You can have as wide and varied a range of printing needs as you have business needs. Learn about the available SAPSprint options — what they are and what they do — so you can help your organization meet its specific printing needs.
Key Concept
Secure Network Communications (SNC) integrates an external security product with SAP systems. SNC protects the data communication paths between client and server components of SAP systems that use a Remote Function Call (RFC) or dialog (DIAG) protocol.
You can configure a number of SAPSprint options to meet special requirements regarding job processing, print infrastructure, and security. I’ll explain all possible configuration parameters, giving the details of each option while clarifying their relationship to one another. I’ll also show you how to set the option values and where they are stored.
Assuming you have installed SAPSprint, understand how it works, and what it consists of, you are ready to take this next step. If you have not already, I recommend that you read my article “Get the Most Out of SAPSprint for Server-Based Printing in Microsoft Windows.” It provides information on the installation of SAPSprint and the solid foundation that enables you to get the most from this article.
Note
The article is for system and print administrators. You should be familiar with printing on a Microsoft Windows platform, and you should know the basics of SAP printing terminology. The article focuses on the special features of SAPSprint printing. For the section on Secure Network Communications (SNC)-secured printing, you should also be familiar with the SNC product and the appropriate terminology. Background information about SNC is outside the scope of this article.
Adjust the SAPSprint Installation for SNC
To use SAPSprint for SNC-secured printing, which is implemented in the gsskrb5.dll as part of the SNC installation, you need to run (i.e., reconfigure) the SAPSprint service with a domain user account. As I recommended in my April 2009 article, if you want to print on shared printers in the domain, you must configure for SNC-secured printing. In addition, you have to grant this domain account write access to the LogPath directory, which is a subdirectory named Log underneath the SAPSprint installation directory (unless you change it). You then enable RFC-1964-compliant Kerberos authentication for that account.
You can do this using the SETSPN.EXE tool, which you can find on the Windows OS installation CD in the SUPPORTTOOLS folder in the SUPPORT.CAB archive, or as part of various Microsoft Windows resource kits. You can also download the kits from Microsoft, together with detailed documentation.
Invoke SETSPN to turn on a hidden switch in Active Directory that permits RFC-1964-compliant Kerberos authentication exchanges. In the following example,
SETSPN -A dont/care <DOMAIN><SAPSprintUser>
<DOMAIN> stands for the NETBIOS/NT4 name of your Windows domain and <SAPSprintUser> identifies the domain account that the SAPSprint service is going to use. You substitute with whatever values are adequate for your environment.
Instead of dont/care, you can use whatever name you prefer. This is a parameter of the SETSPN program, which is not used by the gsskrb5.dll. After configuring the SAPSprint service to run under a domain account, you have to restart the service.
Configure WIN.INI to Enable SNC
The next step to enable secure printing with SAPSprint is configuring SNC. The actual SNC configuration consists of two parts: SNC reads one part from WIN.INI in %WINDIR%, and the SAPSprint code reads the other part from the registry. SAPSprint uses the information to decide whether SNC should be used, or is even required, for a print job and to determine which authenticated users are allowed to submit print jobs. (The SNC part in SAPSprint was originally developed in 1995 for Windows 3.1 and the SAPSprint predecessor SAPLPD.)
WIN.INI is a plain text file that resides in %WINDIR% and is normally only used by legacy 16-bit applications. There are three required parameters in a section labeled [snc] within WIN.INI for enabling SNC. You can use a simple text editor such as Notepad or Sysedit to edit WIN.INI (Figure 1).
[snc]
enable=1
gssapi_lib=C:whereyouinstalleditgsskrb5.dll
identity/lpd=p:SAPSprintUser@ALL.UPPERCASE.KERBEROS.REALM.NAME
|
| Figure 1 | Edit the three parameters in WIN.INI to enable SNC |
Keep in mind that SNC names have a two-character prefix: a letter (usually a lowercase p) followed by a colon (:), e.g., p:SAPSprintUser@ALL.UPPERCASE.KERBEROS.REALM.NAME. This prefix is a substitute for an ASN.1 OID, which SNC has to pass as the name type in its API to the external product along with the name.
Tip!
Kerberos principal names are case sensitive. This applies to both parts: the user name that appears before the @, and the Kerberos Realm name after the @.
The Microsoft Active Directory manages the Kerberos Realm, using all uppercase letters (e.g., the all caps DNS-domain name). Basically all administrative user interfaces (UIs) of Windows display the DNS-domain name, instead of the all caps Kerberos Realm name.
You must spell out the user name of the domain account exactly as it appears in the Microsoft Active Directory.
Note
Service packs, Support Packages, upgrades, and viruses can corrupt the spelling of a user name, which may result in hard-to-find interoperability problems with standards-compliant implementations of Kerberos5, which expects name-based authentication to work correctly.
SAP updates SAP Note 352295 for Kerberos interoperability problems that are reported and possible workarounds, or if necessary, Microsoft hot fixes.
Configure the Windows Registry
The SNC configuration parameters for SAPSprint are stored in the Windows registry along with all the other parameters described in this article. You can use the Windows-supplied REGEDIT or any other registry editor to change the parameters, or use the command line syntax of SAPSprint described in the next section. The registry path where you define the parameters is as follows:
HKEY_LOCAL_MACHINESoftwareSAPSAPlpdSAPLPD
and when running a 32-bit SAPSprint on a 64-bit Windows:
HKEY_LOCAL_MACHINESoftwareWow6432NodeSAPSAPlpdSAPLPD
The following registry keys (Table 1) determine the policy and Access Control List (ACL) for the use of SNC-protected printing with SAPSPRINT.EXE.
| snc_mode | int | default 0 | [0, 1, 2] | | snc_min_qop | int | default 3 | [1, 2, 3] | | NumAuth | int | default 0 | [0 … (n + 1)] | | Auth0 | string | | SNC name | | Auth1 | string | | SNC name | | Auth<n> | string | | SNC name | |
| Table 1 | Registry keys that determine the policy and ACL for the use of SNC-protected printing with SAPSPRINT.EXE |
All registry entries are actually REG_SZ string types, but the contents for those listed as integers (int) must be numeric.
Here are some examples (see the next section for a general explanation of the syntax):
- SAPSPRINT -oi snc_mode 1 ? Enables SNC-secured printing, but still permits submission of regular LPD print requests
- SAPSPRINT -oi snc_min_qop 9 ? Configures the use of the maximum available protection (which for Kerberos means confidentiality/encryption)
- SAPSPRINT -os Auth1 p:SAPServiceC11@ALL.UPPERCASE.KERBEROS.REALM.NAME ? Enters the SNC name of an acceptable peer to the ACL (e.g., the name of an SAP NetWeaver Application Server)
- SAPSPRINT -oi NumAuth 2 ? Configures how many valid ACL entries (minus one) SAPSprint looks at
The available parameters for snc_mode include:
- 0 Reject requests for submission of SNC-protected print jobs
- 1 Accept requests for SNC-protected print jobs
- 2 Require all print jobs to use SNC-protected communication
The available parameters for snc_qop_min include:
- 1 Authentication only
- 2 Authentication plus data integrity protection
- 3 Authentication plus data integrity plus data confidentiality protection (aka encryption)
The parameter for NumAuth determines what minimum of protection SAPSprint requires to accept a print job. The configuration in the SAP system (transaction SPAD) determines what the application server actually uses.
The parameter for Auth<n> determines through how many registry entries named Auth<n> will iterate, trying to match the SNC-authenticated peer to a local ACL entry. This value must be the number of entries plus 1.
Individual ACL entries with the SNC names of peers are allowed to submit print jobs. The peer name will be string-compared to the name that pops up from the SNC Authentication.
Different from SNC ACLs in an SAP system, there is no canonicalization of this name, so you must enter it correctly. Name canonicalization is more an issue with external security products that represent users with distinguished names rather than Kerberos principal names.
The next section describes how to set and modify a SAPSprint option and lists some additional SNC options.
SAPSprint Control Options
All options are stored in the Windows registry under the key HKEY_LOCAL_MACHINESOFTWARESAPSAPlpdSAPLPD. If no options are specified explicitly in the registry, the default value is used. All options are case sensitive and must be specified exactly as described in Table 2. (It is not necessary to specify the default value.) You can modify the options from the command line with the commands provided in Table 3.
| ConnectionMode | 1 | 0, 1 | If the value is 0, no separate thread is started after a new request is received. The connection is blocked until all the data is received. The default value should not be changed, because the blocking might prevent receiving large jobs. The option is obsolete and might be removed in a later version of SAPSprint. | | IgnoreDCError | 0 | 0, 1 | Usually the service automatically restarts if the CreateDC problem described in SAP Note 1069483 occurs. You can prevent this behavior by setting this option to value 1. This is only recommended in agreement with SAP support for testing some special scenarios. | | KeepFile | 0 | 0, 1 | If the value is 0, the system deletes job-specific log files and print data after they are successfully printed. They are retained if there are errors. If the value is 1, job-specific log files and print data are retained even after they are printed successfully. This option is mostly used for problem analysis on special request of SAP support. In a productive environment only the default value should be used to save disk space and for security reasons. | | KeepRestoreFile | 0 | 0, 1 | If the value is 0, the system deletes the files where job status and received jobs are stored to set up again after a restart. If the value is 1, these files are retained after the restart. This is for error analysis only and should only be changed on special request of SAP support. | | LPDPort | 515 | Any valid TCP/IP port number | The value determines the TCP/IP port to which SAPSprint listens. The standard port for printing is 515, using the protocols S and U. It is only necessary to change this if any other program is using the default port 515. | | LogLevel | 1 | 0, 1, 5, 9 | Determines the level of details in the log file. If the value is 0, no log files are created. If the value is 1, the situation should be normal in the live operation. The value is 5 for troubleshooting by SAP support. The value is 9 only for special requests by SAP support because a lot of information is written. It is not required usually. | | LogPath | Subdirectoy ‘Logs’ in the SAPSprint installation directory | Any directory the SAPSprint service user has the authorization to write to. | Path for which the print data and log data are saved. | | MaxLogFileSize | 10000000 | Any number | Size in bytes after which a log file switch is done. The old log file is stored with a time stamp extension in the LogPath. | | MemoryLog | 0 | 0, 1 | If the value is 1, all memory allocations are logged if LogLevel is set at least at 1. This should only be used for special requests by SAP support. | | NiTrace | 0 | 0, 1 | If the value is 1 calls to the NI TCP/IP communication layer are logged.* This is only for special requests by SAP support, because it slows down the performance tremendously. | | NoJobRestore | 0 | 0, 1 | Usually all print jobs that already exist are restarted again when the service is restarted. You can prevent this behavior by setting this option to value 1. | | NoLogFileSwitch | 0 | 0, 1 | If the value is 1, the sapsprint.dbg file is erased after MaxLogFileSize is reached. | | NoPrinterLogging | 0 | 0, 1 | Usually all installed printers are logged during the service start. You can prevent this behavior by setting this option to value 1. | | NoStatus | 0 | 0, 1 | Usually the job status of unrequested requests is retained when the service is restarted. If you deactivate the status request in the SAP system, this parameter should be set to 1 so that status information is not saved unnecessarily. | | ProcessingMode | 1 | 0, 1 | If the value is 0, a new thread is started for each print job. This thread is deleted again after processing. If the value is 1, a permanent work thread is started for each printer. This thread processes the jobs for this printer sequentially in accordance with the FIFO (First In, First Out) principle. | | report_unknown_status | 1 | 0, 1 | 0 = report unknown requests as finished. 1 = unknown requests are confirmed as being incorrect. ** | | RestartAfterJobs | 0 | Any number | The SAPSprint service restarts automatically after the specified number of print jobs. This mainly reduces the probability of the CreateDC problem described in SAP Note 1069483 occurring. If the default value 0 is used, the service does not restart. | | SAPUserAsOwner | 0 | 0, 1 | If the value is 1, the SAP user is displayed in the Windows printer queue instead of the Windows user. This option will be ineffective starting with Windows Vista due to changes in Windows. | | TestMode | 0 | Any number | After the specified number of print jobs the service simulates the CreateDC problem described in SAP Note 1069483 and restarts. This is for testing purposes only and should not be used in a productive environment. | | UseOldTitle | 0 | 0, 1 | With the value 1, the job name in the Windows printer queue corresponds to the old SAPlpd conventions: <User>/<Jobname>. This is implemented for compatibility reasons. The name is often used for accounting reasons. | | * NI is the SAP internal network interface
**For more information, see the section “SAPSprint Restart” in the April 2009 article “Get the Most Out of SAPSprint for Server-Based Printing in Microsoft Windows” for details about unknown requests | |
| Table 2 | SAPSprint service options |
| sapsprint –oi <key> <number> | Sets option <key> to <number> | | sapsprint –os <key> <character string> | Sets option <key> to <character string> | | sapsprint –dk <key> | Deletes option <key> from the registry | | sapsprint –e | Shows values of all SAPSprint options | | sapsprint –t | Reset all SAPSprint options to default values by removing the key from the registry | |
| Table 3 | Command line syntax to manipulate SAPSprint options |
Job Processing Options
Use the options in this section to modify job processing of a single SAPWIN print job. In general, you shouldn’t have to set the options. If you are unsure, contact SAP support. These options have no effect on anything other than SAPWIN print jobs.
Since the SAPWIN interpreter of SAPSprint, which is implemented in sapwin.dll, is also used for the new front-end printing, the job processing options are the same. Only the path in the Windows registry where the options are stored is different. Front-end printing is user-specific. The registry path is HKEY_CURRENT_USERSOFTWARESAPSAPlpdSAPLPD.
For the front-end printing you must manually enter the options with Windows REGEDIT or any other registry editor. For SAPSprint you can also use the command line syntax described in the previous section. All options are strings from a registry point of view, regardless if the value is really a string or a number. Therefore, always use type REG_SZ when creating a new option.
You can override options that have a printer-specific identifier for individual printers. The printer-specific value only works if you have not changed the global standard value. If, for example, you set the PortraitOnly global value to 1 (different from the default setting), you cannot use the landscape setting for an individual printer.
The syntax for printer-specific options is generally <Windows printer name>:<Global option name> (e.g., HP Laserjet:PortraitOnly with the possible values of 0 and 1 as for the global option.) Table 4 provides all SAPWIN job processing options.
| barcode_yshift | 50 | Any value | Shift down the print position of barcodes by the specified number of pixels. | | ColorBackground [printer-specific] | 1 | 0, 1 | 0 = background is always white. 1 = if color is activated, print colored background (see ColorMode). | | ColorMode | 0 | 0, 1, 2 | 0 = use color only if supported by the printer. 1 = always use color, even if the printer is black and white. (Important: As a result, the printout may be unreadable.) 2 = do not use color even if the printer supports it. | | DcAllFields [printer-specific] | 1 | 0, 1 | 1 = all printer-relevant changes that were made during job processing are re-sent to the printer with each new change. 0 = only the changed option is sent to the printer. Changing this option might lead to unpredictable results. The printers behave differently. The default is the more secure option. You should not change this. | | enable_phys_margins | 1 | 0, 1, 2 | 0 = the printable area of the relevant printer is always used even if you activate physical positioning for each command. 1 = if required by the user, the physical paper boundaries are used for printing. 2 = physical positioning is always activated even if the command logic is required. The default remains logical (important for lists). Therefore, you must ensure that you make a switch. The switch also occurs if you use the Baseline command (eOCb). | | GraphRahmenMode [printer-specific] | 0 | 0, 1, 2 | 0 = print frame as lines. 1 = print frame as substitute characters (+,-,|). 2 = do not print frame. | | IconMode [printer-specific] | IconsAsGraphics | IconsAsFont, IconsAsGraphics | IconsAsGraphics: All icons are printed as (colored) bitmap (as in SAPGUI). IconsAsFont: The printable icons are taken from the SAPIcons normal font. Other icons are printed as #. | | Language | E | D, E | Writes log messages in the appropriate language: (E = English, D = German) | | no_empty_pages | 1 | 0, 1 | 0 = blank pages are printed. 1 = blank pages are not printed. | | PortraitOnly [printer-specific] | 0 | 0, 1 | If the value is 1, you can only print in portrait mode. This is useful to avoid printing in landscape mode on printers where landscape mode is very slow. | | print_spaces [printer-specific] | 0 | 0, 1 | If the value is 1, spaces are underlined for the default of a CPI value (single character positioning). | | SAPDings_charset | 2 (SYMBOL) | Any valid character set number. | Character set for the SAPDings font. | | SAPIcons_charset | 2 (SYMBOL) | Any valid character set number. | Character set for the SAPIcons font. | | space_comp | 0 | 0, 1 | If the value is 1, under the Unicode ABAP list characters that are double the width are issued with their correct width. Spaces behind are subsequently suppressed. | | SWBackground [printer-specific] | 1 | 0, 1 | 0 = background is always white. 1 = if color is deactivated (see ColorMode), then gray backgrounds or hatches are printed if a colored list is displayed. | | SwinDataType [printer-specific] | SAPWIN | 0, EMF, RAW, SAPWIN | Set the Windows spool format for SAPWIN data. The spooler does not understand SAPWIN and therefore the system stores the data as RAW. Zero (0) has a special meaning: The system uses the default that was set at the printer or the format that Windows considers to be the best. EMF must be set, for example, in terminal server environments where a universal printer driver is used. (See SAP Note 914869.) | | transparent_bitmaps | 1 | 0, 1 | 0 = the graphic overwrites a background that may be available. Icons are always printed as non-transparent, regardless of how the parameter is set. For some printer types, graphics are either only black and white (no gradation) or completely unreadable. In this case, set the value to 0. 1 = when you print TIFF graphics, white is interpreted as translucent. Because of this, the printing is compatible with other device types (for example, HPLJ4). | | use_copies [printer_specific] | 1 | 0, 1 | If the value is 1, the system transfers only one print output and the copy counter to the spool system rather than transferring a certain number of individual print outputs. | | use_old_fontsize [printer-specific] | 0 | 0, 1, 2 | 0 = use new calculation type for the font sizes as done in Windows. In addition, this mode is compatible with other device types such as HPLJ4 and PostScript. 1 = use previous (incorrect) calculation type so that you do not have to redefine SAPscript layout sets. 2 = use old (incorrect) calculation type for font sizes that are derived from the horizontal dots per inch (DPI) value. However, it is correct to use the vertical DPI value. | | WinAPILog | 0 | 0, 1 | If the value is 1 all Windows API calls are logged in a separate job-specific log file in the LogPath. This should only be used for special requests by SAP support. | | WinCharSet | 0 (ANSI) | Any valid character set number. | Character set for used fonts. | |
| Table 4 | SAPWIN job processing options |
SNC Options
The options described in Table 5 are necessary to enable secure network communication with SNC. See the section “Adjust the SAPSprint Installation for SNC” at the beginning of the article for details using SNC with SAPSprint.
| AuthX (X > 0) | “ ” | Name of partner who is to be accepted. | If conn_aa is 0, only connections of partners who are listed here are accepted. | | conn_aa | 0 | 0, 1 | 0 = only partners stated with AuthX are accepted. 1 = connections of all partners are accepted. | | NumAuth | 0 | Numbers > 0 | Number of entries in AuthX. | | snc_cmdmax | 10 | 1..10 | Number of commands that are allowed to be sent before the connection has to be secured. | | snc_min_qop | 3 | 1, 2, 3 | Minimal security level: 1 = auth 2 = signed 3 = sealed | | snc_mode | 0 | 0, 1, 2 | 0 = no security. 1 = both, secure and non-secure connections. 2 = only saved connections. | |
| Table 5 | Enable secured network communication with SNC |
Communication Options
The communication options (Table 6) are still available from the former SAPlpd, which was written at a time when network communication did not have the standards it has today. Sometimes it was necessary to change configuration parameters of the network communication between the SAP system and SAPlpd to get a stable connection. Today’s bandwidth and the stability of modern network communication are able to handle most printing requirements, so you shouldn’t have to change these parameters. What you find is that typically a bottleneck is the printer, not the network. SAP recommends that you not change the default values unless requested by SAP support. If there is a problem in the network, changing these parameters usually does not help, because they don’t eliminate the root cause. The values often refer to some configuration parameters of the SAP internal network interface layer, an abstraction layer above the basic TCP/IP layer of the operating system. The API of the network layer is not documented for the public use.
| compress1 | 1 | 0, 1 | 1 = compression method run length coding is supported. 0 = no compression supported. * | | compress2 | 1 | 0, 1 | 1 = compression method like SAPGUI is supported. 0 = do not use SAPGUI compression. * | | crypt1 | 1 | 0, 1 | 1 = data encryption supported. 0 = data encryption not supported. | | NiAcceptTimeout | 5000 | -1, any number > 0 | x > 0 = timeout value in ms for NiAccept call. -1 = NiAccept blocks until connection is established. | | NiReadLoopBreak | -1 | -1, any number > 0 | -1 = the reading loop is not terminated until data arrives. x > 0 = if no data has arrived, the reading loop is terminated with an error after x runs. | | NiReadTimeout | -1 | -1, any number > 0 | -1 = NiPeek blocks until data is received. x > 0 = timeout value in ms for NiPeek call. | | NiSpinReadTime | 100 | any number > 0 | Time NI is polling actively for data. | | NiWriteTimeout | -1 | -1, any number > 0 | -1 = no action from NiWrite until all data is written. x > 0 = NiWrite gets interrupted if writing takes longer than x ms. | | send_with_null [port-specific] | 1 | 0, 1 | 1 = sends job status with a terminating 0. 0 = sends job status without terminating 0. | | s_packet_size | 15000 | 20..15000 | Size of the accepted data packet for the S protocol. | | * If both compression methods are supported, the second method is used. | |
| Table 6 | Available communication options from the former SAPlpd |
SAPSprint Command Line Parameter
SAPSprint is implemented as a Windows service. This means that the Windows Service Control Manager automatically restarts SAPSprint in case of an unwanted termination. However, you can also call SAPSprint from the command line to set the described options or perform some additional administrative tasks. Table 7 shows the usage of all possible command line parameters SAPSprint can understand.
| sapsprint -? | Shows the usage of the most important command line parameter. Use it to look at the syntax of all possible commands. | | sapsprint –r | Registers the service in the Windows Service Control Manager Database. This is usually done during the SAPSprint installation. However, if you deleted the service from the database (see sapsprint –d), you can use this command to register it again without a new installation. | | sapsprint –d | Deletes the service in the Windows Service Control Manager Database. | | sapsprint –s | Starts the service. Command line alternative to start the service without navigating to the Windows Service Control Manager. | | sapsprint –p | Stops the service. Command line alternative to stop the service without navigating to the Windows Service Control Manager. | | sapsprint –x | Run SAPSprint not as service. This is implemented for test purposes, especially for SAP support. Do not use it in a productive environment. | | sapsprint –v | Shows SAPSprint version. | | sapsprint –h | Shows change history of SAPSprint versions. Short listing of bug fixes or functional changes. | | sapsprint –e | Shows values of all SAPSprint options set with –oi and –os. | | sapsprint –a | Log Windows settings of all installed printers in the sapsprint.dbg file. | | sapsprint –o –p <printer name> | Shows settings of printer <printer name>. | | sapsprint –t | Reset all SAPSprint options to default values by removing the key from the registry. | | sapsprint –oi <key> <number> | Sets option <key> to <number>. | | sapsprint –os <key> <character string> | Sets option <key> to <character string>. | | sapsprint –dk <key> | Deletes option <key>. For example, sapsprint –dk LogLevel removes the LogLevel key in the registry. SAPSprint uses the default value 1 afterwards. | | sapsprint –c <dir name> –p <printer name> | Prints all files on directory <dir name> on printer <printer name>. This can be used to print files again which were kept with the KeepFile option. | | sapsprint –f <file name> –p <printer name> | Prints file <file name> on printer <printer name>. This can be used to print a single file again which was kept with the KeepFile option. | |
| Table 7 | SAPSprint command line parameters |
Michael Szardenings
Michael Szardenings is a senior developer in the SAP IMS organization. Working in the Systems Management Group within IMS, Michael is responsible for all kinds of Windows printing from SAP systems. He started his career in 1989 in the IBM Research and Development Lab in Germany, with the development of various user interface components for IBM mainframe computers. As SAP IBM came together on several joint venture projects in the systems management area, which includes job scheduling and printing, Michael’s focuses switched to SAP. He joined SAP in 2001.
You may contact the author at editor@sappro.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.
Premium
Premium
Premium