“As a developer or integrator of a public kiosk access solution, is there a way for my app to integrate with PaperCut so users need not enter their credentials to be able to print?”
Can you integrate the PaperCut Client with a Public Kiosk solution?
Many libraries, schools, and other organizations have solutions to manage access to shared computers or public kiosks (using software like MyPC, which we’re proud to say was developed by one of our partners, ITS).
PaperCut can integrate with these solutions so that users need only to log in once to get access to the full suite of PaperCut features, as we describe in this blog post.
Without PaperCut, if a user (for example
melvil.dewey) signs into a kiosk using their library card number and then prints a document, most print management solutions would incorrectly assign the print job to the account signed into the workstation OS, (for example
lab-guest05). Not ideal.
One solution is to run the PaperCut User Client on the workstation with the guest account configured in PaperCut for Unauthenticated Printing (aka Pop-Up Authentication). When a user hits ‘print’, they’ll see an authentication prompt from the PaperCut Client which will confirm their identity. This solution works great for most organizations, however users have to authenticate twice (first when logging into the kiosk, and then again when they print by entering their credentials through the pop up PaperCut Client) which is not ideal.
Thankfully, there is another solution which makes life even easier for users. If the user is identified on the kiosk, it’s possible for the computer access solution to pass the user’s identity to the PaperCut client using a feature we call PaperCut Client Pre-authentication.
How to setup PaperCut Client Pre-authentication
To get this working there are a few prerequisites…
- The workstation must be administered by your organization.
- The admin must be able to setup login scripts that run as a privileged user, and copy files to a location that only a privileged user can access.
- You’ll need to have a solid understanding of your workstation login process or Desktop manager (e.g. GDM scripts) to leverage this configuration.
- Log onto the server running PaperCut and browse to the Shared Secret file, found at
[app-path]/server/data/pc-shared-secret.dat. (On a 64-bit Windows server running PaperCut MF, this path would be
C:\Program Files\PaperCut MF\server\data\pc-shared-secret.dat.)
- Copy the shared-secret file from the server to a directory on the workstation. The permissions on this file should be set so that end users will not be able to access it.
- The kiosk must be configured so that when the user is identified by the computer access software, the PaperCut client will launch automatically as a user with sufficient permissions to access the shared-secret file. The “—pre-authenticate” parameter and path to the shared-secret file should be specified as shown in the example below. The client will start and then exit immediately after contacting the PaperCut server.
- Linux Terminal:
pc-client-linux.sh –-pre-authenticate –-user $username –-shared-secret-file ”/path/to/secure/shared-secret”
- Windows PowerShell:
”C:\Program Files\PaperCut MF\client\win\pc-client.exe” –-pre-authenticate –-user $UserName –-shared-secret-file ”C:\path\to\secure\shared-secret”
- Then launch the PaperCut Client again, this time with the same privileges as the current workstation user, and with the following options:
- Linux Terminal:
pc-client-linux.sh –-use-pre-authentication –-user $username
- Windows PowerShell:
”C:\Program Files\PaperCut MF\client\win\pc-client.exe” –-use-pre-authentication –-user $UserName
- In the PaperCut admin interface enable “Unauthenticated Printing” for the guest user account or the printer. Once this is done, the jobs should be correctly tracked as the identified user without any need for pop up authentication.