Creation of printers configured in Universal Print Server (UPS) policy fails when user logs on.
When a user is a member of a large number of security groups in Active Directory, the creation of printers configured through a Universal Print Server policy can fail.
Possible error messages
- In the event viewer this message appears on the server/desktop where the user is logging on to: “Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. The driver has not been mapped. Client name: () Printer: (\\printserver\printername) Printer driver: ()”
- Printers are not created on the user’s session.
- The printer is created but the printer has the status “not configured”.
In all cases the user is unable to print to the printer and unable to connect to the UPS printer.
The following steps were completed to try and fix the problem.
- When removing the user from several Active Directory security groups the creation of the printer succeeds;
- Because the result changed with the number of security group memberships, the Kerberos MaxTokenSize registry key was suspected. After changing this to the maximum value of 65535, the issue still exists;
- When changing the name of the print server to the IP address of the print server the creation of the printer succeeds.
As you can see in the overview of Universal Print Server architecture below, the client and the server communicate over the HTTP protocol.
Because the user is a member of a large number of security groups in Active Directory, the request header can grow beyond the size the UPServer normally can handle. By default the maximum size is around 8192 bytes (8K) for this cookie.
Complete one of the following options to resolve this issue.
Option 1: Limit the number of security groups that the user is a member of in Active Directory.
Option 2: Increase the maximum request header size on the print server:
- When the UPS print server software is installed, an Apache web server is configured with it. This web server is installed in the following location: C:\Program Files\Citrix\XTE
- The conf folder contains a file named httpd.conf. Open this file and add the following line: LimitRequestFieldSize 65535
- This changes the size of the request header to the maximum of 64K (the same as the maximum size for a Kerberos ticket).
- When you have changed this configuration file, restart the UPS services (or restart the server completely) for the changes to take effect.
- This change must be made on every print server where the UPServer software is installed. It also affects all users, and there is no way to exclude certain users or groups.
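To check a print server before and after the change, the following added example (not part of the original article or of Citrix's software) reads the LimitRequestFieldSize in effect from httpd.conf text and compares it with an estimated header size for a user. It assumes the Kerberos token travels base64-encoded in a single "Authorization: Negotiate" header field, uses Microsoft's published token size estimate (1200 + 40d + 8s), and takes 8190 bytes as Apache's built-in default; the sample httpd.conf text and group counts are constructed.

```python
import math
import re

APACHE_DEFAULT_FIELD_SIZE = 8190   # Apache's built-in default when no directive is set
DEFAULT_MAX_TOKEN_SIZE = 12000     # MaxTokenSize default quoted in this article

def effective_field_limit(conf_text):
    """Return the LimitRequestFieldSize in effect (last uncommented directive wins)."""
    limit = APACHE_DEFAULT_FIELD_SIZE
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out directives have no effect
        match = re.match(r"(?i)LimitRequestFieldSize\s+(\d+)\s*$", line)
        if match:
            limit = int(match.group(1))
    return limit

def estimated_token_bytes(d, s):
    """Microsoft's estimate. d: domain local groups, universal groups from other
    domains and SID history entries; s: global groups and universal groups in
    the account domain."""
    return 1200 + 40 * d + 8 * s

def header_field_bytes(token_bytes):
    """Size of the header field once the token is base64-encoded (4 chars per 3 bytes)."""
    return len("Authorization: Negotiate ") + 4 * math.ceil(token_bytes / 3)

def check_user(conf_text, d, s):
    """Return (token_bytes, header_bytes, limit, fits) for one user's group counts."""
    token = estimated_token_bytes(d, s)
    header = header_field_bytes(token)
    limit = effective_field_limit(conf_text)
    return token, header, limit, header <= limit

# Constructed httpd.conf fragments: before and after the change described above.
CONF_BEFORE = "ServerRoot \"C:/Program Files/Citrix/XTE\"\n#LimitRequestFieldSize 16380\n"
CONF_AFTER = CONF_BEFORE + "LimitRequestFieldSize 65535\n"

if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        token, header, limit, fits = check_user(conf, d=100, s=200)
        print(f"{name}: token~{token}B header~{header}B limit={limit}B fits={fits}")
        print(f"  token below default MaxTokenSize: {token < DEFAULT_MAX_TOKEN_SIZE}")
```

With the constructed counts, the estimated token is well below the default MaxTokenSize, yet its base64-encoded header already exceeds the default field limit, which matches the observation that raising MaxTokenSize alone did not help.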
The MaxTokenSize by default is 12,000 bytes. This has been the default value since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2. As the company grows, the number of groups within the organization also grows. If your Kerberos token becomes too big, your users will receive error messages during login, and applications that use Kerberos authentication can potentially fail as well. This is why the default value is not a hard limit; the maximum recommended configuration is 65535 bytes or 64k.
Note: It is recommended that you do not set the MaxTokenSize greater than 65535 bytes or 64k. If you set the MaxTokenSize greater than 65535 bytes applications using Kerberos authentication could potentially fail.
Refer to http://support.microsoft.com/kb/938118/en-us for more information.
Here’s the link to the original KB article. This is an article I wrote myself for the Citrix knowledgebase.