After upgrading to Windows 7 / Server 2008 R2 SP1, calls to the Win32 API OpenPrinter() (http://msdn.microsoft.com/en-us/library/dd162751(v=vs.85).aspx) now fail with error code 1801 on remote queues from an ASP.NET Application running inside of IIS 7.5 when “ASP.NET Impersonation” is configured to use the Authenticated User.
ASP.NET Applications can no longer use the Anonymous Access credentials via ASP.NET Impersonation to view/administrate print jobs in remote queues. This only occurs when Service Pack 1 has been applied to Windows 7 or 2008 R2 on the machine running IIS.
Operating System and Service Pack of the target system seem to not be a factor.
Testing with credentials stored in source code, and calling LogonUser / Impersonate calls to OpenPrinter still succeed on remote queues, even after the upgrade to Service Pack 1.
Error Code: 1801 "The Printer name is invalid"
After OpenPrinter returns FALSE, the handle passed remains NULL, and calling GetLastError() consistently returns error code 1801 (“The Printer Name is Invalid”)
Running the same code is run using the ASP.NET Development Server (VS2010) on the same machine against the same remote queue, logged in with the same user as is set in Anonymous Access then the call succeeds.
.NET Framework Versions: 2.0, 3.0, 3.51
In an effort to rule out permissions issues we have tried impersonating, and application pool as Administrator. A call to : System.Security.Principal.WindowsIdentity.GetCurrent() has confirmed the thread is running as Administrator.
PrintQueue / PrintServer Class:
As a test, we upgraded temporarily to .NET 3.0 and 3.51 and attempted to make use of the build in PrintQueue (http://msdn.microsoft.com/en-us/library/system.printing.printqueue.aspx) / PrintServer (http://msdn.microsoft.com/en-us/library/system.printing.printserver.aspx) classes.
When calling the constructor for the PrintServer object with the path to a remote server, the following exception is thrown:
Call: PrintServer myPrintServer = new PrintServer(@"\\theServer");
Exception Thrown: "Win32 error: The printer name is invalid"
Access Flags for call to Open Printer:
We are using the following access flag : PRINTER_ALL_ACCESS
And have tried a variety of other levels, as well as passing NULL for PRINTER_DEFAULTS to attempt read only operations and it still fails.
IIS Security Settings:
Anonymous User: Set to customized user with permissions to Print, Manage Documents and Manage this Printer.
ASP.NET Impersonation: Set to “Authenticated User”
Anonymous User Tests: Logging in with the user specified in Anonymous user, the user can Install the printer, and manage jobs. Domain/Enterprise Admins have been tested as well. During debugging, calls to GetCurrent() Identity have confirmed the correct user
Access to other remote resources such as files, and Microsoft SQL Databases have been unaffected by this change.
After working with Microsoft support on the issue for several weeks. We have been informed that we will need to store Windows Credentials securely ourselves, and use them in conjunction with LogonUser / Impersonate as needed when working with Remote Queues.
Historically we have preferred to not store or have access to Windows Credentials, and are posting here in hopes of resolving the issue in future updates.