Terminal Server CAL Allocation Process – Part 2: CAL Allocation Process

If you missed the first article in this series please read Terminal Services CAL Allocation Process (Part 1).

In this two-part article, readers will get a step-by-step look at the Terminal Services CAL allocation process in a Windows Server 2003 Terminal Server environment.  Part one focused on background information, including the various CAL types and licensing modes of Terminal Servers. 

In part two, we build on this information and include step-by-step walkthroughs of various scenarios, including detailed flowcharts of the process.  You are strongly encouraged to review part one of this article before proceeding, if you have not already done so.

Per-User CAL Allocation Process

The Per-User CAL allocation process is significantly simpler than Per-Device because most of the process is disabled when the Terminal Server is in per-user mode.  As you will see below, the only thing checked is whether the Terminal Server can contact a license server, and if so, it accepts the connection.  The following flowchart (figure 1) illustrates the process.


Figure 1

Per-User Mode Walkthrough

The following steps just reiterate the flowchart above.

  1. The client connects to the Terminal Server.
  2. The Terminal Server checks to see that it can contact a license server.

    1. If a license server cannot be located, then the connection is denied.
    2. If a license is found, the connection is accepted.

Per-Device Mode Allocation Process

When a Terminal Server is in per-device mode, the allocation process is much more involved.  Many variables steer the process in different directions, such as if the client already has a Temporary CAL, if the license server activated, or if there Full CALs available.  The following flowchart (figure 2) lists the complete process for all possible scenarios. 


Figure 2 (click to enlarge image)

Per-Device Mode Walkthrough(s)

Using the flowchart above, we will walk through the following three scenarios:

  • A client connecting that has no existing TS CAL
  • A client connecting with an existing Temp CAL
  • A client connecting with an existing Full CAL

Client with No Existing CAL

If a client does not have an existing Terminal Services CAL, the Terminal Server can still accept the connection if it is within its grace period.  However, once the grace period has ended, the client must either have a temporary CAL or a full CAL for the connection to be successful.  Remember, the grace period ends as soon as the Terminal Server discovers a license server on the network.  The following scenario assumes the grace period has ended.

  1. The client connects to the Terminal Server.
  2. The client presents its hardware ID from the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\HardwareID

    Note:

    This unique hardware ID is generated automatically by the computer when the MSLicensing key is created. 
  3. The Terminal Server checks to see if a license server can be contacted.

    1. If no license server was found, the License Server Discovery Process is started in an attempt to locate a license server.  If a license server cannot be located, then the connection request is denied.

    2. If the license server has been found, the Terminal Server requests a Temporary CAL for the client, and forwards the hardware ID, client name and user name of the client.

  4. The license server sends the Temporary CAL to the Terminal Server, which in turn forwards the CAL to the client.

  5. The client stores the Temporary CAL in its registry under:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Store00x

  6. The client completes the connection.

  7. Upon successful logon, the Terminal Server instructs the license server to mark the Temporary CAL as validated (or used).  From that point on, the Terminal Server will attempt to upgrade the Temporary CAL to a Full (permanent) CAL on each subsequent connection.
    Note:
    The process of validating the Temporary CAL ensures that only a client who has successfully logged on to the Terminal Server can obtain a Permanent CAL from the license server.  This prevents a DOS-style attack that plagued pre-SP3 Windows 2000 Terminal Servers.

Client with an Existing Temporary CAL

If a client has already been issued a Temporary CAL, then the Terminal Server will attempt to automatically upgrade the client to a permanent (Full) CAL each time the client connects.  If the Terminal Server is unable to upgrade the CAL, then the client may continue to connect to the Terminal Server until the Temporary CAL expires.

  1. The client connects to the Terminal Server.
  2. The client presents its Temporary CAL from the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Store00x
  3. The Terminal Server checks to see if it a license server can be contacted.

    1. If no license server was found, the License Server Discovery Process is started in an attempt to locate a license server.  If a license server cannot be located, then the connection request is permitted, provided the Temporary CAL has not expired.  If the CAL has expired, the connection request is denied.
    2. If the license server has been found, it checks if the license server has been activated and if there are any available Full CALs.  If there are no available Full CALs and the Temporary CAL has not yet expired, the connection is still permitted.  Otherwise, the connection is denied.

  4. When Full CALs are available, the license server will issue a Full CAL to the client, and perform the following:

    • Select a random expiration date, anywhere from 52-89 days.
    • Record the client’s hardware ID, client name, user name and Full CAL expiration date in the licensing database.
    • Decrement the CAL pool by 1.

  5. The license server sends the Full CAL to the Terminal Server, which in turn forwards the CAL to the client.
  6. The client stores the CAL in its registry under:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Store00x
  7. The client completes the connection.

Client with an Existing Full (Permanent) CAL

When a client has a Full CAL, that CAL has an expiration date associated with it, and it must be periodically renewed by the issuing license server.

  1. The client connects to the Terminal Server.
  2. The client presents its Full CAL from the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Store00x
  3. The Terminal Server checks the expiration date on the Full CAL presented by the client.

    • If the CAL is not due to expire within the next 7 days (or has not expired), the connection accepted.
    • If the CAL is set to expire within 7 days, the Terminal Server will attempt to renew the CAL.
    • If the CAL has already expired, the Terminal Server will attempt to issue a new CAL for the client.

    Renewing a CAL

    3.1. The Terminal Server checks to see if it can contact the issuing license server.

    1. If the issuing license server can be contacted, it will renew the existing CAL. Upon renewal, the issuing license server will generate a new expiration date for the CAL, update the license database and forward the new CAL to the Terminal Server.
    2. If the issuing license server cannot be contacted, the client may connect until the CAL expires.

    Issuing a New CAL

    3.2. The Terminal Server checks to see if any activated license servers have available CALs.

    1. If an activated license server is located, a new CAL will be issued on behalf of the client. The license server will:

      • Select a random expiration date, anywhere from 52-89 days.
      • Record the client’s hardware ID, client name, user name and Full CAL expiration date in the licensing database.
      • Decrement the CAL pool by 1.

    2. If an activated license server cannot be located, the connection is denied. Once a client has obtained a Temporary or Full CAL, it cannot be issued another Temporary CAL because the CAL already exists in the client’s registry.

  4. The license server sends the renewed or reissued CAL to the Terminal Server, which in turn forwards the CAL to the client.
  5. The client stores the CAL in its registry under:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Store00x
  6. The client completes the connection.

Final Notes

The CAL allocation process can seem complicated, but by understanding how the process works, you can better understand where things can go wrong and where to look when trouble arises.  Always verify the licensing mode of the Terminal Server in Terminal Services Configuration to be sure the server has not been inadvertently flipped from one mode to another.  Also, realize that the license server will never decrement the Per-User CAL pool(s) as these licenses are unmanaged.  Finally, check the event logs on the Terminal Server, License Server and the client for clues to where the trouble may lie.  In a future article, we will discuss troubleshooting techniques for locating where the process breaks down and how to correct it.

If you missed the first article in this series please read Terminal Services CAL Allocation Process (Part 1).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top