Available in PaperCut NG and PaperCut MF.

About authentication and printing

What is authentication?

Authentication in a printing environment is the act of confirming the digital identity of the person who issued a print job. Knowledge of the user's identity allows PaperCut NG/MF to offer the user access to functions such as allocating the cost of a job to their account, or offering them access to shared accounts. In a Windows domain environment, authentication is handled at the point of login using a username and password. A web-of-trust is then established between servers and services.

Why does authentication pose a problem?

By default PaperCut NG/MF assumes the printer queues are authenticated and trusts the username that is associated with the print job. It is this user is charged for for the printing. On fully authenticated networks (like 100% Windows Active Directory networks), PaperCut NG/MF can trust the username associated with the job. There are a few common scenarios where authentication is not as simple:

  1. Generic, common, or shared user accounts. (e.g. generic "student" login).

  2. Systems that auto-login as a set user.

  3. Unauthenticated print queues or print protocols (e.g. LPRThe Line Printer Remote protocol (LPR) is a network protocol for submitting print jobs to a remote printer. A server for the LPD/LPR protocol listens for requests on TCP port 515. A request begins with a byte containing the request code, followed by the arguments to the request, and is terminated by an ASCII LF character. An LPD printer is identified by the IP address of the server machine and the queue name on that machine. Many different queue names may exist in one LPD server, with each queue having unique settings. The LPR software is installed on the client device.).

  4. Users' personal laptops that are not authenticated on the network.

Generic or shared login accounts are seen in some computer lab and network environments. In these environments administrators ask users to log in to selected systems using standard user names such as "student" or "user". This practice is particularly common on the Apple Mac operating system as a single login helps streamline system and application management. The use of the Window auto-login feature also poses a similar problem - authentication is not enforced at the time of system startup. An extra layer of authentication is required on these systems to correctly identify the person that performs printing.

Unauthenticated print queues also pose problems in cross platform environments. In an ideal world, all computers would talk the same protocols and happily work together in a single centrally authenticated environment. You can come close to this goal in a 100% Microsoft Windows environment, however, if you mix in Unix, Linux and Mac, it's a different story. Although initiatives such as CUPSCommon User Printing System (CUPS) is a printing system for Unix operating systems that allows a computer to act as a print server. A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer. (Common Unix Printing System) and the Internet Printing Protocol (IPPThe Internet Printing Protocol (IPP) is an Internet protocol for communication between a print server and its clients. It allows clients to send one or more print jobs to the server and perform administration such as querying the status of a printer, obtaining the status of print jobs, or cancelling individual print jobs. IPP can run locally or over the Internet. Unlike other printing protocols, IPP also supports access control, authentication, and encryption, making it a much more capable and secure printing mechanism than older ones.) offer some hope, unification in the area of authenticated printing is still some way off. Unfortunately technical reasons often prevent networks from using CUPS authentication or exclusively using the authenticated Microsoft printing protocol.

The use of personal laptops or other unauthenticated workstations in an otherwise authenticated network is another cause of problems. These machines might not be able to authenticate to your network for a number of reasons:

  • The operating system does not support authentication (like Windows Home editions).

  • It is too complex to configure authentication on personal laptops.

  • Users log in to their laptop with their personnally chosen username and password.

  • You cannot force users to change the configuration of their personal laptops.

How does PaperCut NG/MF address authentication?

If technical reasons prevent authentication at the print queueA print queue displays information about documents that are waiting to be printed, such as the printing status, document owner, and number of pages to print. You can use the print queue to view, pause, resume, restart, and cancel print jobs. level, PaperCut NG/MF provides a number of alternate authentication options. These options change PaperCut NG/MF's default behavior of trusting the username associated with a print jobs, and instead the user is required to re-authenticate before the job is printed. The two alternate authentication options are described below.

Popup authentication (IP session based authentication)

This method involves associating the workstation's IP address with a user for a specified period of time - a session. Any print jobs arriving from this IP address are deemed to be associated with this user. Authentication is provided by the PaperCut NG/MF client software in the form of a popup dialog requesting a username and password. Data is transmitted to the server via an SSLSecure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. To be able to create an SSL connection a web server requires an SSL certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key. encrypted connection. To print with popup authenticationPopup authentication involves matching the source IP address of the print job with the user confirmed to be operating from the popup client IP address. Authentication is provided by the PaperCut NG client software in the form of a popup dialog requesting a username and password. To print with popup authentication the client software must be running on the workstations or laptops. the client software must be running on the workstations or laptops.

Use popup authentication to:

  • Authenticate users who print from a generic login or auto-login account. This is done by flagging the generic account as unauthenticated in PaperCut NG/MF.

  • Authenticate users not authenticated to the network (e.g. personal laptop users). This is done by marking the print queues as unauthenticated in PaperCut NG/MF.

For more information, see Popup authentication.

Web Print

Web PrintWeb Print enables printing from user-owned devices without the need to install printer drivers and manage server authentication. is a service for printing documents that are uploaded via a web browser. This provides a simple way to enable printing for laptop, wireless, and anonymous users without installing print drivers.

With Web Print users are authenticated when they log in to the PaperCut NG/MF user web interface. Any documents they upload can then be tracked against their user name.

For more information, see Web Print (driver-less printing via a web browser).

Release Station authentication

Release Stations work by placing print jobs in a holding queue. Users must authenticate at a Release StationPrint Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity. before being given access to release their job. A Release Station normally takes the form of a dedicated terminal located next to the printer(s), however, the holding queue can also be accessed via a web browser. The act of a user releasing a job causes it to be charged to their account. You can use Release Stations without installing the client software on user's workstations.

The hold/release queues are enabled on a printer queue level within PaperCut NG/MF

For more information on setting up and using Release Stations, see Secure print release. To achieve authentication, the Release Station is run in "release any" mode.

Choosing the right authentication option for your network

The choice of the authentication approach depends on the constraints of your network and your requirements. Below are some points to consider when making this decision:

  • Popup authentication: Usually the most user-friendly option, but it requires the client software to be installed and running on all workstations that print. In some environments it is not possible to mandate that software be installed on personal laptops.

  • Release Station Authentication: Users do not need any additional software installed but the process of releasing a print job is more involved. You must install Standard Release Stations nearby all your printers, or make use of the User web interface Release Station. If you are already using hold/release queues, then it makes sense to also use them for authentication.

Handling partially authenticated networks

Many sites have a heterogenous network with a mix of both authenticated an unauthenticated printing. A common example, is a college where all lab computers are connected to the domain and users must log in to the workstations to print. The college also allows students to print using their personal laptops that are not authenticated on the network.

An administrator can enable PaperCut NG/MF authentication for all users. This is the simplest to set up but is inconvenient for users who are already fully authenticated. Why should an authenticated user have to re-authenticate with PaperCut NG/MF to print?

To overcome this it is recommended to set up two sets of print queues, one for the authenticated users and another for the unauthenticated users. These queues can point to the same physical printers, but are configured differently in both PaperCut NG/MF and the operating system. The authenticated print queues:

  • Must only be accessible to authenticated users (i.e. through network security or operating system permissions).

  • Should not have the authentication enabled within PaperCut NG/MF (i.e. do not enable the hold/release queue or unauthenticated printer options on the print queue).

  • Should not be published to unauthenticated users.

The unauthenticated print queues:

  • Must be configured to allow printing by unauthenticated users.

  • Must have the authentication enabled within PaperCut NG/MF. i.e. Enable the hold/release queue or flag the printer as unauthenticated.

  • Must be published to anonymous users so they know how to connect/user the printers.

If the decision as been made to split up printers into two separate queues (authenticated and unauthenticated), administrators can use tools such as IP address filtering, firewalls, or user/group access permissions to control who has access to which set of queues (i.e. deny "guest" account access on authenticated queues in Windows).

For a detailed explanation of setting up PaperCut NG/MF for unauthenticated laptop printing see Handling unauthenticated (non-domain) laptops

For discussion of many other authentication scenarios see The authentication cookbook - recipes by example