Microsoft KB Archive/264908

= Error Message: HTTP 403.15 - Forbidden: Client Access Licenses exceeded =

Article ID: 264908

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q264908



Notice
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When you connect to Microsoft Internet Information Services by using a browser, you may receive the following error message:

HTTP 403.15 - Forbidden: Client Access Licenses exceeded

Internet Information Services

The number of authenticated users has exceeded the number of Client Access Licenses (CAL).

The Event Viewer may log the following error messages:

Event ID: 27

Source: W3SVC

Description: The server was unable to acquire a license for a SSL connection.

Event ID: 201

Source: LicenseService

Description: No license was available for user using product IIS 5.0.



CAUSE
This problem is caused by one of two things:
 * The number of authenticated users has exceeded the number of Client Access Licenses (CAL).
 * The number of Secure Socket Layer (SSL) users (anonymous or authenticated) has exceeded the number of CALs installed on the server.

Note If the License Logging Service is stopped, only ten concurrent SSL connections are accepted.



RESOLUTION
There are two counters at work in this scenario:
 * a counter for CALs
 * a counter for SSL connections

By default, the SSL connection limit is set to the number of CALs, which also applies to anonymous SSL connections. Microsoft is aware of this issue and a hotfix is available that will allow an unlimited number of SSL connections regardless of the number of CALs.

Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Hotfix information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date      Time       Version        Size     File name --  6/1/2000  9:46:36AM  5.0.2195.2096  356,112  W3svc.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section. This problem was first corrected in Windows 2000 Service Pack 2.



MORE INFORMATION
Note This section describes the behavior of the problem as it exists without the hotfix that is mentioned in the &quot;Resolution&quot; section.

SSL connection counting: Each SSL connection (anonymous or authenticated) decrements the SSL connection counter. This counter is initialized with the total number of CALs that are installed on the system. For example, if you have 10 CALs installed on a Web server, then the server will support up to 10 concurrent SSL connections.

To better understand CALs and SSL connection counting, review the following scenarios:
 * An anonymous user browses a public Web site. No CALs are consumed. Anonymous users do not consume CALs.
 * An anonymous user attempts to access a page that requires a logon. The user is authenticated and granted access to the page. One CAL is consumed. Each uniquely authenticated user consumes one CAL.
 * An anonymous user attempts to access a page that requires a logon. The user is authenticated and granted access to the page. The same user opens a second Web browser and browses to the same page. He or she authenticates with the same username. One CAL is consumed. Each uniquely authenticated user consumes one CAL regardless of the number of connections to the same server.
 * An anonymous user browses to a commerce Web site and shops, adding items to a shopping cart. When this user goes to pay (transition into an SSL session), one SSL connection is consumed for that username. No CALs are consumed. SSL connections do not consume CALs, but the total number of SSL connections is limited to the number of CALs installed on the Web server.
 * A Web server has 20 CALs installed. It can support up to 20 authenticated users in addition to 20 SSL (anonymous and/or authenticated) connections concurrently. If a user is authenticated and using SSL, then a CAL is consumed and the SSL connection counter is decremented by one. Only the act of authenticating requires a CAL. Internet Information Server maintains a separate counter for SSL connections.
 * An anonymous user browses to an intranet Web site. The same user is also authenticated to the same Web server by an external authentication mechanism such as a UNC network share (\\ \ ). One CAL is consumed. The anonymous account does not consume CALs, but authenticated users do.
 * An anonymous user attempts to access a page requiring a logon. The user is authenticated and is granted access to the page. The user is also authenticated to the same Web server by an external authentication mechanism such as a universal naming convention (UNC) network share (\\ \ ) to the same server. One CAL is consumed. Each uniquely authenticated user consumes one CAL when connecting to the same Web server regardless of multiple connections.