Am I the only one who didn't realize that you have to have CALs for Active Directory?

Cerulean

If you run Active Directory services, you must have either device CALs or user CALs (non-RDS/terminal services CALs) for every computer joined to the domain or for every user account.

I'm probably going to get a lot of replies saying "you just now learned that?? this is common sense, everyone knows it!" :(

I got a quote from isgtech.com and they quoted me 45 USD per device CAL and about 1300 USD for a single 2012 R2 license.
 
That is correct, and starting with Server 2012 they no longer bundle ANY CALs with it.

They are just setting you up for a failure so when they come knocking on your door saying it's time for an audit they can sue the F8#k out of you if you don't comply.

I think many IT people have no idea. Almost all the networks I have walked into second hand do not have sufficient CALs.
 
I was 3 years into my CS major when the teacher started deleting text not backwards but forwards and I was amazed. I asked my friend how he was deleting forward. My friend looked at me like I was stupid and said he's using the delete key. It never occurred to me to use the delete key; I would click after where I wanted to delete and use the backspace key.
 
I was 3 years into my CS major when the teacher started deleting text not backwards but forwards and I was amazed. I asked my friend how he was deleting forward. My friend looked at me like I was stupid and said he's using the delete key. It never occurred to me to use the delete key; I would click after where I wanted to delete and use the backspace key.

Very brave of you to share that story. :eek:
 
If you run Active Directory services, you must have either device CALs or user CALs (non-RDS/terminal services CALs) for every computer joined to the domain or for every user account.

I'm probably going to get a lot of replies saying "you just now learned that?? this is common sense, everyone knows it!" :(
Quite a few places I've worked, BIG places, haven't known this. They thought I was very confused when I brought it up and pushed it.

Oh..the money I could have made with the BSA over the years....
 
I was 3 years into my CS major when the teacher started deleting text not backwards but forwards and I was amazed. I asked my friend how he was deleting forward. My friend looked at me like I was stupid and said he's using the delete key. It never occurred to me to use the delete key; I would click after where I wanted to delete and use the backspace key.

Damn I hate to admit this but. I had noooooo idea!

I've been clicking behind and hitting backspace as well!

Thanks.:cool:
 
Jesus, I can't get over the delete key. How in the world do you guys spend time on computers and not know that! hahah
 
I knew about the CALs for Windows services, but I did learn something new the other day...

So I knew you needed CALs for any machines connected to those servers that use services like file/print sharing, any apps hosted on that machine... Active Directory logins.... etc.

The exception I knew about was IIS; you don't need access CALs for machines accessing web servers (for obvious reasons).

BUT.... what I DIDN'T realize is that simple services like DNS and DHCP even require CALs... I literally learned this 6 months ago and I'm an IT manager....

Makes me want to offload those services to Linux, honestly.... there MUST be a gray area with this... or just EVERYONE buys user CALs these days.... Are companies really expected to buy CALs for people connecting their smartphones or tablets from home to company networks to use DHCP/DNS services? Public wifi? Really?

It's kind of ridiculous... I have like IP cameras... wireless access points... and bullcrap devices like that that use 0 services on those Windows boxes besides DHCP and DNS, and I gotta pay for a CAL for those?
 
I knew about the CALs for Windows services, but I did learn something new the other day...

So I knew you needed CALs for any machines connected to those servers that use services like file/print sharing, any apps hosted on that machine... Active Directory logins.... etc.

The exception I knew about was IIS; you don't need access CALs for machines accessing web servers (for obvious reasons).

BUT.... what I DIDN'T realize is that simple services like DNS and DHCP even require CALs... I literally learned this 6 months ago and I'm an IT manager....

Makes me want to offload those services to Linux, honestly.... there MUST be a gray area with this... or just EVERYONE buys user CALs these days.... Are companies really expected to buy CALs for people connecting their smartphones or tablets from home to company networks to use DHCP/DNS services? Public wifi? Really?

It's kind of ridiculous... I have like IP cameras... wireless access points... and bullcrap devices like that that use 0 services on those Windows boxes besides DHCP and DNS, and I gotta pay for a CAL for those?

Call up Microsoft about that. Try and get a straight answer. I did and got 3 different answers from different people at Microsoft. Their licensing is so complex even they don't understand it.
 
MS licensing is the most ridiculous thing ever. You pretty much have to pay multiple times for everything. It's crazy. Add Citrix or TS to the mix and things get even more fun.
 
Call up Microsoft about that. Try and get a straight answer. I did and got 3 different answers from different people at Microsoft. Their licensing is so complex even they don't understand it.

Yeah, if I have to hard code IP addresses and public DNS servers, I can circumvent having to get CALs for IP cams?

That's just encouraging poor IT practices
 
Source of information: http://blogs.technet.com/b/volume-l...en-do-i-need-a-client-access-license-cal.aspx

If you have a multifunction printer connected to a Windows Server network, you have to have a CAL

You need CALs for SQL Server connections

You need CALs for external users

You need RDS CALs

If you run an IIS website where a user can register for an account, you will need CALs

Microsoft allows up to two connections to servers for administrative purposes, and if your admins do anything beyond that scope (ex. checking their email, seriously), CALs are required.

Looks like you need a user CAL for each user that connects to a Windows Server for accessing printers, otherwise you need to have a device CAL for each printer

You need to provide a CAL to each guest that uses Windows Server's DHCP, even if temporarily

And there's more … I'm stopping here on listing the nonsense, and this is from Microsoft!

So in regards to ethics, where does a sysadmin draw the line? The only true way is to stop using Microsoft products altogether :(
 
Source of information: http://blogs.technet.com/b/volume-l...en-do-i-need-a-client-access-license-cal.aspx

If you have a multifunction printer connected to a Windows Server network, you have to have a CAL

You need CALs for SQL Server connections

You need CALs for external users

You need RDS CALs

If you run an IIS website where a user can register for an account, you will need CALs

Microsoft allows up to two connections to servers for administrative purposes, and if your admins do anything beyond that scope (ex. checking their email, seriously), CALs are required.

Looks like you need a user CAL for each user that connects to a Windows Server for accessing printers, otherwise you need to have a device CAL for each printer

You need to provide a CAL to each guest that uses Windows Server's DHCP, even if temporarily

And there's more … I'm stopping here on listing the nonsense, and this is from Microsoft!

So in regards to ethics, where does a sysadmin draw the line? The only true way is to stop using Microsoft products altogether :(

Yup... this sort of thing pushes me right out to start using Linux or other FOSS based DHCP and DNS at the very least...

I'm NOT paying for a CAL for an IP phone... sorry... (no, it's not a Microsoft Lync IP phone, lol)
 
If you run an IIS website where a user can register for an account, you will need CALs

Does this only apply if the account creation is making an active directory account, or does it apply if you are inserting a row into the website's database?
 
Does this only apply if the account creation is making an active directory account, or does it apply if you are inserting a row into the website's database?
And I quote:

5 – Do I need a CAL when my Windows Server is used to run a web server?

Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors. Web workloads, also referred to as an internet web solution, are publicly accessible (e.g. accessible outside of the firewall) and consist only of web pages, web sites, web applications, web services, and/or POP3 mail serving. Access to content, information, and/or applications within the internet web solution must be publicly accessible. In other words, they cannot be restricted to you or your affiliate's employees.

If you have Windows Servers configured to run a "web workload" these users will not require CALs or External Connectors. However, let's say you are using Windows Server to set up an online store where customers can buy widgets. You have front end Windows Servers set up to support your website, and backend servers (e.g. commerce servers) set up so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running "web workloads" and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale, they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers on which web workloads are not running, CALs or External Connectors will be required for users to access these back end servers.
 
I guess the way that is worded is not very clear to me. The user is not accessing the backend servers, they are only accessing the web front end when they log in.
When they login, how does the login happen? Where does the webserver need to go to validate that the password they entered matches the hopefully salted hash of their password? Likely a backend server (but not always). At the very least, in probably most cases, there are other servers involved besides just the server running the front-end IIS-based website, and without those other servers the application on the IIS server would not function correctly (or at all). It's like tracing network packets and the routes they travel to get from A-to-B, or a statement like "what does it take and involve for this action to be successfully executed" (producing an inventory almost).

If you have a webserver running your eCommerce site that is IIS-based, in an ideal setup you might have a second machine that is dedicated to running the SQL database + that machine would not be on the DMZ. When a user goes to your eCommerce site hosted by the first machine (this part you do not need a CAL for) and they register an account, the data and queries involved in "registering an account" also involve the SQL server. You would need a CAL for that user because of that ... and on top of that, you would also need SQL Server CAL for each connection too. ;)

At our company, we have an IIS-based eCommerce site. It has its own database, of course, BUT it also interacts with our ERP system. So when a user registers an account, this would involve a CAL because of interaction involving a backend server. When the user is putting in an order, this is involving probably both a backend server (for the eCommerce site database to match credentials and keep order history -- invoice #s would be linked to sales order #s from the ERP) and also a backend application (the ERP system that everyone in the Company uses; a sales order would be created and a chain reaction of job travelers for manufacturing each piece of the product and assembling them would happen). BTW -- this is a manufacturing company. Effectively, in this scenario, for each registered account on the eCommerce site you would need two SQL Server CALs (ERP and eCommerce DBs are hosted on different servers), and one or two CALs for backend server/application access.

One question I have though... it seems like you need a CAL for everything.

So, if I have a /24 network that is fully Microsoft-based and have 5 human users (including self) and I purchase 254 Device CALs and 5 User CALs, would that cover me for AD+DHCP+printers+backend application access via IIS? Or would I be technically required to "double up" on CALs for the same device/user for different things (ex. CEO John Doe needs one user+device CAL for AD, a second device CAL for DHCP, a second user CAL for accessing RDS, a third user CAL for occasionally doing non-administrative tasks when RDP'd into non-RDS servers)?

Recently my supervisor (head sysadmin) and manager (his boss) attended a scheduled conference call with Microsoft's Licensing Team (a group of professionals and experts on MS licensing -- they are Microsoft employees). This meeting was scheduled several weeks into the future so that we could come up with questions. When the meeting finally came and the questions were asked, they were confused and not sure, so we sent them an e-mail (written form instead of verbal). Then they were like "oh uh I don't know, we need to ask so-and-so from elsewhere". Wow, you've got to be kidding me. Even Microsoft's own Licensing personnel don't know! ... people who are QUALIFIED and EXPERTS on licensing and couldn't answer a single question. The meeting didn't last more than 5 minutes. This was 2 weeks ago; they said they would get back to us but we haven't heard a peep from them.
 
When they login, how does the login happen? Where does the webserver need to go to validate that the password they entered matches the hopefully salted hash of their password? Likely a backend server (but not always). At the very least, in probably most cases, there are other servers involved besides just the server running the front-end IIS-based website, and without those other servers the application on the IIS server would not function correctly (or at all).

If you have a webserver running your eCommerce site that is IIS-based, in an ideal setup you might have a second machine that is dedicated to running the SQL database + that machine would not be on the DMZ. When a user goes to your eCommerce site hosted by the first machine and they register an account, the data and queries involved in "registering an account" also involve the SQL server. You would need a CAL for that user because of that ... and on top of that, you would also need SQL Server CAL for each connection too. ;)

There's a lot of different ways the authentication can happen. The controller on the IIS web server may send a request to an API, and the API would send the response back telling the web server if the user failed or succeeded in authenticating.

With this method the user is authenticated via the backend, but never accessed anything behind the web server. The way it is worded they would only need a CAL if the user accessed the backend, which they did not, so therefore a CAL would not be required?
 
There's a lot of different ways the authentication can happen. The controller on the IIS web server may send a request to an API, and the API would send the response back telling the web server if the user failed or succeeded in authenticating.

With this method the user is authenticated via the backend, but never accessed anything behind the web server. The way it is worded they would only need a CAL if the user accessed the backend, which they did not, so therefore a CAL would not be required?
Microsoft would say a CAL would be required because the user is authenticated via the backend despite not having direct access beyond the webserver on http:// and https://

(I see what you're saying ... this would ultimately have to be a legal fight in court. It's just like the things going on in our legal system and politics today ... ex. topic of abortion or gay marriage)

But .. what are you supposed to do if you can get the same answer from three different calls to Microsoft let alone from Microsoft's own professional experts on licensing who themselves are clueless about I guess their own jobs?
 
Microsoft would say a CAL would be required because the user is authenticated via the backend despite not having direct access beyond the webserver on http:// and https://

(I see what you're saying ... this would ultimately have to be a legal fight in court. It's just like the things going on in our legal system and politics today ... ex. topic of abortion or gay marriage)

Say that is the case, now how would this work? If your website uses a 3rd party authentication such as Facebook, who would need the CAL, if anyone? Your website would be redirecting to Facebook's website's frontend, and hitting their API to authenticate, then telling your website if it succeeded.
 
Say that is the case, now how would this work? If your website uses a 3rd party authentication such as Facebook, who would need the CAL, if anyone? Your website would be redirecting to Facebook's website's frontend, and hitting their API to authenticate, then telling your website if it succeeded.
Where is the DB that holds "oh, yeah, this person has logged into my website before + he used his Facebook credentials"? If you eliminate that, then you might have a website that doesn't store any data and accesses user information just to populate some things, have no website at all, or have an app on facebook.com to which you are redirecting visitors' internet browsers. Then if the same visitor logs into the website with their Facebook account, it would be the same as if this is the first time they visited the website. There would be no history recorded or ever saved. The only records that might exist could be e-mail messages sent by the website via SMTP that would be sitting in the user's mailbox and/or a journal e-mail mailbox for the website (that has nothing to do with Microsoft).

You could do that if the website were something like "login with your Facebook account so that I can report back to you the number of things you have Liked".

If it were an eCommerce site that is IIS-based and you wanted to avoid a CAL, you could have it send e-mail messages to people that work at the company for that ecommerce website and employees would manually enter in new orders / import e-mails into whatever system they use (which might even be a website by some vendor that has nothing to do with Microsoft). Same thing if it were the scenario of my company. A manual copy of the data in the ERP system would be made and imported into the DB of the eCommerce site, and interactions that would normally involve the ERP system would be done completely manually (as in, you could physically isolate networks between the ERP servers and eCommerce server)
 
Where is the DB that holds "oh, yeah, this person has logged into my website before + he used his Facebook credentials"? If you eliminate that, then you might have a website that doesn't store any data and accesses user information just to populate some things, have no website at all, or have an app on facebook.com to which you are redirecting visitors' internet browsers. Then if the same visitor logs into the website with their Facebook account, it would be the same as if this is the first time they visited the website. There would be no history recorded or ever saved. The only records that might exist could be e-mail messages sent by the website via SMTP that would be sitting in the user's mailbox and/or a journal e-mail mailbox for the website (that has nothing to do with Microsoft).

You could do that if the website were something like "login with your Facebook account so that I can report back to you the number of items you have Liked".

You'd still have your own DB that stored the user's email because you need an ID for that user to relate things to them. Otherwise there'd kinda be no point to them even authenticating with Facebook. But the authentication wouldn't be done on your site. *shrug*
 