In-Depth knowlenge about how IIS manages CAL Licences

TheMSsForum.com: The Microsoft Software Forum

Hi everybody, here is my problem:

I have one Intranet site which is totally programmed in ASP. I used to
use the NT_AUTHENTICATION on the only site this Intranet hosts. After
the launch of an internal communication in our enterprise, everybody
clicked a linked and it bring the server down under the message "Users
exceeded the number of CAL" (which is 20 in our case).

I reprogrammed the whole site so it uses NT_AUTH only when the user
first visit the site to tie a session object with the user's account on
the domain... The following schema will help to understand.

First Visit? (launch of the SESSION_ONSTART event in asp/global.asa)
(ANONYMOUS)
-> redirection to the folder /NT_AUTH/ (NT AUTHENTICATION)
-> the page populates the Session("lan_id") field with the client
account name on our domain
-> it then redirect to the original page requested (ANONYMOUS)

In Perfmon, the object WEB SERVICE gives us information about the
number of CAL for AUTHENTICATED users per web site.

First of all, I can't have a detail of CAL usage per website, it all
gives 0. I have only the total (which still very high considering that
the CAL should be used only one or two seconds in the first initial
launch of a page).

Also, the number of Current NonAnonymous Users is always 0, the number
of Current Anonymous users can be 2-3 and 14 CAL can be used at the
same time...

How can we explain this?

Thanks all for your lights!
Top

Re: In-Depth knowlenge about how IIS manages CAL Licences by David

David
Mon Nov 27 20:31:06 CST 2006

Actually, IIS does not deal with, know about, nor manage CAL. Those
calculations are all done at the TCP-level within the Windows
networking stack for any network connection, and it is not
IIS-specific.

Now, I am not authoritative on licensing - check with your MS Account
rep. But, I think your issues are supposed to exist because you're not
licensed for what you are doing and the networking stack detects it.

Your reprogramming doesn't work because of two reasons:
1. that's not how authentication works
2. if it does work, then the Windows CAL validation is completely
useless -- it would allow unlimited number of users to connect by
purchasing only one CAL.

Integrated Authentication is connection-based authentication protocol.
So, the user ends up using an authenticated connection (and counted by
the Windows network stack) when you do the redirect on first visit.
When you redirect back to anonymous authentication for the remainder of
the web app, that authenticated connection stays open and hence counted
by the Windows network stack.

I think the correct solution is for you to acquire the necessary CAL to
do what you need. Either purchase a per-server CAL that allows
unlimited users per-server, or purchase more user CAL for simultaneous
usage by users. This is precisely when you are legally supposed to use
and purchase CALs, so you should do so, instead of trying to skirt
around things...


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


matdumsa@gmail.com wrote:
> Hi everybody, here is my problem:
>
> I have one Intranet site which is totally programmed in ASP. I used to
> use the NT_AUTHENTICATION on the only site this Intranet hosts. After
> the launch of an internal communication in our enterprise, everybody
> clicked a linked and it bring the server down under the message "Users
> exceeded the number of CAL" (which is 20 in our case).
>
> I reprogrammed the whole site so it uses NT_AUTH only when the user
> first visit the site to tie a session object with the user's account on
> the domain... The following schema will help to understand.
>
> First Visit? (launch of the SESSION_ONSTART event in asp/global.asa)
> (ANONYMOUS)
> -> redirection to the folder /NT_AUTH/ (NT AUTHENTICATION)
> -> the page populates the Session("lan_id") field with the client
> account name on our domain
> -> it then redirect to the original page requested (ANONYMOUS)
>
> In Perfmon, the object WEB SERVICE gives us information about the
> number of CAL for AUTHENTICATED users per web site.
>
> First of all, I can't have a detail of CAL usage per website, it all
> gives 0. I have only the total (which still very high considering that
> the CAL should be used only one or two seconds in the first initial
> launch of a page).
>
> Also, the number of Current NonAnonymous Users is always 0, the number
> of Current Anonymous users can be 2-3 and 14 CAL can be used at the
> same time...
>
> How can we explain this?
>
> Thanks all for your lights!

Top