Using Windows Authentication with Microsoft SQL Server
Last updated March 20, 2025
By default, PaperCut uses SQL authentication: the database username and password are configured in the PaperCut server.properties file. This is discussed in the manual. The server.properties file is secured by only being accessible by Administrator users.
Some customers prefer to make use of the Windows Authentication features of SQL Server. This allows PaperCut to automatically log in/connect to the database using the credentials of the user the "PaperCut Application Server" is running as. This avoids the need to store the username/password in the server.properties file.
To use Windows Authentication with SQL Server, some additional configuration is required.
1. Configure PaperCut to use SQL Server
It is generally recommended to first configure PaperCut to use SQL Server authentication and confirm everything is working before moving to "Windows Authentication". Windows Authentication is more complicated to set up, so it's good to get things working first with SQL Authentication.
To do this, follow the upsizing guide in the PaperCut manual.
After completing this you should have PaperCut running using the SQL Server database.
2. Running the PaperCut Application Server as a non-system account
By default the PaperCut Application Server runs as the SYSTEM account. You need to change PaperCut to run under a user account that is granted permissions to the SQL Server database.
2.1. Create a domain user account to run the PaperCut Application Server service. It is recommended to name the user something like "papercut_svc". Ensure that the user is configured so their password never expires. Also ensure that the user has local administrator privileges on the server running PaperCut.
2.2. Change the PaperCut Application Server service to run as the "papercut_svc" user. To do this select the "PaperCut Application Server" service in the Windows service tool (Control Panel → Admin Tools → Services), then right-click and select "Properties". On the "Logon" tab enter the username/password of the new papercut user. Press "OK" to apply the changes.
2.3. Restart the PaperCut Application Server service using the service control panel. Wait for the service to start and test that PaperCut is operating correctly by logging into the admin interface.
3. SQL Server configuration
SQL Server must first be configured to allow Windows authentication. This is configured within the SQL Server administration tools.
You will also need to grant the "papercut_svc" user full access to the PaperCut database (e.g. full access to read/update tables and also to create and drop database tables).
4. Configure PaperCut for SQL Server Windows authentication
NOTE: you may need other string parameters discussed in Step 5: Change the PaperCut NG/MF connection details.
4.1. Open the PaperCut [app-path]\server\server.properties file in a text editor.
The connection string will need to be updated to enable Windows authentication. Add ;integratedSecurity=true to the connection string.
For example an updated string might look like the below (yours may have different parameters based on your SQL Server configuration and organization's requirements):
jdbc:sqlserver://[server][:port];databaseName=[database];socketTimeout=600000;integratedSecurity=true
Then remove the username (and password). If the username is not blank, "SQL Server" authentication will be used instead. Edit the server.properties file so that database.username is empty. E.g.:
database.username=
4.2. Save the configuration file.
4.3. Restart the PaperCut Application Server service using the service control panel (Control Panel → Admin Tools → Services).
4.4. Test that PaperCut is working correctly by logging into the PaperCut admin interface.
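The step 4 settings can be checked mechanically before restarting the service. The PowerShell function below is an added example, not PaperCut's own code: it flags a connection string without integratedSecurity=true, a non-blank database.username, and a leftover stored password. The function name, the sample host and the database.url and database.password key names are assumptions; the connection string is located by its jdbc:sqlserver:// prefix rather than by key name.

```powershell
# Added example (not PaperCut code): audit server.properties for the step 4 settings.
function Test-PaperCutWindowsAuth {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    # Parse key=value lines; skip blanks and comments (# or !).
    $props = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        # Undo Java-properties escaping of ':' and '=' in the value.
        $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim() -replace '\\([:=])', '$1'
    }

    $findings = @()

    # Find the connection string by its prefix, whatever key holds it.
    $url = $props.Values | Where-Object { $_ -like 'jdbc:sqlserver://*' } | Select-Object -First 1
    if (-not $url) {
        $findings += 'No jdbc:sqlserver:// connection string found.'
    } else {
        # Connection properties follow the server part, separated by ';'.
        $params = @{}
        foreach ($p in ($url -split ';' | Select-Object -Skip 1)) {
            $k, $v = $p -split '=', 2
            if ($k) { $params[$k.Trim()] = "$v".Trim() }
        }
        if ($params['integratedSecurity'] -ne 'true') {
            $findings += 'Connection string lacks integratedSecurity=true.'
        }
    }

    # A non-blank username makes PaperCut fall back to SQL Server authentication.
    if ($props['database.username']) {
        $findings += 'database.username is not blank; SQL Server authentication will be used.'
    }
    # Key name assumed: the page only says to remove "the username (and password)".
    if ($props['database.password']) {
        $findings += 'database.password still holds a stored credential.'
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: integratedSecurity was added but the old username was left in.
$sample = @(
    '# constructed sample, not a real configuration',
    'database.url=jdbc:sqlserver://dbhost.example:1433;databaseName=papercut;integratedSecurity=true',
    'database.username=papercut_sql',
    'database.password='
)
Test-PaperCutWindowsAuth -Lines $sample | Format-List
```

To audit the live file, pass the output of Get-Content for [app-path]\server\server.properties as -Lines from an elevated prompt, since the file is readable only by Administrator users.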