Terminal Services and Licensing on Windows Server 2003
I was recently asked how a Terminal Server holds the license on the client side. In doing the research into this question i came across some really good information about how terminal services works and also the licensing models available.
This email is broken down into the following areas:
· Terminal Server Configured for Device based TS CALS
· External Connector License. (This could be something to look at for business partners that come and use TS servers in and organisation )
· The Seven types of Windows 2003 client licenses
· How to get reports from the licensing server
· Uncovering Client Device TS CAL Details
Terminal Servers Configured for Device-Based TS CALs
When a Terminal Server is configured to use TS Device CALs (Start | Administrative Tools | Terminal Services Configuration | Server Settings | Licensing), each client device needs to have its own license.
- Terminal Server CALs are purchased and installed into the license database on the (previously activated) TS Licensing Server.
- The TS CALs are activated via the Microsoft License clearinghouse. The activated licenses remain on the license server, waiting for assignment to client devices.
- A user makes an RDP connection to the Terminal Server.
- Since the Terminal Server is in per device licensing mode, the Terminal Server checks for the device’s TS CAL (in the form of a digital certificate).
- If the client device does not present a valid TS CAL, the Terminal Server connects to the license server to obtain one.
- If the license server does not have any more TS CALs, it will route the Terminal Server to another license server that does have available TS CALs (if known).
- The license server sends the Terminal Server a digital certificate for a temporary 90-day TS CAL.
- The Terminal Server passes this certificate down to the client.
- The user’s credentials are validated. If the user successfully authenticates, the Terminal Server contacts the license server a second time. This time around, the Terminal Server informs the license server that the TS CAL that was sent to the client should be marked as “valid.” If the user did not successfully authenticate, (i.e. the connection was from an inappropriate user), the Terminal Server will not contact the license server, and the license that was sent out will not be marked “valid.”
- The next time that client device connects, it presents its 90-day temporary TS CAL to the Terminal Server.
- The Terminal Server contacts the license server. Since the licensing server marked the CAL as valid the first time the user authenticated, the client device’s temporary CAL is up-graded to a full CAL. If, for some reason, all of the license servers have depleted their inventories of TS CALs, the client device keeps its temporary 90-day TS CAL certificate
TS CAL License Certificate Storage on Client Devices
As mentioned earlier, when a client device receives a TS Device CAL from a Terminal Server, it receives it in the form of a digital certificate from a license server. For this reason you must activate the license server with the Microsoft clearinghouse (which is just a certificate authority). The digital certificate is an actual certificate copied to the client device (even with Windows CE). Once a client device connects to a Terminal Server, a TS CAL digital certificate is transferred from the license server to the client device. The license server loses one of its licenses from its inventory, and the client device has the digital certificate that it can present to any Terminal Server on future connections.
The digital certificate is stored in different locations depending on the operating system. On 32-bit Windows platforms, the TS CAL digital certificate is stored in the registry at HKLM\Software\Microsoft\MSLicensing\Store\License00x.
1. Anyone who has been in the computer industry for more than five minutes can probably spot a potential flaw in this plan. Client devices tend to break. Windows-based terminals have their ROMs re-flashed. Operating systems are reinstalled on workstations. PCs are reimaged. Whenever this happens, the TS CAL digital certificate stored on the client device is lost forever. The TS CAL doesn’t exist on the license server after it’s transferred to a client device. When that client connects back to a Terminal Server, it has no digital certificate to present. The server thinks that it has no license, and instructs the license server to issue a new TS CAL in the form of a new digital certificate. In effect, that one client device ends up consuming two TS CALs—the old one that was lost and the new one that was just issued. If the client device were reset again, a third TS CAL would be used.
2. In Windows 2003 (and Windows 2000 SP3), when a Terminal Server requests a TS CAL from the license server for a client device, a full TS CAL certificate is granted with an expiration date randomly selected between 52 and 89 days from the current date. The license server keeps track of the expiration date and it is also embedded into the digital certificate that represents the actual license passed down to the client device.
3. Every time the client device connects to a Terminal Server, it presents its TS CAL certificate to the server. The server checks not only whether the client device has a valid certificate, but also the expiration date of that certificate. If the expiration date of the certificate is within 7 days of the current date, the Terminal Server connects to the license server to renew the license for another random period of 52 to 89 days.
4. The license server also tracks the expiration date of TS CALs. If for some reason the client’s CAL is never renewed and expires, the license server returns that TS CAL to the inventory of available unused licenses. If a client device with a TS CAL were to blow up or be rebuilt, the license server would automatically add the TS CAL back into its available license pool after it expired (a maxi-mum of 89 days).
5. If the Terminal Server is not able to obtain a TS CAL renewal when the client device’s TS CAL certificate expires after the 52 to 89 days, the client is denied access. A temporary 90-day certificate cannot replace a full certificate that has expired, but this shouldn’t ever be a problem for you (unless you don’t have enough TS CALs).
6. Someone at Microsoft deserves an award for the fact that the temporary TS CALs are valid for 90 days and the full TS CALs are valid for a maximum of 89 days—conveniently one day less than the temporary licenses . Consider the following scenario:
7. Assume that a client device successfully authenticates to a Terminal Server and is granted a full TS CAL certificate that was (worst case) randomly selected to expire at the 89 day maximum. When it passes down the certificate, the license server decrements its total TS CAL license count by one, also noting that particular certificate’s expiration date. Now, assume that a catastrophic event occurs at the client, causing its local operating system to be reinstalled and its local TS CAL certificate to be lost. When that client authenticates to a Terminal Server, the Terminal Server will request a new TS CAL certificate from the license server and the license server (again) decrements its TS CAL inventory by one. At this point there have been two TS CAL licenses given out to that one client, but the first one will never be renewed because the certificate was lost when the client was rebuilt. After 89 days (the randomly selected duration of the first certificate), the first TS CAL is returned to the pool by the license server.
8. The administrator in this situation probably bought just enough TS CALs to cover the exact number of client devices. He did not buy extras to cover the 52 – 89 day period during which one client device had two CALs assigned. By purchasing the exact amount of TS CALs, the license server would not have any more TS CALs to give out when the client device asked for the new TS CAL certificate after the first was lost. In this case, the license server would grant a temporary 90-day TS CAL certificate to the client device because the client device appears to the server as a brand new machine. Because the temporary TS CAL certificate is always valid at least one day longer then the full CAL certificate (90 days versus a maximum of 89 days), the old, lost full TS CAL will always be returned to the inventory on the license server at least one day before the temporary TS CAL certificate would expire. For example, after day 88, the client device’s temporary TS CAL certificate will expire in 2 days, but the license server is tracking the expiration of the full TS CAL that was originally granted for 89 days. That full TS CAL only has 1 day left before it expires. The following day, when the client device’s temporary TS CAL certificate has only 1 day remaining, the license server will add the original TS CAL back in its inventory pool, making it available to grant to the client as a permanent license for another random period of 52 – 89 days.
External Connector License
A challenge to using per-user and per-device CALs is the fact that they have to be assigned to a specific user account or a specific client device. While adequate for employees of the company that bought the license, what happens if a company wants to extend its Terminal Server environment to business partners where the names of users and client devices wouldn’t be known? What happens if a company wants to extend an application via a Terminal Server to the Internet? Technically following the Microsoft terms, you would need to buy a license for each unique user or computer that connected to your server.
Clearly this is not feasible. To address this challenge, Microsoft introduced the External Connector License (ECL), designed to be used when systems are extended to external parties, including business partners and the public.
ECLs are available for all new Microsoft products (except products that are licensed on a per-processor basis since per-processor licenses already account for unlimited users and client devices). In Terminal Server 2003 environments, ECLs provide a simple way to buy “concurrent” user licenses for those who need to connect to your server. If you wanted to open up a server to trading partners, you would buy a Terminal Server ECL.
At this point you might be wondering why you can’t just buy ECLs and forget all this per-user and per-device garbage. Microsoft has strict rules governing the use of ECLs, and users of the TS ECLs cannot be employees of the organization that bought the license.
The Seven types of Windows 2003 client licenses
The license service that runs on a Windows 2003 server keeps track of seven different types of licenses. These include four types of licenses for Windows 2003 Terminal Servers and three types (for backward compatibility) for Windows 2000 Terminal Servers. The seven types of Windows 2003 client licenses include:
- Windows Server 2003 TS Device CALs. This license is the per-device CAL that is issued to unique client hardware devices. It allows the client device to access Windows 2000 and 2003 Terminal Servers.
- Windows Server 2003 TS User CALs. This is the per user CAL that’s assigned to unique user accounts. This license allows a user to access Windows 2000 and 2003 Terminal Servers. If the client device has a valid TS Device CAL, then this TS User CAL is not needed, and vice versa.
- Windows Server 2003 TS External Connector Licenses. When assigned to a Terminal Server, this ECL license allows unlimited non-employee connections. When this ECL is used, TS Device CALs and TS User CALs are not needed.
- Windows 2000 TS CALs. These are per-device licenses for devices connecting to Terminal Servers running Windows 2000.
- Windows 2000 TS Internet Connector Licenses. These licenses are essentially the Windows 2000 version of the Windows 2003 TS ECL. When assigned to a Windows 2000 Terminal Server, this license allows 200 simultaneous connections. These connections must be made by non-employees, across the Internet, via anonymous user accounts.
- Windows 2000 Built-in Licenses. These built-in licenses are used for Windows 2000 and Windows XP workstations that are connecting to Windows 2000-based Terminal Servers. Remember from the previous section that Windows 2003 Terminal Servers do not support the use of built-in licenses. (Which is why even if your Windows XP workstations qualify for “free” Windows 2003 TS CALs, you have to obtain TS Devices CALs from Microsoft—they’re not automatically built in.)
- Temporary Licenses. If a licensing server ever runs out of activated licenses, it will issue temporary licenses to any client devices requesting per-device TS CALs (applicable to Windows 2000 or 2003-based Terminal Servers). The number of temporary TS CALs a licensing server can grant is unlimited, although the temporary CALs themselves expire after 90 days and cannot extended.
Reporting on License Usage
The Terminal Server License Reporting tool, lsreport.exe, from the Windows Server 2003 Resource Kit can be used to view and analyze the data contained within the licensing server database. This tool outputs the information in the database into a tab-delimited format that allows you to create reports of who is using your licenses. Run “lsreport /?” from a command prompt for a list of options.
Uncovering Client Device TS CAL Details
The Terminal Server Client License Test tool, TSCTST.EXE, is a command-line client-side tool that displays information about a client device’s local TS CAL. Also included in the Windows Server 2003 Resource Kit, it provides the following information about a license:
- Issued to computer
- Issued to user
- License ID
- Type and Version
- Valid From
- Expiration date
By using the “/A” switch, the following additional information is displayed:
- Server certificate version
- Licensed product version
- Hardware ID
- Client platform ID
- Company name
This tool is used from the command line of a client device. It’s useful when you need to locate information about the TS CAL certificate that’s stored locally on that device.