Microsoft Licensing - Citrix MetaFrame XP

It's necessary to license the underlying Microsoft operating system components in a MetaFrame XP environments.

It's necessary to license the underlying Microsoft operating system components in a MetaFrame XP environments. Before we study the technical details of Microsoft's licensing and how it works, let's review their policy and which licenses are required in different scenarios.

Microsoft Licensing Requirements

The Microsoft licenses required for your MetaFrame XP environment are conceptually identical whether your servers are running on Terminal Server 4.0 or Windows 2000 platforms. Because of this, we can look at the two platforms together. Also, it is important to keep in mind that all Microsoft licenses are automatically backwards compatible, so when a Windows NT 4.0 Workstation license is required, a Windows 2000 Professional license will be sufficient.

Microsoft licenses can be divided into three groups:

  • Licenses required for each server.
  • Licenses required for each unique client device.
  • Internet Connector licenses.

The actual Microsoft licenses required for your environment will be a combination of server and client licenses.

Licenses Required for Each Terminal Server

Microsoft requires one license for each server in a terminal services environment. That license is known as a "Server License."

License 1. Windows Server License

Each server that runs Terminal Services requires its own server license. This is the license that allows you to run the actual server itself. Windows 2000 servers require a Windows 2000 Server license. Windows NT 4.0 Terminal Server Edition servers require a Windows NT 4.0 Terminal Server Edition server license.

Licenses Required for Each Client Device

All Microsoft client device licensing is done "per seat." Microsoft defines one "seat" as a unique hardware device used to access a server. This means that if you have two computers and you access the same server from each of them, you have two different seats and need a separate "per seat" license for each device. This applies even if you never use both devices at the same time. In Terminal Services or Citrix MetaFrame environments, each seat requires both of the following licenses:

  • Server Client Access License.
  • Terminal Server Client Access License.

License 1. Windows Server Client Access License (Server CAL)

The server client access license (CAL) is the license that allows a client device to access a Microsoft Windows server over the network. As with other Microsoft licenses, accessing Windows 2000 servers requires a Windows 2000 Server or Core CAL, and accessing Windows NT 4.0 Servers requires a Windows NT 4.0 or a BackOffice 4.5 CAL.

License 2. Terminal Services Client Access License (TS CAL)

In addition to the server CAL, each client device that connects via a remote Windows session to a Windows Terminal Services-enabled server needs to have a Terminal Services Client Access License (TS CAL). This license is more expensive then the regular server CAL. Microsoft created this TS CAL because they felt that if you were experiencing the full Windows environment (as through a Terminal Services or MetaFrame ICA session) then you should be paying for the full Windows environment.

Since Windows NT, 2000, and XP Professional already give you the right to run the Windows professional desktop environment, client devices running these operating systems have the ability to obtain a "free" TS CAL. You only need to purchase a TS CAL for every client device that runs an operating system that is a lower or older version than the operating system of your Terminal Server.

For example, if your client device is running Windows 2000 Professional, Server, or Advanced Server, then you do not need to purchase a TS CAL to connect to a Windows 2000 Terminal Server because your Windows 2000 client device has the right to obtain a free Windows 2000 TS CAL. Also, since these licenses are backwards compatible, the Windows 2000 TS CAL would also apply if you were using a Windows XP Professional client to connect to a Windows 2000 Terminal Server.

If your client device is running Windows NT 4.0 Workstation, you would not need to purchase a Windows NT 4.0 TS CAL to connect to Windows NT 4.0 Terminal Servers, but you would need a Windows NT 4.0 to Windows 2000 TS CAL upgrade to connect to Windows 2000 Terminal Servers. This is because each TS CAL is version-specific. The free TS CAL that is included with Windows NT 4.0 is a version 4.0 of the TS CAL, and it is only valid for connecting to other NT 4.0 Terminal Servers.

Essentially, if you have the license to run the operating system locally on your client device then you also automatically have the right to run that same operating system via remote sessions due to the free TS CAL.

In the event that you do not have a full Windows NT or 2000 license for your client device (such as if your client device is running Windows CE, 95, 98, ME, UNIX, Macintosh, etc.), you need to purchase the appropriate TS CAL for that client device in order to access MetaFrame XP servers.

For Windows 2000 servers, client devices only need TS CALs if Terminal Services is configured to operate in application mode. For administration mode, only two concurrent connections are allowed; you do not need TS CALs for those clients, regardless of the client device platform.

(Optional) Work-at-Home TS CAL

By Microsoft's definition, you need a separate TS CAL for each client device. If you access MetaFrame XP sessions from a computer on your desk at the office and from a computer at home, you need to have two separate TS CAL licenses (one for each device). Some of the Microsoft licensing agreements provide work at home licenses, which are basically additional, cheap TS CALs for these scenarios. The terms for use of these work at home TS CALs change regularly, but it is worth checking into whether your agreement has a provision for these before you spend a lot of money to provide home access to business applications.

Internet Connector Licenses

There is one additional type of Microsoft license that is required in some situations where Terminal Servers provide applications via the Internet. This license is known as a "Terminal Services Internet Connector License." We'll this license later in this chapter.

How Microsoft Licenses Work

Windows NT 4.0 Terminal Server Edition uses the "honor system" for tracking licenses. This system works in the same way that licensing has worked for the past twenty years. While you are legally supposed to purchase the correct licenses, there is nothing technically stopping you from connecting more users than you paid for. While the honor system has traditionally worked well for system administrators and thieves, it has not worked well for Microsoft shareholders.

In Terminal Services for Windows 2000, Microsoft introduced the "Terminal Services Licensing Service"-a service that runs on one or more servers on your network. This TS licensing service is responsible for monitoring, distributing, and enforcing TS CAL usage. Microsoft implemented this licensing architecture as a "service to their customers" who were "deeply concerned that they might accidentally forget to pay for a license or two, every once in awhile." In MetaFrame XP environments running on Windows 2000 platforms, there will be no "accidentally forgetting" to buy all the needed licenses with this new licensing service structure.

If you decide that you would rather not build this TS licensing infrastructure and that you want to continue using the honor system, you will change your mind 91 days after you start using Windows 2000 Terminal Services. At that point everything will stop working until you install and activate a TS licensing server.

Windows 2000 License Components

There are four main technical components that make up the Terminal Services licensing service infrastructure in Windows 2000:

  • Client devices.
  • Windows 2000 Terminal Servers.
  • Terminal Services licensing servers.
  • Microsoft license clearinghouse.


Figure 14.1: Microsoft licensing components

Let's take a look at the licensing-related roles of each of the four components.

Client Devices

Each client device that connects to a Windows 2000 server via Terminal Services must have a valid Terminal Services Client Access License (TS CAL). The TS CAL is stored locally on the client device in the form of a secure token, similar to a digital certificate.

All client devices must obtain their TS CALs from a TS Licensing Server.

Windows 2000 Terminal Server

Windows 2000 Terminal Services plays a large role in the licensing process. A Windows 2000 Terminal Server operating in Application Mode will check to make sure that every client device that connects to it to run a session has a valid TS CAL. If not, the Terminal Server will contact a Terminal Services Licensing Server to assign a TS CAL to the client device.

Terminal Services License Server

A Terminal Services License Server is a Windows 2000 server that is running the Terminal Services Licensing (TSL) service. The TS licensing service can be installed on any Windows 2000 server. It does not need to be installed on a Windows 2000 server that has Terminal Services enabled. Many companies choose a standard file server or domain controller to be their TS Licensing server.

TS license servers maintain the inventory of TS CALs. These license servers then distribute these licenses to client devices the first time they log on to a Terminal Server. If you purchase additional TS CALs for your growing environment, you add them to the license database on the TS Licensing server. That way, the licenses are ready to be distributed to end-user client devices.

Every Windows 2000 TS Licensing Server has a built-in unlimited supply of TS CALs that can only be granted to Windows 2000 or Windows XP Professional client devices. For any other client platform, including Mac, UNIX, Linux, Windows 9x, and Windows XP Home Edition, a TS CAL needs to be purchased for each device.

Microsoft License Clearinghouse and Certificate Authority

The Microsoft License Clearinghouse is a big server in the sky maintained by Microsoft. This clearinghouse is used to activate TS License Servers and TS CALs. TS license servers and the licenses they maintain must be activated via this clearinghouse so that Microsoft can make sure that no licenses are stolen or pirated. Before a TS license server is activated, it will still function; however, the TS CAL digital certificates that it distributes will be temporary, expiring after 90 days. These temporary CALs cannot be renewed until the license server has been activated by the clearinghouse. This clearinghouse is accessed using the Terminal Services Licensing Wizard utility via the Internet, a web page, fax, or telephone.

The Windows 2000 Licensing Process

Now that we've looked at the components that make up the Windows 2000 Terminal Services licensing environment, let's take a look at how the entire licensing process works. Figure 14.2 diagrams the high-level process described in the following steps. This example starts from the beginning, when you first purchase the licenses.

Figure 14.2: Microsoft licensing process

  1. Terminal Server CALs are purchased and installed into the license database on the TS Licensing Server. The TS CALs are then activated via the Microsoft License clearinghouse. The activated licenses remain on the license server, waiting for assignment to client devices.
  2. A new Windows 95 client successfully authenticates and establishes an ICA session with the Terminal Server running MetaFrame XP.
  3. The Terminal Server contacts the licensing server to obtain a TS CAL for the client device.
  4. If the licensing server has enough licenses, it grants one to the client. The license server's available license count is decremented by one, and the TS CAL is sent down to the client device itself. The TS CAL is physically maintained on the client device in the form of a digital certificate.
  5. For future sessions, the Windows 95 client device will already have the TS CAL certificate which it will present to the Terminal Server when the session is started. When that happens, the Terminal Server does not contact the license server.

The Windows 2000 Terminal Services Licensing Service

The TS Licensing Service forms the core of Microsoft's Windows 2000 TS license tracking and enforcement program. This service is responsible for managing the distribution of the digital certificates representing TS CALs and TS Internet Connector Licenses. Interestingly, this service is not responsible for determining whether or not a particular computer needs a license; that determination is made by the Terminal Server itself. The TS Licensing Service is invoked only after a Terminal Server requests a license.

TS Licensing Service Server Location

The Terminal Services licensing service is 100% separate from the actual Terminal Services components that allow users to run remote sessions. The TS licensing service must be installed on a Windows 2000 server, but that server does not need to be running Terminal Services. The type of Windows 2000 server that the TS licensing service is installed on depends upon the domain configuration, as shown in Figure 14.3 (facing page).

Domain: TS Licensing Server Location

  • Active Directory: W2K domain controller for automatic discovery, Any W2K server for manual discovery
  • NT 4 Domain w/ Windows 2000 servers: W2K member server
  • Workgroup (non-domain) environment: Any W2K server

Figure 14.3: Valid license server locations

Regardless of the location of the TS licensing server, there is no need to build a dedicated server. The TS licensing service can run on any server without adversely affecting performance, and does not need to be installed on a server that has access to the Internet. The only time that Internet access is needed is for the activation of the server or the licenses, although that Internet access is required by the computer that you are activating the licenses from, not the TS license server itself. The TS licensing service does not need to access the Internet every time it assigns a TS CAL to a client device.

TS Licensing Service Impact to Existing Servers

The TS licensing service does not require many resources from the server on which it is installed. It uses no CPU time except for when a license is requested or a Terminal Server pings it. Memory utilization is always under 10 MB, even for large organizations. The license database, which is stored on the server running the TS licensing service, requires less than 1k of hard drive space per client license. All this means that the TS licensing service can be installed on a busy domain controller or Terminal Server without adversely affecting the performance of that server.

TS Licensing Scope for Active Directory Environments

In Windows 2000 Active Directory environments, the TS licensing service will register itself with a domain controller. This will provide a method for Terminal Servers to use the directory to find license servers. When you perform the actual license service installation in such an environment, you must decide in what "scope" you want the licensing server to operate. There are two options.

  • Domain scope.
  • Enterprise scope.

Domain Scope

In domain scope, TS licensing servers only respond to license requests from the Terminal Servers that are in the same Active Directory domain. If an Active Directory domain crosses multiple Active Directory sites, then the TS licensing server will respond to requests from multiple sites.

This is useful if there are multiple business units on the same network that are partitioned into different domains. With a domain scope, you can prevent your license server from providing licenses to other domains. This is also the mode that you should use if your license servers are member servers in a Windows NT 4.0 domain.

When the TS licensing service is installed on a Windows 2000 server that is a member server in a Windows 2000 domain, the license server will register itself with a domain controller, allowing for Terminal Services to find licensing services via that domain controller.

Enterprise Scope

Enterprise scope TS licensing servers respond to license requests from Terminal Servers that are in the same Active Directory site as they are. If that Active Directory site is comprised of several domains, then the license servers will provide licenses to clients from several domains.

Upon service start, an enterprise scope TS licensing server will register itself with the Active Directory via a domain controller for its domain. This will allow Terminal Servers from any domain to be able to locate it. The TS licensing server will create an Active Directory object called "TS-Licensing." The FQDN of this object is CN=TS-Enterprise-License-Server,CN=YourSite, CN=Configuration,DC=YourDomain, where YourSite is the Active Directory site and YourDomain is the Active Directory domain.

Terminal Server Discovery of TS Licensing Servers

Merely installing TS license servers in your network does not necessarily mean that they will work properly. You also need to ensure that there is a way for the Terminal Servers to find the TS license servers when they need a license for a client.

License server "discovery" is the process by which Windows 2000 Terminal Servers locate and connect to TS licensing servers. As soon as Terminal Services is enabled in Application Mode on a Windows 2000 server, the server will immediately begin the discovery process. License server discovery can happen in one of three ways, depending on which of the following environments the Terminal Server finds itself in:

  • Windows NT 4 domain or workgroup.
  • Windows 2000 domain, with the TS license servers operating in domain mode.
  • Windows 2000 domain, with the TS license servers operating in enterprise mode.

Discovery in Windows NT 4 Domains or Workgroup Environments

If the Windows 2000 Terminal Server is in a Windows NT 4 domain or a workgroup, it will send out a NetBIOS broadcast on the local subnet to the "\TermServLicensing" named pipe. All TS license servers on the same subnet will reply. The Terminal Server will record the names of the servers that replied and randomly pick one to use as its licensing server by opening a "\HydraLs" named pipe to that server.

Once a TS license server is found, the Terminal Server will periodically verify that it exists. (See Figure 14.4.) If the Terminal Server "loses" the TS license server because that license server did not reply to a verification by the Terminal Server, the Terminal Server will attempt to connect to one of the other TS licensing servers that responded during the initial discovery. If no connection can be made to a license server, the Terminal Server will attempt to find a license server by starting the discovery process over again.

  • NT 4 domain or workgroup
    • License server verified to exist if no activity every 120 min
    • If no license server is found, discovery process occurs every15 min
  • Windows 2000 - Domain
    • License server verified to exist if no activity every 120 min
    • If no license server is found, discovery process occurs every 15 min
  • Windows 2000 - Enterprise
    • License server verified to exist if no activity every 60 min
    • If no license server is found, discovery process occurs every 60 min

Figure 14.4: Microsoft License Discovery

Discovery in Windows 2000 domain Environments

If the Windows 2000 Terminal Server is a member of a Windows 2000 Active Directory domain, the Terminal Server will use two methods to try to find the TS licensing server.

Via the first method, a Terminal Server will query a domain controller for the "TS-Licensing" object. If that object exists, that means that a TS license server has been configured and is operating with a domain scope.

Next, the Terminal Server will query the domain controller for a list of servers whose names are listed in that domain object. It will then randomly pick a server from the list and try to open the "\TermServLicensing" named pipe connection. If that is successful, the Terminal Server tries to open a "\HydraLs" named pipe through which licenses can be requested from the TS licensing server.

If that connection fails, the Terminal Server will pick another server from the list and try again. If all servers fail, then the Terminal Server will connect to another domain controller and start the whole process over again.

Meanwhile, a Terminal Server in a Windows 2000 domain attempts to find an enterprise license server by reading the value of the "TS-Enterprise-License Server" Active Directory object. If that object exists, the Terminal Server will try to connect to the TS license server specified by that AD object.

If the Terminal Server establishes a connection with two different TS licensing servers-one at the domain level and one at the enterprise level, the domain level license server will take precedence. However, if that server runs out of licenses and cannot find any more among other domain-level license servers, the Terminal Server will try to obtain licenses from the enterprise-level license server.

In all cases, after a Terminal Server finds a TS licensing server, the Terminal Server will use that specific TS licensing server exclusively until that server fails to respond to a request, forcing the Terminal Server to connect to another license server.

When a Terminal Server successfully establishes a connection with a TS license server, the Terminal Server will perform a connection test to verify that the TS license server is still there. The timing of that test varies with the type of license server found, as shown in Figure 14.4. If that test fails and the Terminal Server cannot connect to any of the TS license servers it discovered the first time around, the discovery process is restarted.

Manually Specifying Default License Servers

If a TS licensing server is located or configured in such a way that a Terminal Server is not able to automatically discover it with the aforementioned methods, it is possible to manually configure the Terminal Server to connect to a specific TS licensing server. By doing this, license servers can be located in different subnets, domains, or sites than the Terminal Servers.

To manually specify the location of a TS licensing sever, you must add the NetBIOS name of the licensing server to the registry of each Terminal Server.

Key:HKLM\SYSTEM\CurrentControlSet\Services\TermService \Parameters
Value: DefaultLicenseServer
Type: REG_SZ
Data: servername

Note that this entry must be a NetBIOS server name. IP addresses will not work. (If NetBIOS name resolution is not working in your environment, you can always add an lmhosts file to the Terminal Server with an entry for the TS licensing server.)


Figure 14.5: Microsoft License Server Discovery Process

You can even use this manual method of specifying a license server as a way to run your license server on a non-domain controller in Active Directory environments. This is useful in many situations because the people who run the Terminal Servers are not always allowed to add services to domain controllers.

Adding this registry key will override the natural discovery process. If the specified license server is not available, the Terminal Server will not try to discover another license server on its own.

Many organizations make use of this manual configuration for accounting purposes, allowing different departments to purchase and maintain different pools of TS CALs.

Installing the TS Licensing Service

The Terminal Services Licensing Service can be installed on any Windows 2000 server. This installation can be done at the time of the OS installation or at any time after that via the Control Panel (Control Panel | Add Remove Programs | Windows Components | Terminal Services Licensing Service).

When the installation routine begins, it will ask if you want to setup the license server in "Enterprise" or "Domain" scope for license servers in Active Directory environments.

After the TS licensing service is installed on a server, it must be activated by the Microsoft clearinghouse via the Terminal Services Licensing tool. This activation gives the license server the digital certificate it will use to accept and activate TS CALs. Activation also enables the license server to begin issuing the "free" TS CALs to Windows 2000 and Windows XP Professional clients.

The license server activation is fairly straightforward (Start | Programs | Administrative Tools | Terminal Services Licensing Tool | Right click on server | Activate). Activation can be done directly via the Internet or via a web page, fax, or telephone call. If you run the licensing tool on a computer other than the license server, the computer that you are using needs access to the Internet-not the license server.

Install and activate a TS licensing server within 90 days of using Terminal Services. If a Terminal Server can't find an activated license server after it's been used for 90 days, the Terminal Server will refuse connections to clients that do not have valid TS CALs.

If an activated license server ever depletes its inventory of TS CALs, it will issue 90 day temporary CALs. These temporary licenses are only valid for 90 days. They can only be replaced by a permanent license. They cannot be replaced by another 90-day temporary license. Temporary TS CALs are only issued to clients that require TS CALs to be purchased. An activated TS license server can never run out of the "free" TS CALs for qualifying clients such as Windows 2000 and Windows XP Professional.

Managing TS Licensing Servers

Managing Windows 2000 Terminal Services license servers should not take much of your time. There are only two tasks you need to know about:

  • Adding new licenses to the license pool.
  • Administering the license server.

Adding Licenses to a TS License Server

All newly-purchased Terminal Services Client Access Licensing must be installed onto a TS license server. These licenses are purchased in the same manner they have always been. Traditionally, if you bought a Client Access License pack, that pack only contained a license agreement-a useless piece of paper. Now, when you buy a Windows 2000 TS CAL license pack, it comes with a 25 character license code. This code must be entered into the TS Licensing Wizard for the TS licensing servers. If you buy licenses through a volume license agreement such as Select or an Enterprise Agreement, you will need to enter that agreement number into the Licensing Wizard when you add the licenses.

After the licenses have been installed, you need to activate them. You can activate the licenses via the same four methods you use to activate the license server (Internet, phone, fax, or email). Once activated, the licenses are ready to be distributed to client devices. Any clients that previously received the 90-day temporary licenses will be upgraded to full licenses the next time they connect.

Administering License Servers

The TS licensing service is a "set it and forget it" kind of service. Theoretically, it only needs to be administered when new licenses are purchased or old licenses are removed.

However, there are times when it would be convenient to administer TS licensing servers remotely. For technical reasons, the TS Licensing Tool cannot be run via a remote Terminal Services session. However, this tool can be executed locally on any Windows 2000 computer and used to connect back to one or more TS license servers. In order to do this, copy the licmgr.exe and the lrwizdll.dll files from the \system32\ directory of the TS licensing server to the \system32\ directory of the computer you would like to use. Run licmgr.exe to use the tool.

As was mentioned previously, running the tool in this manner can be helpful when activating TS licensing servers or TS CAL packs. This is because during the activation, the machine that is running the TS Licensing Tool needs access to the Internet-not the actual license server itself. This works well in scenarios in which the Terminal Servers are not connected to the Internet but there are certain administrator workstations connected to the Internet and the internal network.

Maintaining the TS license servers is simple. One TS licensing console can connect to all of the license servers in your environment, facilitating centralized administration.

If you ever lose your TS license server, you will need to contact Microsoft to have your licenses re-issued. (This can be prevented if your license server is backed up properly. See Chapter 17 for details.)

You can generate a report that shows all of the licenses that have been issued, including temporary ones, with the "lsreport" tool available in the Windows 2000 Server Resource Kit.

Client Device License Acquisition Process

The process by which a client device is granted a Terminal Services Client Access License is fairly complex, but interesting nonetheless. It is important that you have a good understanding of how the client device, Terminal Server, and license server all work together.

Before we sdelve into the details of the client device license acquisition process, there is an important technical note to cover.

In order for the licensing to work as described here, you must have hotfix Q287687 or Windows 2000 Service Pack 3 installed on all of your Terminal Servers and your TS licensing servers. Ideally, this hotfix or Service Pack 3 will be installed before any users ever connect to the server.

We'll talk about how horrible things would be without this hotfix or Service Pack later in this chapter since the changes that this hotfix applies are more relevant once we study how the process works. For now, know that hotfix Q287687 or Service Pack 3 is a good thing. Always.

License Distribution to New, Unlicensed Client Devices

When a client device connects to a Windows 2000 Terminal Server, the server checks to make sure that the client device has a TS CAL (in the form of a digital certificate). If the client has a valid TS CAL, it is allowed to connect to the Terminal Server. In this case, there is no need for the Terminal Server to contact the license server because the client already has a TS CAL.

If the client device does not present a valid TS CAL, the Terminal Server will connect to the license server to obtain one. The license server will send a digital certificate for a temporary 90-day TS CAL to the Terminal Server, which passes it down to the client.

In the event that the license server does not respond to the Terminal Server, the Terminal Server will try to connect to one of the other license servers from its internal list of servers that was built as a result of the license server discovery process. If it can't connect to a license server, it will start the license server discovery process again. If this happens, because the client device does not have a TS CAL, the Terminal Server will be forced to deny the connection. The only exception to this is if the Terminal Server has been in use for less than 90 days. If so, the server will ignore the fact that it cannot find a license server. All of this action takes place a soon as the connection is made-before the user even authenticates!

After the user successfully authenticates, the Terminal Server will again contact the license server. This time the Terminal Server will tell the license server that the TS CAL that was sent to the user should be marked as "valid." If the user did not successfully authenticate, (i.e. the connection was from an inappropriate user), the Terminal Server will not contact the license server, and the license that was sent out will not be marked as "valid."

The next time that client device connects, its 90-day temporary TS CAL is upgraded to a full TS CAL. The Terminal Server notices that the client device has presented a temporary TS CAL certificate upon connection. The Terminal Server contacts the license server and requests a digital certificate for a full TS CAL which it then passes on to the client device. If, for some reason, all of the license servers have depleted their inventories of TS CALs, the client device will keep its temporary 90-day TS CAL certificate. As long as the 90-day certificate has not expired, the client device can still connect, even with no licenses available on any license servers.

The key to remember with the TS CAL certificate assignment process is that an unlicensed client device will always be granted a temporary 90-day TS CAL at the time of its first connection. Only after successful authentication and a second logon is the temporary TS CAL upgraded to a full TS CAL. This two-stage licensing process is used to ensure that TS CALs are only assigned to authenticated users. Previously (before hotfix 287687 or Windows 2000 Service Pack 3) any user that connected was assigned a full TS CAL, even if they did not belong on the system. This was because the full TS CAL certificate was granted at connection time, before the logon screen even popped up. If a user thought, "Oops, I don't belong on this system!" it was too late. Their client device had already received a full TS CAL certificate, even if the administrator never meant for them to access the system. This often lead to license servers running out of TS CALs.

TS CAL License Certificate Storage on Client Devices

When a client device receives a TS CAL from a Terminal Server, it receives it in the form of a digital certificate from a license server. This is why you have to activate the license server with the Microsoft clearinghouse (a certificate authority). This digital certificate is an actual certificate copied to the client device (even with Windows CE). Microsoft has chosen to do this because Terminal Services client devices are licensed separately for each physical client device. The idea is that once a client device connects to a Terminal Server, a TS CAL digital certificate is transferred from the license server to the client device. The license server loses one of its licenses from inventory, and the client device has the digital certificate that it can present to any Windows 2000 Terminal Server for future logons.

This digital certificate is stored in different places in different operating systems. For example, on 32-bit Windows platforms, the TS CAL digital certificate is stored in the registry, at HKLM\Software\Microsoft\MSLicensing \Store\License00x. In the event that the client device has no local storage, its TS CAL certificate is stored on the Terminal Server.

When this license transfer plan was created, the security gurus and bankers at Microsoft thought it was a fantastic idea, because each client device that connected (even once) would be forced to take a permanent TS CAL license (just like the license agreement mandated). While this has always been the way that licensing was supposed to work, there was previously no way for Microsoft to enforce it, and practically every organization that used Terminal Server was under licensed.

Anyone who has been in the computer industry for more than five minutes knows that this license transfer scheme is a horrible idea, mainly because client devices tend to break. Windows-based terminals constantly have their ROMs reflashed. Operating systems are reinstalled on client PCs. Whenever this happens, the TS CAL digital certificate stored on the client device is lost forever because the TS CAL doesn't exist on the license server after it's transferred to a client device. When that client connects back to a Terminal Server, it has no digital certificate to present. The server thinks that it has no license, and so it instructs the license server to use a new TS CAL in the form of a new digital certificate to send down to the client device. In effect, that one client device ends up consuming two TS CALs-the old one that was lost and the new one that was just assigned. If the client device is reset again then a third TS CAL would be used. The only way to fix this is to call the Microsoft licensing clearinghouse (telephone only in this case) and have them release the duplicate TS CAL licenses. (It's kind of funny. When you call them, Microsoft always seems surprised, like they had never heard of this before, and that they would do it "just this once.")

Clearly, this gets very old. The fix to this is the other major component of hotfix Q287687 or Windows 2000 Service Pack 3. With the hotfix installed on your Terminal Servers and license servers, the full TS CAL certificates are no longer permanent (non-expiring). With the hotfix applied, when a Terminal Server requests a TS CAL from the license server for a client device, a full TS CAL certificate is granted that has an expiration date randomly selected between 52 and 89 days from the current date. The license server keeps track of this expiration date and it is also imbedded into the digital certificate that represents the actual license that is passed down to the client device.

Then, every time the client device connects to a Terminal Server, the client device presents its TS CAL certificate to the server. The server checks not only whether the client device has a valid certificate, but also the expiration date of that certificate. If the expiration date of the certificate is within 7 days of the current date, the Terminal Server connects to the license server to renew the license for another random period of 52 to 89 days. Because the license server also tracks the expiration date of TS CALs, if for some reason the CAL is never renewed and it expires, the license server returns that TS CAL to the inventory of available unused licenses. If a client device with a TS CAL were to blow up or be rebuilt, the license server automatically adds the TS CAL back into its available license pool after it expires (a maximum of 89 days).

If the Terminal Server is not able to obtain a TS CAL renewal when the client device's TS CAL certificate expires after the 52 - 89 days, the client is denied access. A temporary 90-day certificate cannot replace a full certificate that has expired. If you don't properly manage your CALs, it is possible that you could end up with users that cannot connect.

This system is actually very cool. Someone at Microsoft deserves an award for designing the temporary TS CALs to be valid for 90 days and the full TS CALs to be valid for a maximum of 89 days, conveniently one day less than the temporary licenses. Consider the following scenario:

Assume that a client device successfully authenticates to a Terminal Server and is granted a full TS CAL certificate that was (worst case) randomly selected to expire at the 89 day maximum. When it passes down the certificate, the license server decrements its total TS CAL license count by one, also noting that particular certificate's expiration date. Now, assume that a catastrophic event occurs at the client, causing its local operating system to be reinstalled and its local TS CAL certificate to be lost. When that client authenticates to a Terminal Server, the Terminal Server will request a new TS CAL certificate from the license server and the license server (again) decrements its TS CAL inventory by one. At this point there have been two TS CAL licenses given out to that one client, but the first one will never be renewed because the certificate was lost when the client was rebuilt. After 89 days (the randomly selected duration of the first certificate), the first TS CAL is returned to the pool by the license server.

As most people would, an administrator in this situation probably bought just enough TS CALs to cover the exact number of client devices. They did not buy extras to cover the 52 - 89 day period that the two licenses were used by one client. By purchasing the exact amount of TS CALs, the license server would not have any more TS CALs to give out when the client device asked for the new TS CAL certificate after the first was lost. In this case, the license server would grant a temporary 90-day TS CAL certificate to the client device because the client device appears to the server as a brand new machine.

Because the temporary TS CAL certificate is always valid at least one day longer then the full CAL certificate (90 days verses a maximum of 89 days), the old, lost full TS CAL will always be returned to the inventory on the license server at least one day before the temporary TS CAL certificate would expire. For example, after day 88, the client device's temporary TS CAL certificate will expire in 2 days, but the license server is tracking the expiration of the full TS CAL that was originally granted for 89 days. That full TS CAL only has 1 day left before it expires. The following day, when the client device's temporary TS CAL certificate has only 1 day remaining, the license server will add the original TS CAL back in its inventory pool, making it available to grant to the client as a permanent license for another random period of 52 - 89 days.

There is one last thing that should be mentioned about the TS CAL expiration period and the Q287687 hotfix or Service Pack 3 change. Any TS CALs distributed to client devices before the hotfix or Service Pack was applied will never expire, unlike the 52 - 89 day expiration of TS CALs distributed after the hotfix is applied. Applying the hotfix does not change the expiration date of the licenses that were previously applied. In this case, if you lose a client device with a TS CAL that was granted before the hotfix was applied, you will have to call the Microsoft clearinghouse to get them to release the license. After this, the next time the license is distributed, it will have the 52 - 89 day expiration date.

If you are a true geek, then you will enjoy tracing the entire licensing flow in Windows 2000 Terminal Server environments in Figure 14.6 on the next page. (Non-geeks may skip this.)

Figure 14.6: Client Device Licensing Process

Either way, geek or non-geek, it's worth reiterating that you must install the Microsoft hotfix Q287687 or Windows 2000 Service Pack 3 on your Terminal Servers and license servers before you begin using your environment.

Multiple 90-day Thresholds Explained

Throughout this license distribution and acquisition process, we have mentioned two different 90-day thresholds. While both are related to Windows 2000 Terminal Services licensing, they are actually two completely different things.

  • Terminal Server will work without a license server for 90 days.
  • If an activated license server runs out of TS CALs (licenses), it will issue 90-day temporary ones.

The first item relates to the presence of a license server. If a Terminal Server cannot locate a license server, it will still allow unlicensed client devices to log on. The Terminal Server itself does not grant 90-day temporary licenses if it cannot find a license server. Instead, if a license server cannot be located, the Terminal Server simply "looks the other way" for 90 days. After the 90-day period ends, unlicensed client device connections are refused. This 90-day countdown begins the first time a user connects to the Terminal Server via a terminal session, regardless of whether or not that user has a valid TS CAL.

The second 90-day item relates to the license server itself. If, over the course of business, an activated TS licensing server runs out of licenses, it will begin to grant 90-day temporary license certificates to client devices. Only an activated license server can grant temporary licenses.

These temporary licenses can only be replaced by full TS CAL licenses-they cannot be replaced by additional temporary licenses. There is no limit to the number of temporary licenses that a license server can grant. Also, the 90-day timer for the expiration of the TS CALs is client specific, meaning that different temporary licenses can expire on different days-even if they were all granted by the same license server.

These two different thresholds inevitably lead to one question:

Can I somehow combine these two thresholds to go 180 days without adding any Microsoft licenses?

The answer to this is "yes." In the event that the licenses you've purchased are taking an extremely long time to come in, you can go 180 days without applying any Microsoft licenses. To do this, set up your Terminal Server without a license server. After 90 days, set up and activate a license server. If you activate the license server but do not add any licenses, the server will grant temporary licenses that are valid for 90 days.

Terminal Services Internet Connector License (TS ICL)

There is one additional Microsoft license that is needed in special situations. This license is known as the "Terminal Services Internet Connector License" and it is required if you want to use your Terminal Server to provide access to anonymous users that will by connecting via the Internet.

This license stemmed from the clause in the Microsoft licensing agreement that mandated that every client device that could connect to a particular server needed to have a separate TS CAL. Wisecracking administrators wondered what would happen if they had applications for the public to use via the Internet. Would they need to buy 200 million licenses, one for every client device on the Internet? Of course Microsoft could not jeopardize their "one license per each unique device" scheme, so they created this Terminal Services Internet Connector License (TS ICL). This license, one of which is required for each Terminal Server that is used this way (next paragraph), costs a cool US$10,000 and is valid for up to 200 users per server. Users using this license do not require any of the TS CALs or server CALs outlined previously. However, there are very strict usage guidelines.

Users of the TS ICL license cannot be employees of the organization that bought the license and they are forced to log on anonymously to the server. The TS ICL license is an "all or nothing" license, meaning that you cannot have one server that hosts some users that connect via the TS ICL anonymously while others are employees that connect via TS CALs. From a practical sense, it's hard to imagine any scenario where this license is useful, except for Citrix's web-based demo room (

Incidentally, do not confuse this Terminal Services Internet Connector License (US$10,000) with the Internet Connector License (US$2,000). The latter of the two is used for connecting server applications to the Internet (like web servers), and is not valid for Terminal Services sessions.

How the Terminal Services Internet Connector License Works

One TS ICL is required for each Terminal Server (NT4 or W2K) that provides anonymous non-employees access to Terminal Services sessions. Each TS ICL may be used for up to 200 concurrent connections. This license replaces TS CALs and server CALs for these servers.

The TS ICL is installed and activated on a TS licensing server just like any other Terminal Services license. When a Terminal Server is configured to operate in Internet Connector mode, it contacts the TS licensing server and a digital certificate for the ICL is transmitted to the Terminal Server. Then the TS license server's inventory of available TS ICL's is decremented by one.

You can switch a Terminal Server into "Internet Connector" mode at any time via the Terminal Services Configuration Utility. When the switch to Internet Connector mode is made, if the Terminal Server cannot contact the license server, or the license server does not have any available TS ICLs, then the server will not go into Internet Connector mode. There is no grace period and there are no temporary TS ICLs.

Once a Terminal Server is in Internet Connector mode, all Terminal Services connections (even those via MetaFrame) are automatically logged on as the local account "TSInternetUser." This cannot be overridden and was done by design to force users to log on anonymously. Whenever a user logs onto a Terminal Services or ICA session on a server that is operating in Internet Connector mode, the user will always use one of the 200 ICL users, even if the user has his own local TS CAL certificate. However, that one user can still log on to multiple Terminal Servers, even if some are operating in Internet Connector mode while others are not.

If you disable Internet Connector mode, then the TS ICL is automatically returned to the available pool on the TS license server. Immediately after disabling this mode, users may log on with any account. TS CALs and server CALs will be required for each client device.


Start the conversation

Send me notifications when other members comment.

Please create a username to comment.