
Microsoft IIS Licensing confusion


Question

Anyone out there know IIS licensing or Microsoft Licensing? (yes, I know that's a loaded question.....)

 

I was reading MS licensing and got VERY confused. We thought we had it all figured out long ago, but it's been amended and changed so many times that now we are lost..

 

Here is what we need to figure out:

 

Say I have this set up:

 

  • 3x Windows Server 2012 R2 Standard servers
  • One server is set up as a web application server running IIS, hosting a website to the public
  • One server is set up as a backend database server running SQL Server 2012 Standard
  • One server is the DC running Active Directory

 

Two scenarios; what licensing is required?

  1. Public site is purely anonymous and has no user login, but still pulls backend data from the SQL server to render pages. How many CALs do you need?
  2. Public site has an anonymous front end, but also a custom Forms authentication system that reads a user database from SQL Server to authenticate and authorize, then returns control to the ASP.NET application running on the app server. One AD user is used to run the website application pool and to authenticate with SQL Server via Windows authentication. These credentials do not allow a user to perform queries directly on the SQL server (a user cannot execute a stored procedure, run DML or any other SQL statement directly; procedures are only called from the ASP.NET website's data access layer).

 

Going by the MS docs, it seems that for number one I need the following:

  • 3x Windows Server licenses plus CALs for AD users
  • SQL Server per-core license, or a SQL Server CAL for any user that may come to my site (who knows how many, it's a freaking public site?)

 

and for number 2:

  • 3x Windows Server licenses plus CALs for AD users
  • Same SQL license requirements as above, per core or one CAL per public user...
  • Windows CAL for every single user that visits our site (once again, how many?! this could get ridiculously expensive). They state that once a user is no longer anonymous on your site you need a CAL for them..... really? So my custom authentication, which only authorizes access to site data and no Windows or AD data, requires a user CAL from MS for something that MS isn't even doing a thing with on the Windows server end?

 

https://www.neowin.net/forum/topic/1285366-microsoft-iis-licensing-confusion/

Reply from Kami-:

Note: CALs aren't required for users visiting your website, just for user accounts that exist on the server / have access to the server.

http://blogs.technet.com/b/volume-licensing/archive/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal.aspx

5 – Do I need a CAL when my Windows Server is used to run a web server?

Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors.  Web workloads, also referred to as an internet web solution, are publicly accessible (e.g. accessible outside of the firewall) and consist only of web pages, web sites, web applications, web services, and/or POP3 mail serving.  Access to content, information, and/or applications within the internet web solution must be publicly accessible.  In other words, they cannot be restricted to you or your affiliate's employees.

 

 

 

Reply from neufuse:
  On 13/01/2016 at 12:52, Kami- said:

Note: CALs aren't required for users visiting your website, just for user accounts that exist on the server / have access to the server.

http://blogs.technet.com/b/volume-licensing/archive/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal.aspx

5 – Do I need a CAL when my Windows Server is used to run a web server?

Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors.  Web workloads, also referred to as an internet web solution, are publicly accessible (e.g. accessible outside of the firewall) and consist only of web pages, web sites, web applications, web services, and/or POP3 mail serving.  Access to content, information, and/or applications within the internet web solution must be publicly accessible.  In other words, they cannot be restricted to you or your affiliate's employees.

 

 

 


Ah, but that's not what MS is telling us... MS is telling us that's only if the website is anonymous. Once you have a private part at any point requiring a log-on, regardless of how it's done (even if you are checking credentials in your own authentication system and storing them in your own system such as a SQL DB table), at this point a user is considered to be multiplexed to the user running the IIS app pool and therefore requires a CAL per user...

 

  Quote

A Windows CAL is not required if access to the server software is via the Internet and is "unauthenticated"—for example, accessing a Web site for general information where no identifying credentials are exchanged. Once authenticated via Active Directory or custom credential storage a CAL is required.


I'm asking this because we are getting reamed out by MS licensing after our last audit for not having CALs for half a million users on our public IIS website, users who never use anything MS but IIS; their details are not stored in AD, they are stored in a custom authentication system that keeps their details in a SQL Server table (which we license per core, not per user, on the SQL Server end)... MS claims this needs a CAL; we've been fighting it and not winning so far....

Edited by neufuse
Reply from Eric:
  On 14/01/2016 at 15:49, neufuse said:

Ah, but that's not what MS is telling us... MS is telling us that's only if the website is anonymous. Once you have a private part at any point requiring a log-on, regardless of how it's done (even if you are checking credentials in your own authentication system and storing them in your own system such as a SQL DB table), at this point a user is considered to be multiplexed to the user running the IIS app pool and therefore requires a CAL per user...


You would need CALs for the backend servers but not for the ones running IIS itself. I would guess you would want to use an External Connector license, as they aren't restricted to a user or device.

Reply:

Microsoft needs to abolish its CAL policy or simplify it. I get that they need to make money, but they ask users to pay ridiculous sums of money on top of the licenses they pay for Windows Server (god help Windows Server 2016), when demand/requests aren't always the same, nor are they even properly measured most of the time.

 

The whole CAL policies make Windows Server that much more unappealing.

Reply from neufuse:
  On 14/01/2016 at 16:06, Eric said:

You would need CALs for the backend servers but not for the ones running IIS itself. I would guess you would want to use an External Connector license, as they aren't restricted to a user or device.


Why would I need that, though? The only backend service the users make use of through multiplexing is SQL Server, and that isn't even direct; they can't run queries on it, the website just pulls data from it. Our SQL Server is licensed per core too, so I don't get why you'd need CALs or an External Connector license since it's unlimited users...

 

MS is being very vague with us on purpose it seems like.

 

They seem to see it as: since a user is logging into the site, they must be a Windows user and using AD...

 

Here's an example

 

Web user 1 ---> logs into website via Forms authentication --> Forms auth talks to SQL Server to read credentials out of a users table ---> SQL Server running as an AD user / IIS app pool running as an AD user (they say because of this multiplexing we need CALs, which makes no sense; the user logging in is not impersonating this user in any way, it's just the host process user)

 

This is our third audit in 6 years, and the first two times they had NO problem with this at all and said it was fine... suddenly we have a major issue with it.....
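The following T-SQL is an added example and is not code from the thread or from any poster; it shows how the SQL Server side of the "scenario 2" setup described above (a domain account running the IIS application pool, Windows authentication to SQL Server, web users unable to run queries directly) is enforced with least privilege. The domain CONTOSO, the account CONTOSO\svc_webapp, the database WebApp, the schema app, the table app.WebUsers and the procedure app.GetCredential are assumptions made for the example; on the IIS side the application pool's Identity would be set to that account and the connection string would use Integrated Security=SSPI. The EXECUTE AS block at the end checks the boundary the poster relies on: the procedure call succeeds and a direct SELECT on the credential table is refused.

```sql
-- Added example, not code from the original thread or from any poster.
-- SQL Server side of "scenario 2": the IIS application pool runs as a domain
-- account that connects with Windows authentication and may only EXECUTE
-- stored procedures. Domain (CONTOSO), account (svc_webapp), database (WebApp),
-- schema (app) and all object names are assumptions for illustration.
USE master;
GO
-- One login for the app pool identity. Web users never get a SQL login; they
-- only ever talk to IIS, which is the "multiplexing" the thread argues about.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_webapp')
    CREATE LOGIN [CONTOSO\svc_webapp] FROM WINDOWS;
GO
USE WebApp;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_webapp')
    CREATE USER [CONTOSO\svc_webapp] FOR LOGIN [CONTOSO\svc_webapp];
GO
IF SCHEMA_ID(N'app') IS NULL
    EXEC (N'CREATE SCHEMA app AUTHORIZATION dbo');
GO
-- Credential table for the custom Forms authentication: salted hash only,
-- never the clear-text password.
IF OBJECT_ID(N'app.WebUsers', N'U') IS NULL
    CREATE TABLE app.WebUsers (
        UserId       int IDENTITY(1,1) PRIMARY KEY,
        UserName     nvarchar(256) NOT NULL UNIQUE,
        Salt         varbinary(16) NOT NULL,
        PasswordHash varbinary(32) NOT NULL
    );
GO
-- Constructed sample row. A single SHA-256 keeps the example short; a real
-- deployment would use a slow KDF (PBKDF2, bcrypt) in the application tier.
IF NOT EXISTS (SELECT 1 FROM app.WebUsers WHERE UserName = N'alice')
BEGIN
    DECLARE @salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    INSERT INTO app.WebUsers (UserName, Salt, PasswordHash)
    VALUES (N'alice', @salt,
            HASHBYTES('SHA2_256', @salt + CAST(N'correct horse' AS varbinary(200))));
END
GO
-- The only path to the credential table: a parameterised stored procedure
-- that hands salt and hash back to the web tier, which does the comparison.
IF OBJECT_ID(N'app.GetCredential', N'P') IS NOT NULL
    DROP PROCEDURE app.GetCredential;
GO
CREATE PROCEDURE app.GetCredential
    @UserName nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Salt, PasswordHash
    FROM app.WebUsers
    WHERE UserName = @UserName;
END
GO
-- Least privilege: EXECUTE on the schema, explicit DENY on the tables. The
-- procedure still works because dbo owns both it and the table (ownership
-- chaining), but nothing the web tier sends can read or change tables directly.
GRANT EXECUTE ON SCHEMA::app TO [CONTOSO\svc_webapp];
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::app TO [CONTOSO\svc_webapp];
GO
-- Check the boundary from the app pool account's point of view.
EXECUTE AS USER = N'CONTOSO\svc_webapp';
    EXEC app.GetCredential @UserName = N'alice';          -- succeeds: one row (Salt, PasswordHash)
    BEGIN TRY
        SELECT UserName, PasswordHash FROM app.WebUsers;  -- refused
    END TRY
    BEGIN CATCH
        PRINT ERROR_NUMBER();   -- 229: "The SELECT permission was denied on the object 'WebUsers' ..."
    END CATCH
REVERT;
GO
```

The DENY is deliberate even though the GRANT alone would already withhold table access: it documents the boundary and survives a later careless GRANT on the schema or a db_datareader role membership. Ownership chaining is what lets the procedure read the table on the account's behalf, so keep the procedure and the table owned by the same principal (dbo here); if the table were moved to a schema with a different owner, the chain would break and the SELECT inside the procedure would be denied too.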

 

Reply:
  On 14/01/2016 at 16:31, neufuse said:

Why would I need that, though? The only backend service the users make use of through multiplexing is SQL Server, and that isn't even direct; they can't run queries on it, the website just pulls data from it. Our SQL Server is licensed per core too, so I don't get why you'd need CALs or an External Connector license since it's unlimited users...

 

MS is being very vague with us on purpose it seems like.

 

They seem to see it as: since a user is logging into the site, they must be a Windows user and using AD...

 

Here's an example

 

Web user 1 ---> logs into website via Forms authentication --> Forms auth talks to SQL Server to read credentials out of a users table ---> SQL Server running as an AD user / IIS app pool running as an AD user (they say because of this multiplexing we need CALs, which makes no sense; the user logging in is not impersonating this user in any way, it's just the host process user)

 

This is our third audit in 6 years, and the first two times they had NO problem with this at all and said it was fine... suddenly we have a major issue with it.....

 


Can you request another auditor? What they are saying doesn't sound right. 

Reply from Zinomian:

Looks like a SAM audit? Ask for another person. Most of these people do NOT understand licensing, and usually pass along whatever info they seem to understand to a licensing team. You are correct when stating that you do not need a CAL for users accessing your website from the internet; as long as they do not "log in" to the box itself, the CAL user license is not required.

 

SQL, however, is where I get a little lost with licensing... My understanding is that as long as you have the "unlimited CAL" for connections between SQL servers, then you are all set (I believe someone mentioned the correct SQL licensing above).

 

I am about to start another SAM audit for a client, and I am already having issues with the auditor.

Reply from neufuse:
  On 14/01/2016 at 17:15, Zinomian said:

Looks like a SAM audit? Ask for another person. Most of these people do NOT understand licensing, and usually pass along whatever info they seem to understand to a licensing team. You are correct when stating that you do not need a CAL for users accessing your website from the internet; as long as they do not "log in" to the box itself, the CAL user license is not required.

 

SQL, however, is where I get a little lost with licensing... My understanding is that as long as you have the "unlimited CAL" for connections between SQL servers, then you are all set (I believe someone mentioned the correct SQL licensing above).

 

I am about to start another SAM audit for a client, and I am already having issues with the auditor.


Yeah, and with the per-core / per-processor licensing you do get unlimited users, so we are safe there. This auditor already sent us a "what we think you owe us" sheet, and the amount due on it is insane.... The worst we've ever done on an audit was when we implemented System Center and our licensing advisor never told us there are special licenses for servers and sold us normal workstation licenses for the servers..... ugh... even the licensing people don't have a clue when they talk to you in presales, and vendors then sell you what was quoted as required! We had to negotiate that price down due to it being their error... they still wanted payment though.... In the end we told them our payment to them was not using System Center anymore; after that SNAFU by licensing and our vendors we ditched it...

 

They also told us that 20 of our OEM-licensed Windows OSes were illegal and we had to produce detailed information on them..... HP sold us pirated OEM licenses preinstalled on the systems? I don't think so.....

 

And yeah, it's a SAM assessment / audit.

Reply:
  On 14/01/2016 at 18:53, neufuse said:

They also told us that 20 of our OEM-licensed Windows OSes were illegal and we had to produce detailed information on them..... HP sold us pirated OEM licenses preinstalled on the systems? I don't think so.....


They did that to me on a few IBM/Lenovo desktops.   Not only did I have to produce an invoice and payment receipt, I also had to take a picture of the license sticker (which is for Windows 8, and there is no license).

 

I was ###### with them, because I argued they could look at their own records and figure out whether the OS on the machine was picking up the proper BIOS/UEFI license instead of some "illegal" copy.

 

In any case, next audit I will lawyer up and ask that they perform the LLC audit at their own cost.

Reply from sc302:

If a user has to log on to a server or service using AD, you need a CAL associated with that user.  If they are anonymous then they do not.  This is the way I have always approached it.  They also have recently restructured SQL licensing, where each user accessing SQL (not just a named user) must have a CAL associated with it if using SQL Standard or Enterprise.

 

If you have a user and they log on to your system, they need a CAL associated with it....that is pretty much it in a nutshell.   You could probably get away with SQL Express if you didn't want to deal with SQL CALs, or go with PostgreSQL or another open source SQL server if you don't want the SQL licensing headache.

Reply:
  On 14/01/2016 at 22:56, sc302 said:

If a user has to log on to a server or service using AD, you need a CAL associated with that user.  If they are anonymous then they do not.  This is the way I have always approached it.  They also have recently restructured SQL licensing, where each user accessing SQL (not just a named user) must have a CAL associated with it if using SQL Standard or Enterprise.

 

If you have a user and they log on to your system, they need a CAL associated with it....that is pretty much it in a nutshell.   You could probably get away with SQL Express if you didn't want to deal with SQL CALs, or go with PostgreSQL or another open source SQL server if you don't want the SQL licensing headache.


That's where I've been getting conflicting answers... some licensing reps say logging in means into any Microsoft service directly to perform actions on that service (like RDP, AD for credentials, file services), and that as long as I don't have our auth system impersonating a local AD user to use a service it doesn't need a CAL... aka I can't give out credentials that impersonate a user that accesses a file system...

 

But then others say nope, once you have ANY login prompt, no matter what it does, you need a Windows user CAL, which never made any sense because the user is not a Windows service user, only a web task user.

 

Enterprise SQL doesn't have CALs anymore, it's per core only; BI edition is per CAL and Standard is CAL or core... so from everything we've read, up to the new 2016 licensing that isn't complete yet, as long as we are per core we have unlimited users included. Switching database systems right now isn't an option; we are a multi-node cluster with it and depend on Enterprise features like TDE, and have so many requirements we are legally bound to that only Oracle and MSSQL seem to fit at this time, both expensive systems when you go multi-node active/active and have passive servers waiting... so much money ha
