To clarify, the service user in the sense environment and the service user in the nprint environment are both not domain users. Both are just local windows users.

To answer your questions:

1. The qlik sense local windows service user, is a rootadmin within the sense qmc. This is the user utilized in the nprint app connection I'm troubleshooting.
2. Yes this user can access the app in question from the hub.
3. The qlik sense machine was set up fresh using an amazon ami. The nprint machine was an amazon ami as well, but I've completely uninstalled and reinstalled the nprint server and nprint engine in an effort to troubleshoot.
4. Could you clarify this question? I'm not sure what you're meaning?

Also, do you know where issues with the 'run verification'  button process would be logged? Do you know which nprint windows service it utilizes?

Have you gone thru this already? https://community.qlik.com/t5/Official-Support-Articles/How-to-resolve-NPrinting-verification-errors... 

So, When you test connection you are using, Serverhostname\windowsuser?

I've seen the article and have tried to follow it. Although, I'm struggling to determine which options are relevant. I've tried disabling IE enhanced security, and adding the proxy address to the trusted intranet sites. I'm suspicious that the nprint server is having trouble connecting to the qlik sense services via the proxy because even when I disable the inbound server rule opening up the relevant ports, the nprint 'run verfication' connection test still succeeds on the "The QRS is reachable on the port 4242 of the "Proxy Address"" test.

Do you know what service would be engaged for the certificate validation? I'm hoping to find a log that can show me the specifics of the issue. As in whether it's actually connecting to the qlik sense server or not.

I assume you're referring to the identity field? I've inputted qlikUserDir\qlikUserID as the value. The user being the service user on the qlik sense box.

I see. Unfortunately, domain joining the servers is not an option for us with current project constraints.

I've seen that the documentation requires a domain service account.  But in our original nprinting environment its domain service user is not able to be authenticated due to the active directory it originated from no longer being available for authentication.

Despite this, our connections between nprint and sense in that environment continue to cache as expected despite failing the "The "Identity" and the Qlik NPrinting Engine service account are a Windows domain user." step of the 'run verification' test. As depicted in the screenshot.

Because of this, I hoped that the domain user requirement could be circumvented. Do you know why this still works? Is the user information cached somehow? I'm unable to login as that user in the original qlik sense environment due to it not being able to authenticate against the original active directory.

Do you know what services are involved in this 'run verification' test? I'd like to be able to put the relevant logs in debug mode to see if they detail the exact reasons the test is failing in our new environment.

On the link, I see the following statement about ports:

"""

Ensure the following NPrinting ports are not blocked on both the NPrinting, QlikView and or Qlik Sense servers:

• ​NPrinting Ports 80, 443, 4242, 4243, 4244, 4747, 4992, 4993, 4994, 4995, 4996, 4997, 5672

"""

I assume that the majority of these ports don't need to be opened inbound on the sense or nprint machines? I take it that most of these services are communicating internally?

Based on the port page I've linked below, I see that only 443, 4242, 4243, and 4747 are required as inbound firewall rules to qlik sense. Consequently, those are the only ports our proxy is listening on. Please let me know if others are needed as well.

https://help.qlik.com/en-US/nprinting/Content/NPrinting/DeployingQVNprinting/Ports.htm

@cjcunningham the error shown previously is more about windows user. I guess you are using this just for testing because all the domain users can't be controlled via domain control or group policy. Could be that might be blocking.