Right, I fetched the doc as per Michael, but the part I am still confused about is your second sentence. So if an unauthenticated user via a non-Windows kiosk accesses the site for which no windows based auth is setup, but application level authentication, then they do or don't need a cal?
Also, if the app brokers auth to a DC, that is IIS itself does not perform authentication but our app takes forms based credentials and validates them against a DC, does this count as windows auth and therefor *all* users under any circumstance then need a cal? Thanks for the help guys, jlc -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer Sent: Tuesday, November 18, 2014 4:17 AM To: [email protected] Subject: [NTSysADM] RE: IIS and cals If you are using Windows Server 2008 (or later), then anonymous (at the HTTP layer) connections do not require a CAL (e.g. you can have a HTML forms based authentication mechanism). Only if users are accessing across your LAN do you need CALs. Authenticated users at the HTTP layer (i.e. using Windows credentials, or certs mapped to Windows users) require user/device CALs. >From the latest PUR (same terms can be found in earlier docs) - Web Workloads >are: Web Workloads (also referred to as "Internet Web Solutions") are publicly accessible and consist solely of web pages, websites, web applications, web services, and/or POP3 mail serving. For clarity, access to content, information, and applications served by the software within an Internet Web Solution is not limited to your or your affiliates' employees. Software in Internet Web Solutions is used to run: * web server software (for example, Microsoft Internet Information Services), and management or security agents (for example, the System Center Operations Manager agent). * database engine software (for example, Microsoft SQL Server) solely to support Internet Web Solutions. * the Domain Name System (DNS) service to provide resolution of Internet names to IP addresses as long as that is not the sole function of that instance of the software. These don't require CALs. Cheers Ken -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Tuesday, 18 November 2014 7:53 AM To: [email protected] Subject: [NTSysADM] RE: IIS and cals It's complicated. They are referring to something called external connectors - and those have always been there. But it depends on a lot of things, the version and edition of windows server, the version and edition of sql server, the version and edition of sharepoint... Generally speaking, the customer is correct, you need a CAL. However, there are still many use cases where you do not need a CAL. These things are described in boring detail in the Purchase Use Rights document. Go to Microsoft.com/licensing and search for the current PUR. Have lots of caffeine sitting beside you. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Joseph L. Casale Sent: Monday, November 17, 2014 3:43 PM To: [email protected] Subject: [NTSysADM] IIS and cals A customer at my day job suggests MS changed the CAL licensing for IIS from the original requirement that a connection authenticated as a windows user requires a CAL, to any connection now requires a CAL? I don't see any corroborating support for that, anyone know anything about this? Thanks! jlc
