This article explains why, in one very specific situation, Web Printing user authentication fails when the user has to enter the password manually, and describes a workaround.
When the system is set to have the user enter the password for Windows Authentication and the user enters a correct AD password, the user still gets the UMSS Error ‘Invalid user name or password’.
How Windows Authentication (by Default) Works
When the TEKLYNX CENTRAL system is set to use Windows Authentication with the default configuration (without prompting the user to enter a password), it checks the UMSS database for a matching User ID. If the User ID is found, it grants the user access to the Web Printing Interface.
What Changes When ‘Windows Authentication Password Prompt’ Option is Selected
When the Windows Authentication password prompt option is selected, the system takes the password that the user entered and sends it to AD for verification. If AD returns any error, the system treats it as a failed authentication and presents the user with the error message ‘UMSS Error. Invalid user name or password’.
Why It Fails
The ‘UMSS Error. Invalid user name or password.’ error message appears because the user attempting to log in does not have enough rights in Active Directory on the server that is hosting TEKLYNX CENTRAL.
A closer look at the situation shows that Active Directory is sending TEKLYNX CENTRAL error #1385 (The user has not been granted the requested logon type at this computer). The error indicates that the user cannot log in to the server because they have not been granted the proper permissions on the server (this has nothing to do with access to TEKLYNX CENTRAL). However, the authentication that TC performs was meant to check the validity of the user account and password for TC, not general Windows access to the server itself.
In the current state (TC v4.6), the user credentials entered must provide sufficient permissions on the server in Active Directory. The workaround is to allow the user or user group to log in locally on the TC server. This is not desirable, as it can prove to be a security risk.
TEKLYNX is considering making changes to the authentication mechanism to only check against relevant errors, not all, from AD.
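The difference between treating every AD error as a bad password and checking only the relevant errors can be sketched as follows. This is an added example, not TEKLYNX code: the function names and the `Decision` type are hypothetical, the error numbers are the standard Win32 values, and it assumes that error 1385 is returned only after the password itself has been verified.

```python
from typing import NamedTuple

# Win32 logon error codes (winerror.h values).
ERROR_SUCCESS = 0
ERROR_LOGON_FAILURE = 1326           # unknown user name or bad password
ERROR_PASSWORD_EXPIRED = 1330
ERROR_ACCOUNT_DISABLED = 1331
ERROR_LOGON_TYPE_NOT_GRANTED = 1385  # the error reported in this article
ERROR_ACCOUNT_LOCKED_OUT = 1909

GENERIC_MESSAGE = "UMSS Error. Invalid user name or password."

class Decision(NamedTuple):
    password_verified: bool  # did the directory accept the credentials?
    message: str             # text shown to the user ("" on success)
    audit: str               # detail for the administrator's log

def any_error_fails(win32_error: int) -> Decision:
    """Behaviour the article describes: every error looks like a bad password."""
    if win32_error == ERROR_SUCCESS:
        return Decision(True, "", "logon ok")
    return Decision(False, GENERIC_MESSAGE, "authentication failed")

# Account-state errors: still deny, but record the real reason for the admin.
ACCOUNT_STATE = {
    ERROR_PASSWORD_EXPIRED: "password expired",
    ERROR_ACCOUNT_DISABLED: "account disabled",
    ERROR_ACCOUNT_LOCKED_OUT: "account locked out",
}

def relevant_errors_only(win32_error: int) -> Decision:
    """Hypothetical check separating credential errors from logon-right errors."""
    if win32_error == ERROR_SUCCESS:
        return Decision(True, "", "logon ok")
    if win32_error == ERROR_LOGON_TYPE_NOT_GRANTED:
        # Assumption: 1385 is raised only after the password was verified, so
        # the credentials are good and only the server logon right is missing.
        return Decision(True, "", "password ok; logon type not granted (1385)")
    if win32_error == ERROR_LOGON_FAILURE:
        return Decision(False, GENERIC_MESSAGE, "bad user name or password (1326)")
    if win32_error in ACCOUNT_STATE:
        reason = ACCOUNT_STATE[win32_error]
        return Decision(False, GENERIC_MESSAGE, f"{reason} ({win32_error})")
    # Fail closed on anything unrecognised.
    return Decision(False, GENERIC_MESSAGE, f"unclassified logon error ({win32_error})")
```

The user-facing message stays generic in every denied case, while the audit string gives the administrator the actual reason, which is what distinguishes a 1385 from a mistyped password.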
Issue Found: TEKLYNX CENTRAL v4.5 and v4.6 running on Windows 2012 R2