Configure Active Directory Authentication
Active Directory authentication uses the user's Windows workstation identity. Print Scout reads the logged-in Windows credentials automatically. No separate user registration step is required. This is the only provider where users can print immediately without registering.
Switching to or from Active Directory clears all existing user registrations. All users must re-register. The Site Encryption Key is required to make this change.
How Active Directory Authentication works
When a user submits a print job, Print Scout captures their Windows workstation identity (UPN or NetBIOS format depending on configuration) and uses it as their print identity. The user's Active Directory credentials are never sent to HP Insights — only the identity string is used.
Because identity is derived from the workstation login, Active Directory is the fastest onboarding path for large organisations. There is no registration email to send, no verification step, and no passcode to distribute.
Prerequisites
-
Device Scout installed and joined to the same AD domain as user workstations.
-
Print Scout deployed to user workstations.
Enable Active Directory authentication
1. Navigate to Account Settings > Settings > User Authentication Providers.
2. Select Active Directory.
3. Enter the Site Encryption Key when prompted.
4. Click Save.
No further configuration is required in the web console. Users can print immediately after Print Scout is installed on their workstation.
How users authenticate
At the printer (Secure Release): users enter their AD network username and password, or swipe a registered card. Card registration requires entering network username and AD password at the printer on first setup.
Direct Print: Print Scout detects the user's Windows identity automatically. No user action is required.
Troubleshooting
Users authenticated in Print Scout but cannot release at the printer
This occurs when the workstation identity format differs between the authentication flow and the print spooler flow. The authentication flow may identify the user as user@domain.com (UPN format) while the spooler identifies them as DOMAIN\user (NetBIOS format). These are treated as different identities and the job cannot be matched to the user.
Check the Print Scout logs for the identity string captured during authentication and compare it with the string captured during print submission. Contact Pharos Support if the formats differ — this requires a configuration change at the tenant level.
Universal Print tab shows "current authentication provider is not supported"
Universal Print is not supported with Active Directory authentication. SAML 2.0 is required for Universal Print integration. This is expected behaviour — the message is informational.
Related Topics: