Desktop and laptop workstations running Windows or Mac OS can install a traditional iPrint client to print to printers managed by iPrint Appliance, as well as those managed by traditional Novell Open Enterprise Server (OES) iPrint servers.
Printers managed by iPrint Appliance, as well as those managed by traditional OES print servers, can be configured as “Public” or “Secure.” When a traditional iPrint client attempts to send a print job to a “secure” printer, iPrint Appliance (or OES iPrint server) requires the traditional iPrint client to authenticate. This authentication is performed either through a single sign-on experience or manually.
Manual Authentication: Manual authentication is invoked when the single sign-on experience fails. When manual authentication is required, the iPrint client presents a login dialog where users can supply their iPrint credentials (user name and password).
Single Sign-on Experience: The iPrint authentication single sign-on experience is associated with a base client OS authentication into an authentication realm, such as when a Windows client logs in to an Active Directory domain. When the login is successful, Windows passes three data fields (associated with the successful login) to the iPrint client running on the workstation: the authentication realm, the user name, and the password. The iPrint client caches this information in anticipation of using it to facilitate a single sign-on experience when authenticating with iPrint servers (including the OES iPrint server and iPrint Appliance).
When a traditional iPrint client attempts to send a print job to a secure iPrint managed printer, the iPrint server (including the OES iPrint server and iPrint Appliance) sends an authentication challenge back to the iPrint client. This challenge request includes a string that specifies an authentication realm. If the authentication challenge indicates an iPrint authentication realm that matches the realm cached by the iPrint client, the associated (cached) user name and password are used to respond to the iPrint server's authentication challenge.
If the appliance-specified authentication realm does not match the authentication realm cached by the iPrint client, or if the associated user name and password fail the authentication challenge, then the iPrint client reverts to manual authentication.
The iPrint Appliance administrator can set the iPrint authentication realm (string) of the appliance. This authentication realm is sent to traditional iPrint client workstations with authentication challenges.
The iPrint authentication realm field is a string of characters. Traditionally, it is composed of uppercase letters, numbers, underscore, and dash characters. When setting this value on iPrint Appliance, consider the following:
Mobile clients that implement printing with AirPrint, IPP printing (via the mobile client), or email-based printing do not require association with an iPrint authentication realm. If the iPrint Appliance only services mobile clients, the value specified for the iPrint authentication realm is irrelevant. In this case, we suggest that the iPrint authentication realm value be set to a short string that is unique to the installation instance, such as a company name, followed by a unique internal instance identifier. For example:
MYCOMPANY_IPRINT_VA_001
For traditional Windows Active Directory or iPrint clients to take advantage of the single sign-on experience, the following conditions must be met:
Clients must be associated with a specific Active Directory realm.
The client’s Active Directory credentials (realm, user name, and password) must match their iPrint Appliance credentials.
The client must have the iPrint Appliance address set as the primary PSM address, using the command iprntcmd -S <iPrintAppliance IP Address>.
In order to support traditional Windows Active Directory (fixed) iPrint clients, the iPrint Appliance administrator should set the iPrint authentication realm field to match the Active Directory realm.
The realm string used by workstations that authenticate using the (OES) Novell Client is the associated eDirectory tree name.
In situations where Novell OES iPrint products have been implemented before installing an iPrint Appliance, an iPrint authentication realm might have already been established for legacy iPrint clients. The iPrint Appliance administrator can use the previously established iPrint authentication realm, and also the same user names and passwords for iPrint Appliance. When configured clients migrate between iPrint environments, the single sign-on experience continues (uninterrupted) in both the OES iPrint environment, and in the iPrint Appliance environment.
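The realm check in the challenge handling and the realm string convention described above can be modeled as follows. This is an added example, not iPrint client code: the function names, the realm "CORP", the account data, the exact-match comparison, and the handling of a client with no cached login are assumptions made for illustration.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Traditional realm alphabet from the text: uppercase letters, digits, "_" and "-".
REALM_RE = re.compile(r"[A-Z0-9_-]+")


def is_traditional_realm(realm: str) -> bool:
    return REALM_RE.fullmatch(realm) is not None


@dataclass(frozen=True)
class CachedLogin:
    """The three fields the OS login hands to the iPrint client."""
    realm: str
    user: str
    password: str


def answer_challenge(challenge_realm: str, cached: Optional[CachedLogin],
                     verify: Callable[[str, str], bool]) -> Tuple[str, str]:
    """Return (method, reason) for one challenge from a secure printer."""
    if cached is None:  # assumption: nothing cached means no single sign-on
        return ("manual", "no cached login")
    if cached.realm != challenge_realm:  # assumption: exact string comparison
        return ("manual", "realm mismatch")
    if not verify(cached.user, cached.password):
        return ("manual", "cached credentials rejected")
    return ("sso", "realm and credentials match")


# Constructed appliance account store, for the demonstration only.
APPLIANCE_USERS = {"alice": "constructed-pw-1"}


def appliance_verify(user: str, password: str) -> bool:
    expected = APPLIANCE_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


if __name__ == "__main__":
    desktop = CachedLogin("CORP", "alice", "constructed-pw-1")  # constructed
    for realm in ("CORP", "MYCOMPANY_IPRINT_VA_001"):
        print(realm, is_traditional_realm(realm),
              answer_challenge(realm, desktop, appliance_verify))
```

Running it shows that an appliance left on an instance-style realm such as MYCOMPANY_IPRINT_VA_001 sends every desktop client with a cached "CORP" login to the manual login dialog, even though the account itself is valid.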