
Microsoft IIS Licensing confusion


Question

Anyone out there know IIS licensing or Microsoft Licensing? (yes, I know that's a loaded question.....)

 

I was reading MS licensing and got VERY confused, we thought we had it all figured out long ago but it's been amended so many times and changed now we are lost..

 

Here is what we need to figure out..

 

Say I have this set up:

 

  • 3x Windows 2012 R2 Standard Servers
  • One server is set up as a web application server running IIS which is hosting a website to the public
  • One server is set up as a backend database server running SQL Server 2012 Standard
  • One server is the DC running Active Directory

 

Two scenarios, what is the licensing required?

  1. Public site is purely anonymous and has no user login but still pulls backend data from SQL server to render pages, how many CALs do you need?
  2. Public site has an anonymous front end, but has a custom Forms authentication system that reads a user database from SQL Server to authorize and authenticate and return control to the ASP.NET application running on the app server. One AD user is used to run the website application pool and authenticate with SQL Server via windows authentication. These credentials do not allow a user to perform queries directly on the SQL server (a user cannot execute a stored procedure, run DML or any other SQL statement directly, procedures are only coming from the ASP.NET website Data access layer).

 

Going by MS docs it seems that for number one I need the following

  • 3x windows server licenses plus CAL for AD users
  • SQL Server Per core license or a SQL Server CAL for any user that may come to my site (who knows how many it's a freaking public site?)

 

and for number 2.

  • 3x windows server licenses plus CAL for AD users
  • Same SQL license requirements as above, per core or one CAL per public user...
  • Windows CAL for every single user that visits our site (once again how many?! this could get ridiculously expensive), they state once a user is no longer anonymous on your site you need a CAL for them..... really? So my custom authentication that only allows authorization to site data no windows or AD data requires a user CAL from MS for something that MS isn't even doing a thing with on the windows server end?

 

12 answers to this question

  • 0

Note: CALs aren't required for users visiting your website, just user accounts existing on the server / have access to the server.

http://blogs.technet.com/b/volume-licensing/archive/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal.aspx

5 – Do I need a CAL when my Windows Server is used to run a web server?

Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors.  Web workloads, also referred to as an internet web solution, are publically accessible (e.g. accessible outside of the firewall) and consist only of web pages, web sites, web applications, web services, and/or POP3 mail serving.  Access to content, information, and/or applications within the internet web solution must be publically accessible.  In other words, they cannot be restricted to you or your affiliate’s employees.

 

 

 

  • 0
  On 13/01/2016 at 12:52, Kami- said:

Note: CALs aren't required for users visiting your website, just user accounts existing on the server / have access to the server.

http://blogs.technet.com/b/volume-licensing/archive/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal.aspx

5 – Do I need a CAL when my Windows Server is used to run a web server?

Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors.  Web workloads, also referred to as an internet web solution, are publically accessible (e.g. accessible outside of the firewall) and consist only of web pages, web sites, web applications, web services, and/or POP3 mail serving.  Access to content, information, and/or applications within the internet web solution must be publically accessible.  In other words, they cannot be restricted to you or your affiliate’s employees.

 

 

 


ah, but that's not what MS is telling us... MS is telling us that's only if the website is anonymous. Once you have a private part at any point requiring a log on regardless of how it's done (even if you are checking credentials in your own authentication system and storing them in your own system such as a sql db table) at this point a user is considered to be multiplexed to the user running the IIS app pool and therefore requires a CAL per user...

 

  Quote

A Windows CAL is not required if access to the server software is via the Internet and is "unauthenticated"—for example, accessing a Web site for general information where no identifying credentials are exchanged. Once authenticated via Active Directory or custom credential storage a CAL is required.


I'm asking this because we are getting reamed out by MS licensing after our last audit for not having CAL's for half a million users on our public IIS website which users are never using anything MS but IIS, their details are not stored in AD, they are stored in a custom authentication system that stores their details in a SQL Server table (of which we license per core not per user on the SQL Server end)... MS claims this needs a CAL, we've been fighting it and not winning so far....

Edited by neufuse
  • 0
  On 14/01/2016 at 15:49, neufuse said:

ah, but that's not what MS is telling us... MS is telling us that's only if the website is anonymous. Once you have a private part at any point requiring a log on regardless of how it's done (even if you are checking credentials in your own authentication system and storing them in your own system such as a sql db table) at this point a user is considered to be multiplexed to the user running the IIS app pool and therefore requires a CAL per user...


You would need CALs for the backend servers but not the ones running IIS itself. I would guess you would want to use an external connector license as they aren't restricted to a user or device.

  • 0

Microsoft needs to abolish its CAL policy or simplify it. I get that they need to make money but asking users to pay ridiculous sums of money on top of the licenses they pay for Windows Server (god help Windows Server 2016) when demand/requests aren't always the same nor are they even properly measured most of the time.

 

The whole CAL policies make Windows Server that much more unappealing.

  • 0
  On 14/01/2016 at 16:06, Eric said:

You would need CALs for the backend servers but not the ones running IIS itself. I would guess you would want to use an external connector license as they aren't restricted to a user or device.


Why would I need that though? The only backend service the users make use of through multiplexing is SQL Server and that isn't even directly, they can't run queries on it, the website just pulls data from it. Our SQL Server is licensed per core also too so I don't get why you'd need CAL's or an external connector license since it's unlimited users...

 

MS is being very vague with us on purpose it seems like.

 

They seem to be seeing it as since a user is logging into the site they must be a windows user and using AD...

 

Here's an example

 

Web user 1 --->  Log into Website via Forms authentication --> Forms auth talks to SQL Server to read credentials out of a users table ---> SQL Server running as an AD user / IIS App pool running as an AD user (they say because of this multiplex we need CALs, which makes no sense, the user logging in themselves is not impersonating this user in any way, it's just the host process user)

 

this is our third audit in 6yrs and the first two times they had NO problem with this at all, and said it was fine... suddenly we have a major issue with it.....

 

  • 0
  On 14/01/2016 at 16:31, neufuse said:

Why would I need that though? The only backend service the users make use of through multiplexing is SQL Server and that isn't even directly, they can't run queries on it, the website just pulls data from it. Our SQL Server is licensed per core also too so I don't get why you'd need CAL's or an external connector license since it's unlimited users...

 

MS is being very vague with us on purpose it seems like.

 

They seem to be seeing it as since a user is logging into the site they must be a windows user and using AD...

 

Here's an example

 

Web user 1 --->  Log into Website via Forms authentication --> Forms auth talks to SQL Server to read credentials out of a users table ---> SQL Server running as an AD user / IIS App pool running as an AD user (they say because of this multiplex we need CALs, which makes no sense, the user logging in themselves is not impersonating this user in any way, it's just the host process user)

 

this is our third audit in 6yrs and the first two times they had NO problem with this at all, and said it was fine... suddenly we have a major issue with it.....

 


Can you request another auditor? What they are saying doesn't sound right. 

  • 0

Looks like a SAM audit?  Ask for another person.  Most of these people do NOT understand licensing, and usually pass along whatever info they seem to understand to a licensing team.   You are correct when stating that you do not need a CAL for users accessing your website from the internet, as long as they do not "log-in" to the box itself, then the CAL user license is not required.

 

SQL however, is where I get a little lost with licensing... My understanding is that as long as you have the "unlimited CAL" for connections between SQL servers, then you are all set (I believe someone mentioned the correct SQL licensing above).

 

I am about to start another SAM audit for a client, and I am already having issues with the auditor.

  • 0
  On 14/01/2016 at 17:15, Zinomian said:

Looks like a SAM audit?  Ask for another person.  Most of these people do NOT understand licensing, and usually pass along whatever info they seem to understand to a licensing team.   You are correct when stating that you do not need a CAL for users accessing your website from the internet, as long as they do not "log-in" to the box itself, then the CAL user license is not required.

 

SQL however, is where I get a little lost with licensing... My understanding is that as long as you have the "unlimited CAL" for connections between SQL servers, then you are all set (I believe someone mentioned the correct SQL licensing above).

 

I am about to start another SAM audit for a client, and I am already having issues with the auditor.


yeah, and with the per core / per processor you do get unlimited users, so we are safe there, this auditor already sent us a what we think you owe us sheet and the amount due on it is insane.... the worst we've ever done on an audit was when we implemented System center and our licensing advisor never told us there are special licenses for servers and sold us normal workstation licenses for the servers..... ugh... even the licensing people don't have a clue when they talk to you in presales and vendors then sell you what was quoted as required! we had to negotiate that price down due to being their error... they still wanted payment though.... we in the end told them our payment to them was not using System Center anymore after that SNAFU by licensing and our vendors we ditched it...

 

they also told us that 20 of our OEM licensed Windows OS's were illegal and we had to produce detailed information on them..... HP sold us pirated OEM licenses preinstalled on the systems? I don't think so.....

 

and yeah it's a SAM assessment / audit

  • 0
  On 14/01/2016 at 18:53, neufuse said:

they also told us that 20 of our OEM licensed Windows OS's were illegal and we had to produce detailed information on them..... HP sold us pirated OEM licenses preinstalled on the systems? I don't think so.....


They did that to me on a few IBM/Lenovo desktops.   Not only did I have to produce an invoice and payment receipt, I also had to take a picture of the license sticker (which is for Windows 8, and there is no license).

 

I was ###### with them, because I argued they could look their own records and figure out if the OS on the machine was picking up the proper BIOS/UEFI license instead of some "illegal" copy.

 

In any case, next audit I will lawyer up and ask that they perform the LLC audit at their own cost.

  • 0

If a user has to logon to a server or service using AD you need a cal associated with that user.  If they are anonymous then they do not.  This is the way I have always approached it.  They also have recently restructured SQL licensing, where each user accessing SQL (not just a named user) must have a CAL associated with it if using SQL Standard or Enterprise.  

 

If you have a user and they logon to your system, they need a cal associated with it....that is pretty much it in a nutshell.   You could probably get away with sql express if you didn't want to deal with SQL cals or go with postgres sql or another open source sql server if you don't want the sql licensing headache. 

  • 0
  On 14/01/2016 at 22:56, sc302 said:

If a user has to logon to a server or service using AD you need a cal associated with that user.  If they are anonymous then they do not.  This is the way I have always approached it.  They also have recently restructured SQL licensing, where each user accessing SQL (not just a named user) must have a CAL associated with it if using SQL Standard or Enterprise.  

 

If you have a user and they logon to your system, they need a cal associated with it....that is pretty much it in a nutshell.   You could probably get away with sql express if you didn't want to deal with SQL cals or go with postgres sql or another open source sql server if you don't want the sql licensing headache. 


That's where I've been getting conflicting answers... some Licensing reps say logging in means into any Microsoft service directly to perform actions on that service (like RDP, AD for credentials, file services) and that as long as I don't have our auth system impersonating a local ad user to use a service it doesn't need a CAL... aka I can't give out credentials that impersonate a user that accesses a file system...

 

but then other ones say nope once you have ANY login prompt no matter what it does you need a windows user CAL which never made any sense because the user is not a windows service user only a web task user.

 

Enterprise SQL doesn't have CAL's anymore, they are per core only, BI edition is per CAL and standard is CAL or Core... so from everything we've read up to the new 2016 licensing that isn't complete yet as long as we are per core we have unlimited users included. Switching database systems right now isn't an option, we are a multinode cluster with it and depend on enterprise features like TDE and have so many requirements we are legally bound to that only Oracle and MSSQL seem to fit at this time both expensive systems when you go multi node active/active and have passive servers waiting... so much money ha

This topic is now closed to further replies.