure changes and enabled NAT for some subnets.  The `NATing caused a subtle set of authentication issues that took a number of days to detect and diagnose.  During this time some jobs were incorrectly attributed.

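Review bot: "incorrectly attributed" is the right correction, since the failure described is jobs being charged to the wrong user rather than authentication failing outright, but the paragraph still never says why NAT caused it. One sentence would make the lesson actionable: once several workstations share a NAT address, the server's IP-to-user association matches whichever user last authenticated from that address, which is why the "Do not use any form of NAT between the clients and print server" guidance is a hard requirement rather than a preference. The backtick before NATing appears to be PmWiki's WikiWord-link suppressor (it was added on purpose in the previous revision); confirm it renders as intended.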
Changed lines 46-47 from:
In 2012 one major university user of PaperCut in the USA was using Popup Authentication to support authentication on print jobs issued via the LPR protocol (for Unix desktop systems).  This setup had been in place successfully for 5 years with no reported problems.  The site's networking team (independent of the server team responsible for PaperCut's management) decided to make a few network infrastructure changes and turned NAT on some subnets.  The NATing caused a subtly set of authentication issues that took a number of days to detect and diagnose.  During this time some jobs were wrongly authenticated.
to:
In 2012 one major university user of PaperCut in the USA was using Popup Authentication to support authentication on print jobs issued via the LPR protocol (for Unix desktop systems).  This setup had been in place successfully for 5 years with no reported problems.  The site's networking team (independent of the server team responsible for PaperCut's management) decided to make a few network infrastructure changes and turned NAT on some subnets.  The `NATing caused a subtly set of authentication issues that took a number of days to detect and diagnose.  During this time some jobs were wrongly authenticated.

Added lines 43-47:

Q: Can you give me a real-life an example of the practical difficulties associated with Popup Authentication?

In 2012 one major university user of PaperCut in the USA was using Popup Authentication to support authentication on print jobs issued via the LPR protocol (for Unix desktop systems).  This setup had been in place successfully for 5 years with no reported problems.  The site's networking team (independent of the server team responsible for PaperCut's management) decided to make a few network infrastructure changes and turned NAT on some subnets.  The NATing caused a subtly set of authentication issues that took a number of days to detect and diagnose.  During this time some jobs were wrongly authenticated.

Changed lines 3-4 from:
This article relates to Popup Authentication as outlined in the manual [[https://www.papercut.com/products/ng/manual/ch-printer-mgmt-popup-auth.html|here]].
to:
''This article relates to Popup Authentication as outlined in the manual [[https://www.papercut.com/products/ng/manual/ch-printer-mgmt-popup-auth.html|here]].''
Changed line 17 from:
# The user initiates a print job to a server-hosted, PaperCut-managed queue via unauthenticated print protocol.
to:
# The user initiates a print job to a server-hosted, PaperCut-managed, queue (printer) via unauthenticated print protocol.
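Review bot: the newly inserted comma makes "PaperCut-managed, queue (printer)" read as a list item; drop it and add the missing article: "a server-hosted, PaperCut-managed queue (printer) via an unauthenticated print protocol".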
Changed lines 7-8 from:
Popup Authentication is a feature in PaperCut which may be used when protocol-level authentication is not available for user print jobs. Typically Popup Authentication is not used as the primary authentication mechanism but is used to support secondary printing services such as desktops that logon under a generic username (i.e. general access `PCs in a library) or Mac systems where setting up an authenticated protocol may be beyond available system administration resources.  Popup Authentication uses IP-address matching, which is explained in more detail below.
to:
Popup Authentication is a feature in PaperCut which may be used when Protocol-Level Authentication is not available for user print jobs. Typically Popup Authentication is not used as the primary authentication mechanism but is used to support secondary printing services such as desktops that logon under a generic username (i.e. general access `PCs in a library) or Mac systems where setting up an authenticated protocol may be beyond available system administration resources.  Popup Authentication uses IP-address matching, which is explained in more detail below.
Changed lines 11-12 from:
The standard Windows print system is an example of printing using Protocol-level Authentication. Before a user is able to print, they must be authenticated into the environment (generally a Active Directory domain). Any jobs submitted to the print queue is encapsulated within this authentication as part of the transmission protocol. Due to this, the username with the print event can be trusted for the purposes of accounting and security.
to:
The standard Windows print system is an example of printing using Protocol-Level Authentication. Before a user is able to print, they must be authenticated into the environment (generally a Active Directory domain). Any jobs submitted to the print queue is encapsulated within this authentication as part of the transmission protocol. Due to this, the username with the print event can be trusted for the purposes of accounting and security.
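Review bot: two grammar errors carry over unchanged from the "from" text: "a Active Directory domain" should be "an Active Directory domain", and "Any jobs submitted to the print queue is encapsulated" should be "are encapsulated". Worth fixing here because this paragraph is the baseline the rest of the article measures Popup Authentication against.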
Changed lines 22-23 from:
# Depending on configuration, the server may remember the associated between the IP address and the authenticated user for a period of time.
to:
# Depending on configuration, the server may remember the association between the IP address and the authenticated user for a period of time.
Changed lines 26-27 from:
As a general rule, Popup Authentication should only be used in low-volume, low-complexity scenarios when Protocol-Level Authentication has been a ruled out. By its design, Protocol-Level Authentication is always the most secure and hence this is the reason why it is used in Windows and authenticated protocols such as HTTP, SSH or Novell's iPrint protocol.
to:
As a general rule, Popup Authentication should only be used in low-volume, low-complexity scenarios when Protocol-Level Authentication has been ruled out. By its design, Protocol-Level Authentication is always the most secure and hence this is the reason why it is used in Windows and authenticated protocols such as HTTP, SSH or Novell's iPrint protocol.
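Review bot: listing HTTP among "authenticated protocols" is imprecise; HTTP on its own does not authenticate the submitter, so either name the authenticated form of HTTP-based printing that is meant or drop HTTP from the list and keep SSH and iPrint. The "always the most secure" rule of thumb is fine, but it reads better with its justification attached: the user identity travels inside the transport, so the server never has to infer it from a network address.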
Changed line 36 from:
* Consider the authentication session time (TTL) options offered to your users. This is detailed further in the [[https://www.papercut.com/products/ng/manual/ch-printer-mgmt-popup-auth.html#table-user-client-popup-auth-config-keys|Popup Authentication configuration page of the manual]]. TTL settings are a trade-off; the shorter the time, the smaller the window of mismatch, but the greater the inconvenience to the user. There is no one-size-fits-all answer, this must be taken on a site-by-site basis.
to:
* Consider the authentication session time (TTL - Time To Live) options offered to your users. This is detailed further in the [[https://www.papercut.com/products/ng/manual/ch-printer-mgmt-popup-auth.html#table-user-client-popup-auth-config-keys|Popup Authentication configuration page of the manual]]. TTL settings are a trade-off; the shorter the time, the smaller the window of mismatch, but the greater the inconvenience to the user. There is no one-size-fits-all answer, this must be taken on a site-by-site basis.
Changed line 40 from:
* Always reconsider your choice of Popup Authentication. Protocol-Level Authentication may become viable with change in technology, infrastructure or internal procedure changes.
to:
* Always reconsider your choice of Popup Authentication. Protocol-Level Authentication may become viable with changes in technology, infrastructure or internal procedure.
Changed lines 7-8 from:
Popup Authentication is a feature in PaperCut which may be used when protocol-level authentication is not available for user print jobs. Typically Popup Authentication is not used as the primary authentication mechanism but is used to support secondary printing services such as desktops that logon under a generic username (i.e. general access PCs in a library) or Mac systems where setting up an authenticated protocol may be beyond available system administration resources.  Popup Authentication uses IP-address matching, which is explained in more detail below.
to:
Popup Authentication is a feature in PaperCut which may be used when protocol-level authentication is not available for user print jobs. Typically Popup Authentication is not used as the primary authentication mechanism but is used to support secondary printing services such as desktops that logon under a generic username (i.e. general access `PCs in a library) or Mac systems where setting up an authenticated protocol may be beyond available system administration resources.  Popup Authentication uses IP-address matching, which is explained in more detail below.
Changed lines 32-40 from:
IP addresses changing
NAT
Configuration of appropriate TTL
Smallest practical timeout is best (0)
Resolution of hostnames (both directions)


TODO link your page here: https
://www.papercut.com/kb/Main/Miscellaneous
to:
The following is a general guide to factors your System, Network and Security team should consider when implementing Popup Authentication:

* IP address changes should be minimized
. If you are using DHCP, consider the lease time as well as the re-use rate of IP address and DNS scavenging timeouts.
* Do not use any form of NAT between the clients and print server. NAT will obscure the IP address seen by the server.
* Consider the authentication session time (TTL) options offered to your users. This is detailed further in the [[https:
//www.papercut.com/products/ng/manual/ch-printer-mgmt-popup-auth.html#table-user-client-popup-auth-config-keys|Popup Authentication configuration page of the manual]]. TTL settings are a trade-off; the shorter the time, the smaller the window of mismatch, but the greater the inconvenience to the user. There is no one-size-fits-all answer, this must be taken on a site-by-site basis.
* Ensure that hostnames can be resolved to IP addresses, both from the client and server. In some situations, hostnames may be reported instead of IP addresses, and resolution results are key to correct behaviour.
* Any machine relying on Popup Authentication must have the PaperCut client running at all times for printing from that workstation to function.
* Awareness of IP address spoofing. Large sites will often actively monitor this and/or endeavour to prevent it, as IP address spoofing is something that affects network application security in general.
* Always reconsider your choice of Popup Authentication. Protocol-Level Authentication may become viable with change in technology, infrastructure or internal procedure changes.
* Popup Authentication is not a viable solution for simultaneous multi-user systems such as Terminal Server or Citrix, as multiple users will be reported from a single IP address.

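Review bot: the rewrite changes the meaning of one item. The draft said hostname resolution "(both directions)", i.e. forward and reverse lookup, while the new bullet says "both from the client and server", which is where the lookup is performed. If reverse (IP-to-hostname) resolution matters, as "hostnames may be reported instead of IP addresses" suggests, say so explicitly. Also, the IP-spoofing bullet states the risk without tying it to the mechanism: because a session is bound to a source IP for the TTL period, a spoofed or reused address during that window inherits the authenticated user, which is the same "window of mismatch" the TTL bullet describes. Cross-referencing the spoofing, DHCP-reuse and TTL bullets would make the list more useful to the Security team.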
Changed line 44 from:
''Categories:'' [[Category.TODOFirstCategory|+]], [[Category.TODOSecondCategoryIfNeeded|+]]
to:
''Categories:'' [[Category.Security|+]], [[Category.UserClientTool|+]]
Changed line 46 from:
[-Keywords: TODO keywords here if needed-]
to:
[-Keywords: client authentication, popups, allow match on ip only-]
Changed line 17 from:
# User initiates a print job to a server-hosted, PaperCut-managed queue via unauthenticated print protocol.
to:
# The user initiates a print job to a server-hosted, PaperCut-managed queue via unauthenticated print protocol.
Changed lines 19-27 from:
# PaperCut uses the job's source IP address to determine the client it should contact.


Take source IP address
Find client session with that Ip address
Request credentials
Validate credentials against directory source
If valid, then user is authenticated from that IP
address
to:
# PaperCut uses the job's source IP address to determine the PaperCut popup client it should contact for authentication.
# The user is prompted to enter their username and password, which are then verified against PaperCut's configured directory source. If the credentials are correct, the user is considered authenticated at that client.
# The print job is attributed to the authenticated user.
# Depending on configuration, the server may remember the associated between the IP
address and the authenticated user for a period of time.

Q: When should Popup Authentication be used?

As a general rule, Popup Authentication should only be used in low-volume, low-complexity scenarios when Protocol-Level Authentication has been a ruled out. By its design, Protocol-Level Authentication is always the most secure and hence this is the reason why it is used in Windows and authenticated protocols such as HTTP, SSH or Novell's iPrint protocol.

A good example of a situation where Protocol-Level Authentication is not ideal would be a public-access PC in a library set to auto-logon as the insecure, generic account "public". In this case the Protocol-Level Authentication is passing through the insecure user of "public". PaperCut's client software and IP address authentication can overlay these insecure user credentials and request authentication from the user at the time of print via a popup.

Q: What do I need to know when implementing Popup Authentication?

IP addresses changing
NAT
Configuration of appropriate TTL
Smallest practical timeout is best (0)
Resolution of hostnames (both directions)

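Review bot: the final workflow step ("the server may remember the associated between the IP address and the authenticated user") is the security-relevant one and deserves one more sentence: while that association is cached, jobs from the same IP are attributed to the cached user without a new prompt, which is the window the TTL guidance later refers to. The draft's "Find client session with that IP address" also implied a failure path that the numbered steps now omit; state what happens to a job whose source IP has no running popup client, since the considerations list only says printing "will not function" without the client. Finally, "associated" should read "association".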
Added lines 1-33:
(:title Considerations When Using Popup Authentication:)

This article relates to Popup Authentication as outlined in the manual [[https://www.papercut.com/products/ng/manual/ch-printer-mgmt-popup-auth.html|here]].

Q: What is Popup Authentication?

Popup Authentication is a feature in PaperCut which may be used when protocol-level authentication is not available for user print jobs. Typically Popup Authentication is not used as the primary authentication mechanism but is used to support secondary printing services such as desktops that logon under a generic username (i.e. general access PCs in a library) or Mac systems where setting up an authenticated protocol may be beyond available system administration resources.  Popup Authentication uses IP-address matching, which is explained in more detail below.

Q: What is Protocol-Level Authentication?

The standard Windows print system is an example of printing using Protocol-level Authentication. Before a user is able to print, they must be authenticated into the environment (generally a Active Directory domain). Any jobs submitted to the print queue is encapsulated within this authentication as part of the transmission protocol. Due to this, the username with the print event can be trusted for the purposes of accounting and security.

Q: How does Popup Authentication work?

Popup Authentication matches the source IP address of the print job with the user confirmed to be operating from the popup client IP address. The workflow is as follows:

# User initiates a print job to a server-hosted, PaperCut-managed queue via unauthenticated print protocol.
# The print job arrives in the print queue and because of the unauthenticated protocol, the username cannot be trusted.
# PaperCut uses the job's source IP address to determine the client it should contact.


Take source IP address
Find client session with that Ip address
Request credentials
Validate credentials against directory source
If valid, then user is authenticated from that IP address

TODO link your page here: https://www.papercut.com/kb/Main/Miscellaneous

----
''Categories:'' [[Category.TODOFirstCategory|+]], [[Category.TODOSecondCategoryIfNeeded|+]]
----
[-Keywords: TODO keywords here if needed-]


Article last modified on July 27, 2016, at 06:09 PM