Terminal Services Licensing Enhancements (287687)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
This article was previously published under Q287687

SYMPTOMS

This article describes two enhancements to Windows 2000 Terminal Services Licensing for Windows 2000 that are available as an update in Microsoft Security Bulletin MS01-052. These enhancements are Post Logon License Token Issuance and Automatic License Token Re-issuance. The Microsoft Security Bulletin MS01-052 also contains the fix that is described in the following Microsoft Knowledge Base article:

294729 Terminal Services Clients Consume Multiple Terminal Services CALs Because of Storage Issues

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The following files are available for download from the Microsoft Download Center:

DownloadMicrosoft Security Bulletin Ms01-052

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later: 
   Date         Time     Version        Size     File name   
   -------------------------------------------------------
   5/30/2001    04:50p   5.0.2195.3649  122,640	 Icaapi.dll
   5/29/2001    10:19a   5.0.2195.3649   93,456	 Licmgr.exe
   5/30/2001    04:48p   5.0.2195.3657  330,000	 Lserver.exe

   5/30/2001    04:50p   5.0.2195.3649   26,384	 Mstlsapi.dll
   5/29/2001    10:19a   5.0.2195.3649  141,584	 Termsrv.exe
   5/30/2001    04:50p   5.0.2195.3649   23,312	 Tls236.dll
IMPORTANT: This hotfix must be applied to all Terminal Servers and Terminal Services Licensing Servers. Only TS CAL tokens that are issued after the application of this hotfix will utilize re-issuance logic.
The updated files to correct the problem that is described in this article are superceded by files provided through the following Microsoft Knowledge Base article and included in Security Update MS01-52. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

307454 MS01-052: Invalid RDP Data Can Cause Terminal Services Failure

Microsoft recommends that you read the Security Update bulletin, and then apply the fix that is available as a download from the bulletin if you determine that your computer may be at risk. This will also correct the problems that are described in this article.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

Post Logon License Token Issuance

Current Behavior

Windows 2000 Terminal Servers issue Terminal Services CAL (TS CAL) tokens to all clients after they connect by using the Terminal Services client. The TS CAL token is presented to the device before a user enters credentials and is granted or denied access to connect.

Enhanced Behavior

When an unlicensed client connects for the first time, the Terminal Server issues a temporary TS CAL token. After the user has logged into the session, the Terminal Server instructs the License Server to mark the issued temporary TS CAL token as being validated. The next time the client connects, an attempt is made to upgrade the validated temporary TS CAL token to a full TS CAL token. If no license tokens are available, the temporary TS CAL token will continue to function for 90 days.

This enhancement is designed to prevent TS CALs from being inadvertently allocated to devices that are not intended to be licensed for Terminal Services usage. To allocate a TS CAL token to a device, a successful logon to a Terminal Server must occur. However, this does not prevent users who are authorized to log on to a Terminal Server from logging on from devices that the organization does not intend to license. If this happens, a TS CAL token is still assigned to the device.

Automatic License Token Re-issuance

Current Behavior

TS CAL tokens are issued for each device, and are stored locally on each device that connects to a Windows 2000 Terminal Server. If a device loses this TS CAL token through hard disk failure, clean reinstallation, or other method, the TS CAL token remains assigned to that device. The only way to recover this TS CAL token is to place a phone call to the Microsoft Clearinghouse. The telephone number is (888) 571-2048.

Enhanced Behavior

An expiration period has been added to each TS CAL token that is issued. This expiration period is a random number of days between 52-89 days of issuance. When a client connects to a Terminal Server, this date is checked. If the expiration is within 7 days, the Terminal Server connects to the License Server and renews the TS CAL token, giving it another expiration period of 52-89 days. If the License Server is not available, the TS CAL token functions as normal, with the Terminal Server attempting to replace it at each login. Upon expiration, the License Server returns any TS CAL token that has not been renewed to the group of available license tokens.

For example, an unlicensed device connects and receives a TS CAL token with an expiration period set at the maximum of 89 days. The device's operating system is then reinstalled. The device then connects again. Because no other TS CAL tokens are available, the device is issued a temporary TS CAL token so it can connect for 90 days. On day 89, the original TS CAL token is returned to the group of available licenses. The next time this device connects, the Terminal Server presents the device with the full TS CAL token that was returned to the group of available license tokens.

With the addition of these fixes, it should not be necessary to call the Microsoft Clearinghouse to recover lost license tokens. If a device loses its license token, the administrator can be confident that license tokens that are issued after the enhancement was installed will be recovered automatically.

IMPORTANT: There are a few cases in which license tokens will not be recovered automatically:
  • License tokens are issued prior to the installation of this hotfix. Only TS CAL tokens that are issued after the installation of this fix will utilize the re-issuance logic. A TS CAL token that is issued to a device prior to the installation of this hotfix will remain assigned to that device. The Clearinghouse must be contacted to recover any TS CAL tokens that are issued prior to the installation of this hotfix. Because of this, it is important that this hotfix be installed on all Terminal Servers and Terminal Services Licensing Servers in an enterprise.
  • Catastrophic failure that results in the loss of the licensing database. In the event of a failure that results in the loss of the licensing database when a known good backup is not available, Terminal Services Licensing must be reinstalled and reactivated. The Clearinghouse will then need to reissue any previously issued License Key Packs. The License Key Packs that were originally issued are based on the License Server ID at the time of issuance. If the License Server ID changes, License Key Packs that are based on the old License Server ID cannot be installed.
NOTE: These enhancements are designed to reduce the administrative overhead in managing Terminal Services Licensing. The terms of the licensing agreements for Terminal Services remains unchanged. As in the Terminal Services End User License Agreement (EULA), each device that connects to a Windows 2000 Terminal Server must be allocated a Terminal Services CAL (or be running Windows 2000 Professional).

315404 Clients with Expired Temporary License May Be Unable to Connect

311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Expired License Handling

A cleanup process runs daily on the license server. The process looks for any license tokens that have not been renewed (i.e. that are completely expired) and returns them to the available pool. Clients do not have to connect for expired license tokens to be recovered.
Modification Type:MajorLast Reviewed:10/16/2006
Keywords:kbHotfixServer kbQFE kbbug kbenv kbfix kbgraphxlinkcritical kbTermServ kbWin2000PreSP3Fix kbWin2000sp3fix KB287687
©2004 Microsoft Corporation. All rights reserved.