TITLE
    AppleShare IP 6.0: Print Server Security
Article ID: 24582
Created: 8/24/98
Modified: 6/13/00

TOPIC

    This article provides detailed information about how AppleShare IP 6.0 Print Server security works.


DISCUSSION

    How ASIP Print Server Provides Security

    The security implementation in ASIP 6.0 is a 'casual' security measure. It simply checks authorization to print to the print queue.

    The security feature of ASIP Print Server WILL:

    • match the user name in the print job with the list of authorized print users.
    • check AppleTalk printing and LPR printing.
    • use the Web & File Server Users and Groups database.


    It will NOT:
    • encrypt data
    • check against the computer's name
    • check against the computer's hardware address, AppleTalk address, or IP address
    • affect behavior (i.e., you cannot change priority or switch queues based on user name)

    How it works

    When you print using a PostScript driver such as the LaserWriter 8 driver, a PostScript print job is created. The beginning of each print job contains certain information about the print job. These comments are defined by Adobe as part of the Document Structuring Convention (DSC) for the PostScript language. Here is an example of the beginning of a LaserWriter 8.5.1 print job:

    %!PS-Adobe-3.0
    %%Title: (security.htm)
    %%Creator: (Claris Home Page 3.0: LaserWriter 8 8.5.1)
    %%CreationDate: (2:32 PM Thursday, May 28, 1998)
    %%For: (Raines, Claude)
    %%Pages: 1
    %%DocumentFonts: Times-Bold Times-Roman
    %%DocumentNeededFonts: Times-Bold Times-Roman
    %%DocumentSuppliedFonts:
    %%DocumentData: Clean7Bit
    %%PageOrder: Special
    %%Orientation: Portrait
    %%DocumentMedia: Default 612 793 0 () ()
    %ADO_ImageableArea: 8 11 603 782
    %%EndComments

    When security is enabled, the print server looks at the print data for the first instance of "%%For:" (there may be more than one in the print job). The LaserWriter 8 driver fills in the "%%For:" comment with the Owner Name in the File Sharing control panel. Other operating systems usually use a login name.

    The Print Server reads the name after the "%%For:" and tries to match it in the authorized list of users for that print queue. If there is a match, the job may continue. If there is not a match, the print request will be refused.

    Since the security checking is done by looking at the PostScript data itself, this security method works the same way for both AppleTalk and LPR printing.
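
    The check described above, modeled in Python as an added example (not Apple's code): it extracts the name from the first "%%For:" comment in a job and compares it with an authorized list. The function names, the exact-match comparison, and the sample jobs are assumptions constructed for illustration; the first sample mirrors the LaserWriter 8 header shown in this article.

```python
import re

# A DSC "%%For:" comment at the start of a line.
FOR_RE = re.compile(rb"^%%For:[ \t]*(.*?)[ \t]*$", re.MULTILINE)

def first_for_name(job: bytes):
    """Return the name from the first %%For: comment, or None if absent."""
    # Line endings may be CR, CRLF or LF depending on the generating system.
    text = job.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    m = FOR_RE.search(text)
    if m is None:
        return None
    name = m.group(1).decode("latin-1")
    # LaserWriter 8 wraps the value in parentheses; strip one pair.
    if name.startswith("(") and name.endswith(")"):
        name = name[1:-1]
    return name

def check_job(job: bytes, authorized):
    """Model the queue decision (exact string match is an assumption)."""
    name = first_for_name(job)
    if name is None:
        return ("refused", "no %%For: comment in job")
    if name in authorized:
        return ("accepted", name)
    return ("refused", "%r is not an authorized print user" % name)

# Constructed sample data, not captured from a real server.
AUTHORIZED = {"Raines, Claude"}
LW8_JOB = (b"%!PS-Adobe-3.0\r%%Title: (security.htm)\r"
           b"%%For: (Raines, Claude)\r%%Pages: 1\r%%EndComments\r")
NO_FOR_JOB = (b"%!PS-Adobe-3.0\r\n%%Title: (report.doc)\r\n"
              b"%%Pages: 1\r\n%%EndComments\r\n")
TWO_FOR_JOB = (b"%!PS-Adobe-3.0\n%%For: (Guest User)\n%%EndComments\n"
               b"%%BeginDocument: inner.ps\n%%For: (Raines, Claude)\n")

if __name__ == "__main__":
    for label, job in [("LaserWriter 8", LW8_JOB),
                       ("no %%For:", NO_FOR_JOB),
                       ("two %%For:", TWO_FOR_JOB)]:
        print(label, "->", check_job(job, AUTHORIZED))
```

    Running first_for_name over a print-to-file capture performs the same check as the Identification step under Known Issues.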

    Known Issues

    Security doesn't work when printing from Windows NT.

    Security may not work with some PostScript printer drivers or operating systems.

    The Windows NT PostScript driver does not include the "%%For:" DSC comment. Since the print job doesn't include a name for the security mechanism to match against the list of authorized users, the Print Server refuses the connection. A security violation will appear in the Print Server log.

    Any PostScript printer driver/operating system that does not include the "%%For:" DSC comment will have this issue. The error message may vary from OS to OS.

    Identification: Print to file. Open the file in a text editor. Look for a line that starts with "%%For:".

    Solution:

    Turn off security or find a driver that includes the "%%For:" DSC comment.

    Security follows the data, not the user.

    The name in the "%%For:" comment is determined at the time the PostScript data is generated, not at the time the PostScript data is sent to the printer.

    Scenario: Person #1 prints to a file and hands the file to person #2. Person #2 sends the job to a secured ASIP print queue. ASIP will check security against person #1, not against person #2, because the PostScript file has person #1's name.

    Solution:

    Turn off security or open the file in a text editor and change the name.

    The Apple Printer Utility does not work with security activated.

    The Apple Printer Utility does not follow the DSC standard. The connection is refused as soon as you try to open the print queue in APU.

    Solution:

    The main reason to use APU on a print queue is to download a PostScript file. In LaserWriter 8.5.1, you can now drop PostScript files on the desktop printer icon.


Document Information
Product Area: Apple Software; Communications-Networking
Category: AppleShare
Sub Category: AppleShare for Mac OS

Copyright © 2000 Apple Computer, Inc. All rights reserved.