Symptoms or Error
Creation of printers configured in Universal Print Server (UPS) policy fails when user logs on.
When a user is a member of a large number of security groups in Active Directory, creation of printers configured using a Universal Print Server policy can fail.
Possible error messages
- In the event viewer, the following message appears on the server/desktop where the user is logging on to: “Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. The driver has not been mapped. Client name: () Printer: (\\printserver\printername) Printer driver: ()”
- Printers are not created on the user’s session.
- The printer is created but the printer has the status “not configured”.
In all the cases, the user is unable to print to the printer and unable to connect to the UPS printer.
As shown in the following Universal Print Server architecture, the client and the server communicate over the HTTP protocol.
Because the user is a member of a large number of security groups in Active Directory, the request header can exceed the size that the UPServer normally handles. By default the maximum size is 8192 bytes (8K) for this cookie.
Complete one of the following options to resolve this issue.
Limit the number of security groups that the user is member of in the Active Directory.
When the UPS print server software is installed, there is an Apache webserver configured with it. This webserver is installed in the following location:
The conf folder contains a file named httpd.conf
- Add the parameter LimitRequestFieldSize 65535 to the httpd.conf file, before #Citrix_Begin or after #Citrix_End. This changes the maximum size of the request header to 64K (similar to the maximum size for a Kerberos ticket).
- When the configuration file is changed, restart the UPS services (or restart the server completely) for the changes to take effect.
Note: This option needs to be changed on all of the print servers where the UPServer software is installed.
This also affects all users and no users or groups can be excluded.
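Because the change has to be repeated on every print server, a small checker helps confirm that each httpd.conf carries the directive in the right place. The following is an added example, not Citrix code: it works on the text of httpd.conf (the install path is not shown here, so reading and writing the file is left to the caller), the sample configuration is constructed, and it assumes that a later LimitRequestFieldSize line overrides an earlier one.

```python
import re

DIRECTIVE, WANTED = "LimitRequestFieldSize", 65535   # values from the article
_RE = re.compile(r"^\s*LimitRequestFieldSize\s+(\d+)\s*$", re.IGNORECASE)

def _scan(conf_text):
    """Yield (line, in_citrix_block, value_or_None) for every line."""
    inside = False
    for line in conf_text.splitlines():
        marker = line.strip().lower()
        if marker.startswith("#citrix_begin"):
            inside = True
        elif marker.startswith("#citrix_end"):
            inside = False
        m = _RE.match(line)          # commented-out directives never match
        yield line, inside, int(m.group(1)) if m else None

def audit(conf_text):
    """Classify the last active directive.
    Returns (status, value); status is ok, too_small, inside_block or missing."""
    hits = [(inside, v) for _, inside, v in _scan(conf_text) if v is not None]
    if not hits:
        return ("missing", None)
    inside, value = hits[-1]         # assumption: the later setting takes effect
    if inside:
        return ("inside_block", value)
    return ("ok" if value >= WANTED else "too_small", value)

def patch(conf_text):
    """Return the text with the directive set after #Citrix_End (idempotent)."""
    if audit(conf_text)[0] == "ok":
        return conf_text
    kept, inside = [], False
    for line, inside, value in _scan(conf_text):
        if value is not None and not inside:
            continue                 # drop stale settings outside the Citrix block
        kept.append(line)
    if inside:
        raise ValueError("#Citrix_Begin without a closing #Citrix_End")
    kept.append(f"{DIRECTIVE} {WANTED}")
    return "\n".join(kept) + "\n"

# Constructed sample, not a real UPS httpd.conf
SAMPLE = ("Listen 8080\n#LimitRequestFieldSize 65535\n#Citrix_Begin\n"
          "LimitRequestFieldSize 16384\n#Citrix_End\n")

if __name__ == "__main__":
    print(audit(SAMPLE), "->", audit(patch(SAMPLE)))
```

Run `audit` against the file from each print server first; after writing the output of `patch` back, the UPS services still need the restart described above.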
Complete the following steps as a workaround to fix the issue:
- Remove the user from several Active Directory security groups. The creation of the printer succeeds.
- Because of the number of security group memberships, the problem was perceived to be a Kerberos issue related to the MaxTokenSize registry key. However, after changing this key to the maximum value of 65535, the issue still exists.
- Change the name of the print server to the IP address of the print server. The creation of the printer succeeds.
When a user is a member of a large number of security groups in Active Directory, creation of printers configured using a Universal Print Server policy can fail.
Citrix Discussions – Citrix UPS Setup issues when adding network printer to host
The MaxTokenSize by default is 12,000 bytes. This has been the default value since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2. As the company grows, the groups within the organization also grow. If your Kerberos token becomes too big, your users will receive error messages during login, and applications that use Kerberos authentication potentially fail as well. This is why the default value is not a hard limit; the maximum recommended configuration is 65535 bytes or 64k.
Note: It is recommended that you do not set the MaxTokenSize greater than 65535 bytes or 64k. If you set the MaxTokenSize greater than 65535 bytes, applications using Kerberos authentication could potentially fail.
Refer to How to use Group Policy to add the MaxTokenSize registry entry to multiple computers for more information.