Enable Hybrid AD/AAD Environment on Universal Print

Applies To: Windows Server 2016

Background

This information is intended to help you decide whether enabling hybrid AD configuration is the right choice for your organization.

What is a hybrid AD configuration?

A hybrid AD configuration is a setup where the organization uses both AD as well as Azure AD. In such an environment, a user account exists in both of these directory services.

What does “Enable hybrid AD configuration” mean?

The Universal Print connector runs as a Windows service on the PC where it is installed. One of the connector's functions is to retrieve print jobs from Universal Print and send them to the target printer. The connector uses the "System" account to submit print jobs to the spooler. Therefore, although the Universal Print portal shows the Azure AD username of whoever submitted a print job, every print job printed through Universal Print shows up in the Windows printer queue on the connector as submitted by the user "System".

Some legacy print management applications that rely on Active Directory domains read the username from the spooler queue and use that information to perform some function (e.g. deduct the print job from a user's monthly printing quota). Until these applications are updated to work more seamlessly with Universal Print, they cannot obtain the identity of the user who originated a print job.

When the "Enable hybrid AD configuration" option is turned on in the Universal Print connector, the connector attempts to map the Azure AD user identity to a corresponding local AD domain user identity. If a matching identity is found, the connector service impersonates that user's domain identity before submitting the print job to the spooler on their behalf. In that case, the domain username of the user who originated the print job shows up in the spooler queue on the connector PC, allowing legacy applications to read it.

Pre-requisites

There are a number of subscriptions, services and computers you'll need to acquire before starting this installation. They are as follows:

Deployment steps

The steps below set up a typical Universal Print deployment with a hybrid AD/AAD environment enabled.

Step 1 - Install Azure AD Connect

  1. Azure AD Connect synchronizes your on-premises AD with Azure AD. On the Windows Server machine with Active Directory, download and install the Azure AD Connect software with express settings. See Getting started with Azure AD Connect using express settings.

Step 2 - Install Application Proxy

Note: Skip this step if the print server is already Azure AD joined.

Application Proxy allows users in your organization to access on-premises applications from the cloud. Install Application Proxy on the connector server.

Step 3 - Setup the Print Server

  1. Make sure the print server has all available Windows updates installed (update the server before proceeding).

    Note: Server 2019 must be patched to build 17763.165 or later.

    On the Windows Server machine that acts as the print server, install the Print Server role.

    Print Server Roles

  2. To ensure that local AD accounts map to AAD accounts, the Windows Server that acts as the print server must be Hybrid Azure AD joined or Azure AD joined. See Universal Print Setup to ensure that all the steps are completed. In short,
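The following PowerShell is an added example (not part of the Universal Print documentation) that checks the Step 3 requirements on the print server: the Print Server role, the Server 2019 minimum build, and the hybrid join state that dsregcmd reports. Run it in an elevated PowerShell session on the print server.

```powershell
# Added example: pre-flight checks for the print server in Step 3 (not from the Universal Print docs).

# 1. Print Server role: install it if it is missing ("Print-Server" is the Windows feature name).
$role = Get-WindowsFeature -Name Print-Server
if (-not $role.Installed) {
    Install-WindowsFeature -Name Print-Server -IncludeManagementTools
}

# 2. OS build: Server 2019 (build 17763) must be at revision 165 or later.
#    The revision (UBR) is read from the registry because OSVersion does not report it.
$build = [Environment]::OSVersion.Version.Build
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
if ($build -eq 17763 -and $ubr -lt 165) {
    Write-Warning "Build 17763.$ubr is below the required 17763.165; install Windows updates first."
}

# 3. Join state: parse "dsregcmd /status" and require both AzureAdJoined and DomainJoined to be YES,
#    i.e. the server is Hybrid Azure AD joined. These are the same two lines the Troubleshooting
#    section tells you to check. -match is case-insensitive, so the key casing does not matter.
$joined = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
        $joined[$Matches[1].ToLower()] = $Matches[2].ToUpper()
    }
}
if ($joined['azureadjoined'] -eq 'YES' -and $joined['domainjoined'] -eq 'YES') {
    'Server is Hybrid Azure AD joined.'
} else {
    Write-Warning ('Not hybrid joined: AzureAdJoined={0} DomainJoined={1}' -f `
        $joined['azureadjoined'], $joined['domainjoined'])
}
```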

Step 4 - Setup Directory Sync of Local AD with Azure AD

The users or groups must exist in on-premises Active Directory and be synchronized with Azure AD. If the solution is deployed to a non-routable domain (e.g. mydomain.local), the Azure AD domain (e.g. domainname.onmicrosoft.com, or one purchased from a third-party vendor) needs to be added as a UPN suffix to on-premises Active Directory. This is so that the exact same user who will be publishing printers (e.g. admin@domainname.onmicrosoft.com) exists in both directories. See Prepare a non-routable domain for directory synchronization to ensure the local domain is added and synced.

Note: This is an important step, as it is the basic requirement for a complete setup. The local AD user must have the same username as the synced AAD account.
Example: domain/user1 should translate to user1@AADDomain.com

Once the sync takes place (the default synchronization frequency is 30 minutes), you can verify that the AD users are synced in the administrative portal. Under Azure Active Directory, select the Users tab; a list of all users appears, and the details of a synced user show that the source is Windows Server AD.

User is Directory Synced
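The following PowerShell is an added example (not part of the Universal Print documentation) for the Step 4 mapping rule: it adds the Azure AD domain as a forest UPN suffix and reports every enabled user whose UPN will not sync to the expected user1@AADDomain.com form. The Azure AD domain contoso.onmicrosoft.com is a constructed placeholder; run it on a domain controller or a machine with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the Universal Print docs): prepare and verify the Step 4 rule
# "domain\user1 -> user1@AADDomain.com" on the on-premises side before the sync runs.
Import-Module ActiveDirectory

# Assumption: this is your Azure AD domain (constructed placeholder, replace it).
$aadDomain = 'contoso.onmicrosoft.com'

# Add the Azure AD domain as a UPN suffix of the forest if it is not already there.
# Needed when the on-premises domain is non-routable, e.g. mydomain.local.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $aadDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $aadDomain }
    "Added UPN suffix $aadDomain to forest $($forest.Name)."
}

# Report every enabled user whose UPN does not match the expected Azure AD identity:
# the UPN prefix must equal the sAMAccountName and the suffix must be the Azure AD domain,
# otherwise the connector cannot map the Azure AD user back to the domain user.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, SamAccountName
$mismatched = foreach ($u in $users) {
    $expected = '{0}@{1}' -f $u.SamAccountName, $aadDomain
    if ($u.UserPrincipalName -ne $expected) {
        [pscustomobject]@{
            User        = $u.SamAccountName
            CurrentUPN  = $u.UserPrincipalName
            ExpectedUPN = $expected
        }
    }
}

if ($mismatched) {
    Write-Warning "$(@($mismatched).Count) user(s) will not map cleanly; review before syncing:"
    $mismatched | Format-Table -AutoSize
    # To fix a single user after review (deliberately not run automatically):
    #   Set-ADUser -Identity user1 -UserPrincipalName "user1@$aadDomain"
} else {
    'All enabled users have a UPN of the form sAMAccountName@' + $aadDomain
}
```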

Step 5 - Enabling the hybrid AD/AAD support on Universal Print Connector

On the print server where the connector is installed, there is a toggle in the top right corner of the connector application.

  • Set the Enable hybrid AD configuration option on the connector to On.

Enable Hybrid AD configuration

Verify the deployment

Verify the deployment by sending a test print job to the print server using your AAD credentials from an AD joined client machine.

The client machine must be AAD joined with the same account that was linked during the sync step. Go to Settings > Accounts > Email & Accounts. Click Add a work or school account and sign in with the credentials to add the AAD account to the client machine.

Steps to submit a test print to verify the deployment:

  • Add a printer and print a test page.
  • Once you see a print job queued in the print queue, a test print file named printerName.pdf should appear on the print server under the folder C:/prints.
  • If this file appears, check whether the mapping succeeded by reading the event log at the path given for Print Server logs in the Troubleshooting section.

Troubleshooting

Below are common issues encountered during deployment:

Error: The request to add or remove features on the specified server failed
Recommended steps: Ensure Windows Server has the latest updates by checking for updates on the server.

Error: Check if the server is domain and Azure AD joined
Recommended steps: Run dsregcmd at a command prompt and check that AzureADJoined and DomainJoined both show "YES".

Error: Print jobs stay in the "Sent to printer" state
Recommended steps:
  • Ensure TLS 1.2 is enabled on the connector server. See the linked article in Step 2.
  • Ensure HTTP2 is disabled on the connector server. See the linked article in Step 2.

Error: Print jobs show as "Aborted" in the portal, and the Print Connector event log shows Event 27 "Failed to impersonate <user> for job <id>" followed by Event 9 "PrintJob failed System.Security.SecurityException: The user name or password is incorrect...".
Recommended steps: Check that the computer account is a member of the "Windows Authorization Access Group" as described in Apps and APIs require access.

For more troubleshooting help related to Universal Print, see Universal Print troubleshooting guide.

Below are the locations of logs that can help with troubleshooting:

Component: Windows 10 Client
  • Use Event Viewer to see the log of Azure AD operations. Click Start and type Event Viewer. Navigate to Applications and Services Logs > Microsoft > Windows > AAD > Operation.
  • Use Feedback Hub to collect logs. See Send feedback to Microsoft with the Feedback Hub app.

Component: Print Server
  • Use Event Viewer to see the Print Connector log. Click Start and type Event Viewer. Navigate to Applications and Services Logs > Microsoft > Windows > PrintConnector > Operational.
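The following PowerShell is an added example (not part of the Universal Print documentation) that automates the two checks behind the "Aborted" jobs row above and the Print Server log location: it reads Events 27 and 9 from the PrintConnector operational log and confirms that this computer account is in Windows Authorization Access Group. It looks the log channel up by name rather than assuming its exact channel string, and assumes the RSAT ActiveDirectory module is available on the print server.

```powershell
# Added example (not from the Universal Print docs): run on the connector / print server.

# 1. Locate the PrintConnector operational channel (Applications and Services Logs >
#    Microsoft > Windows > PrintConnector > Operational) without hard-coding its name.
$log = Get-WinEvent -ListLog '*PrintConnector*Operational*' -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $log) { throw 'PrintConnector operational log not found; is the connector installed?' }

# 2. Pull impersonation failures from the last 24 hours:
#    Event 27 = "Failed to impersonate <user> for job <id>", Event 9 = "PrintJob failed ...".
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 27, 9; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if ($events) {
    foreach ($e in $events) {
        '{0} Event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
    }
} else {
    'No Event 27/9 impersonation failures in the last 24 hours.'
}

# 3. Impersonating the mapped domain user requires the connector's computer account to be
#    in "Windows Authorization Access Group". Resolve membership recursively so nesting counts.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'"
$members  = Get-ADGroupMember -Identity 'Windows Authorization Access Group' -Recursive |
            Select-Object -ExpandProperty DistinguishedName
if ($members -contains $computer.DistinguishedName) {
    "$env:COMPUTERNAME is a member of Windows Authorization Access Group."
} else {
    Write-Warning ("$env:COMPUTERNAME is NOT in Windows Authorization Access Group; add it as " +
                   "described in 'Apps and APIs require access' (membership takes effect after a restart).")
}
```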