Importing users & groups from Microsoft Entra ID (formerly called Azure Active Directory) is becoming a more and more popular method of managing users in PaperCut NG/MF as businesses shift infrastructure to the cloud.
The manual page Synchronize user and group details with standard Azure AD discusses how to set up PaperCut to synchronize with users in Microsoft’s cloud. In this article we discuss some of the issues that customers have raised with us when using this sync method.
Zero Users and Groups Synchronized
One issue that gets reported is that after following the setup instructions, the sync appears to be successful with no errors even though no users or groups are imported from Microsoft Entra ID.
When this happens, you may also see this error in the server.log file on the PaperCut server: “AADUserDirectory - Error getting response Forbidden (User synchronization).”
This may also be accompanied by two more errors in the server.log file:
- “AADUserDirectory - Error getting response Forbidden”
- “AADUserDirectory - Failed getting all users details”
These errors are due to the API Permissions on the Microsoft Entra ID Application Registration. The correct configuration for these permissions is outlined here: Step 2: Give your application permissions to read users and groups
In particular, when setting User.Read permissions, be sure you are selecting Microsoft Graph → Delegated Permissions and not “Application Permissions” by mistake. Per Step 2, make sure the permissions are correctly set, then attempt the sync again.
Error contacting Azure/Entra ID
When applying Microsoft Entra ID Sync credentials (Tenant ID, App ID, Client Secret Value), or when hitting the Synchronize Now button, you may be presented with the message: “There was an error contacting Azure using the details provided. Please check all values are correct and try again.”
Along with the above application-level error, you may also see the following error posted in the server.log file: “ERROR AADUserDirectory - No access token received from url: https://login.microsoftonline.com/..."
We see this error because Microsoft Entra ID is rejecting the values that have been set for the Tenant ID, App ID, or the Client Secret Value. Please ensure that all three of these values are correct and correspond with the Tenant and Application Registration you are attempting to connect to.
Entra ID usernames don’t match print job owner usernames
One challenge with Microsoft Entra ID sync is that the username which gets synced into PaperCut may not precisely match the format of username on the workstation.
The outcome of this mismatch is that print jobs might be canceled or users may not see their print job to release.
Thankfully this issue and the solutions are documented in detail in our article Preparing to use UPN usernames with PaperCut when syncing with the standard Azure AD sync method.
Error AADSTS50076 or AADSTS50079 when users authenticate
You might see either error message AADSTS50076 or AADSTS50079 returned from Microsoft when users try to log in to PaperCut. This happens when logging in with username and password, using Microsoft Entra ID sync, and two-factor authentication (also called multi-factor authentication) has been enabled.
The full error message might look similar to this:
2024-05-23 10:33:45,239 INFO PrintJobAuthorizationController - Invalid authentication: [Invalid username or password., AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'. Trace ID: 4d355636-ebbc-4171-918a-46e528953e00 Correlation ID: 20c15871-a571-4fb3-af80-27798b46c096 Timestamp: 2024-05-23 14:33:45Z] [http-31]
The most up-to-date versions of PaperCut NG and MF do support two-factor authentication for logging into all web-based authentication pages (admin and web applications, Mobile Release web client, and Web accessibility user client) as well as the PaperCut user client. But you may still see this error message in the logs in some unsupported scenarios, such as when a user attempts to log into a copier with a username and password.
For more details on versions, requirements, and what is and isn’t supported see Considerations when using ‘standard’ Microsoft Entra ID (Azure AD) with MFA.
Prior to version 23.0.1, two-factor authentication was not supported for user logins. Our advice then was to configure your security policy to exclude two-factor authentication for the PaperCut Application Server app, or the PaperCut app server device when applying conditional policies at the machine level.
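As an added example, and not part of this article or of PaperCut’s own tooling, the following Python script takes the server.log messages quoted in the sections above (the “Forbidden” and “Failed getting all users details” errors, the “No access token received” error, and the AADSTS50076/AADSTS50079 authentication error), scans a server.log for them, and maps each hit to the cause this article attributes to it. The sample log is constructed for the example (the filler line and the logger name on it are made up); the function names and the hint text are assumptions of this example, while the error messages themselves are the ones quoted in the article.

```python
import re
from collections import Counter

# Signatures taken from the messages quoted in the article, keyed to the cause
# the article attributes to each. Hint text summarizes the article's advice;
# it is not output from PaperCut itself.
SIGNATURES = [
    ("graph_permissions",
     re.compile(r"AADUserDirectory - (Error getting response Forbidden"
                r"|Failed getting all users details)"),
     "Check Microsoft Graph API permissions on the Entra ID app registration: "
     "User.Read must be a Delegated permission, not an Application permission."),
    ("credentials",
     re.compile(r"AADUserDirectory - No access token received from url: (\S+)"),
     "Entra ID rejected the Tenant ID, App ID or Client Secret Value; "
     "re-check all three against the app registration."),
    ("mfa_required",
     re.compile(r"\b(AADSTS5007[69])\b"),
     "A user login hit a multi-factor / conditional access requirement; "
     "see the MFA considerations article for supported scenarios."),
]

# Constructed server.log excerpt. The first line is filler with a made-up
# logger name; the remaining lines reuse the messages quoted in the article.
SAMPLE_SERVER_LOG = """\
2024-05-23 10:30:01,100 INFO  ConstructedFillerComponent - nothing to do with Entra ID sync
2024-05-23 10:30:02,512 ERROR AADUserDirectory - Error getting response Forbidden (User synchronization).
2024-05-23 10:30:02,513 ERROR AADUserDirectory - Error getting response Forbidden
2024-05-23 10:30:02,514 ERROR AADUserDirectory - Failed getting all users details
2024-05-23 10:31:10,000 ERROR AADUserDirectory - No access token received from url: https://login.microsoftonline.com/...
2024-05-23 10:33:45,239 INFO PrintJobAuthorizationController - Invalid authentication: [Invalid username or password., AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'. Trace ID: 4d355636-ebbc-4171-918a-46e528953e00 Correlation ID: 20c15871-a571-4fb3-af80-27798b46c096 Timestamp: 2024-05-23 14:33:45Z] [http-31]
""".splitlines()


def triage_entra_log(lines):
    """Return (category, line_number, matched_text, hint) for every line that
    matches a known Entra ID sync or authentication signature."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for category, pattern, hint in SIGNATURES:
            match = pattern.search(line)
            if match:
                findings.append((category, lineno, match.group(0), hint))
                break  # one category per line is enough for triage
    return findings


def summarize(findings):
    """Count findings per category. A sync that imported zero users but logged
    none of these messages yields an empty dict, which is itself a useful
    signal: the failure is not one of the documented server.log cases."""
    return dict(Counter(category for category, *_ in findings))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_SERVER_LOG
    found = triage_entra_log(lines)
    for category, lineno, matched, hint in found:
        print(f"line {lineno}: [{category}] {matched}\n    -> {hint}")
    print("summary:", summarize(found))
```

Run it with a path to a server.log to triage a real file, or with no arguments to run it over the constructed sample. The “Forbidden” lines are grouped under one category because the article attributes all of them to the same Graph permission misconfiguration; the AADSTS match keeps only the error code so the hit is readable without the full Microsoft message.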