We're in progress of segmenting our network, servers remaining on public routeable addresses and users being moved to private 10.x.x.x address space behind a NAT/PAT.

Our printer agents are set at security level High.

We're seeing users have printing problems when they have the printer installed as an NDPS printer and they are on a private 10.x.x.x address.

I don't ever see the job in the queue and the client never indicates any error message.

Setting the printer's security level to Medium allows printing.

Moving the client computer back to a public routeable address also allows printing.

I've turned on ndps logging with:


Then replicated the problem trying to print to .Printername.OUName.OUName.OName from a machine with IP address

Then I reviewed the ndpsm.log file and found the following:

NWDP_BindPA Start 3-19-09 3:33:25 pm NDPSM 103779
Bind Type: PA, Credential Type: NWDP_CREDENTIALS_NDPS_1, Security Level 3
Bind to: .Printername.OUName.OUName.OName
User IP Address:
Bind to: .Printername.OUName.OUName.OName
File Server: Hostname, Connection number: 95
connectionAddr address and clientAddrPtr did not match
RPC IP Address:
Credential IP Address:
Client Rights:

NWDP_BindPA End, Time used: 0:00:00.0101 NDPSM 103779

Of note to me is the line that states "connectionAddr address and clientAddrPtr did not match" and the line that states "Credential IP Address:"

The first one is just downright interesting and the second is curious because 1) that's not in our address space and 2) it's counting.

Any advice or someone who's run into this before? I googled all I can think of and haven't come up with anything meaningful or useful to me.