6

We have a network-wide CUPS server that offers authenticated printer access to all our campus users. We've been pretty disappointed with the way Mac clients handle bad printing authentication, though.

In any other authentication dialog, when a user types in a bad username or password, the window shakes briefly, allowing the user to re-enter. With printers, this isn't the case. It'll happily accept (and even save to the keychain, if specified) bad credentials. The authentication dialog is dismissed, and the user then has to deal with the print jobs showing up as "On hold (authentication required)". To get their job printed, they need to select it in the printer's queue, click "Resume", then re-enter appropriate credentials.

Is there a way to get failed printing authentication to work more intuitively for Mac OS X clients?

We're trying to support a BYOD environment, but our end users have been really confused by this. It's made even worse by the way it pre-populates the user's full login name (e.g. "Smith, John"), which tends to make them think to use their local machine passwords.

Moduspwnens
  • 747
  • 1
  • 7
  • 17
  • What about server-side? Can you check/alert on authentication errors? – gravyface Sep 05 '12 at 01:48
  • Unfortunately with BYOD, I find that unless the device is only going to use known working, public knowledge/layman's resources (like adding a mail account to an iPad, and even that requires IT intervention 7/10 times), you really have no hope to manage it without getting your hands dirty. – gravyface Sep 05 '12 at 02:12
  • @gravyface Server-side, we see repeated failed authentication attempts (about once each second) from any machine sitting in the limbo of "bad credentials accepted" and "On hold (authentication required)". From the logs, I can see their IP address, but that's about it. I understand we can't expect everything to work cleanly and intuitively with BYOD, but in this case it really seems like if authentication failure worked like it does in other areas of OS X (prompts user again), that'd be acceptable. – Moduspwnens Sep 05 '12 at 03:17

1 Answers1

2

I don't know of a way to get the Mac to behave/respond differently natively, but you may have better luck writing a printer setup script that uses lpadmin where you can specify the printer/printer path as well as credentials. You could attempt to authenticate with lpadmin (and -o auth-info-required=username,password); not sure if there's any feedback to stdout when that commands executed though, and it also has to be run with sudo.

You can disable the pre-population (in OS X 10.5+ I believe) with:

defaults write /Library/Preferences/com.apple.NetworkAuthorization UseShortName -bool YES

defaults write /Library/Preferences/com.apple.NetworkAuthorization UseDefaultName -bool NO

This alone may reduce the number of incorrect authentication attempts along with clear documentation on what credentials to use (I usually phrase it like, "use the same network username and password you use on your Windows computer at the office").

gravyface
  • 13,947
  • 16
  • 65
  • 100
  • When adding printers through our print server on a fresh Mac, the "auth-info-required" part is already configured. Users are immediately prompted for authentication when they print, it just isn't intuitive when they use their local credentials and the authentication fails. – Moduspwnens Sep 05 '12 at 03:05
  • That defaults command helps, but again, our primary problem is that it's confusing to users who bring their own device, and we're moving away from the idea of having to touch/image/configure the machines being issued to students anyway. I think if the authentication box would just "shake" and let them re-enter credentials, that'd be acceptable. As of right now, though, it accepts the credentials and then leads to a help desk call. – Moduspwnens Sep 05 '12 at 03:10