Article ID: 287687
Article Last Modified on 3/29/2007
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q287687
SYMPTOMS
This article describes two enhancements to Windows 2000 Terminal Services Licensing for Windows 2000 that are available as an update in Microsoft Security Bulletin MS01-052. These enhancements are Post Logon License Token Issuance and Automatic License Token Re-issuance. The Microsoft Security Bulletin MS01-052 also contains the fix that is described in the following Microsoft Knowledge Base article:
294729 Terminal Services Clients Consume Multiple Terminal Services CALs Because of Storage Issues
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The following files are available for download from the Microsoft Download Center:
![[GRAPHIC: Download]](/wiki/index.php?title=File:Download.gif){kind=small}
English Language Version
Chinese (Simplified) Language Version
Chinese (Traditional) Language Version
Czech Language Version
Dutch Language Version
French Language Version
German Language Version
Hungarian Language Version
Italian Language Version
Japanese Language Version
Korean Language Version
Polish Language Version
Portuguese (Brazilian) Language Version
Portuguese Language Version
Russian Language Version
Spanish Language Version
Swedish Language Version
Turkish Language Version
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
-------------------------------------------------------
5/30/2001 04:50p 5.0.2195.3649 122,640 Icaapi.dll
5/29/2001 10:19a 5.0.2195.3649 93,456 Licmgr.exe
5/30/2001 04:48p 5.0.2195.3657 330,000 Lserver.exe
5/30/2001 04:50p 5.0.2195.3649 26,384 Mstlsapi.dll
5/29/2001 10:19a 5.0.2195.3649 141,584 Termsrv.exe
5/30/2001 04:50p 5.0.2195.3649 23,312 Tls236.dll
IMPORTANT: This hotfix must be applied to all Terminal Servers and Terminal Services Licensing Servers. Only TS CAL tokens that are issued after the application of this hotfix will utilize re-issuance logic.
The updated files to correct the problem that is described in this article are superceded by files provided through the following Microsoft Knowledge Base article and included in Security Update MS01-52. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
307454 MS01-052: Invalid RDP Data Can Cause Terminal Services Failure
Microsoft recommends that you read the Security Update bulletin, and then apply the fix that is available as a download from the bulletin if you determine that your computer may be at risk. This will also correct the problems that are described in this article.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot
Post Logon License Token Issuance
Current Behavior
Windows 2000 Terminal Servers issue Terminal Services CAL (TS CAL) tokens to all clients after they connect by using the Terminal Services client. The TS CAL token is presented to the device before a user enters credentials and is granted or denied access to connect.
Enhanced Behavior
When an unlicensed client connects for the first time, the Terminal Server issues a temporary TS CAL token. After the user has logged into the session, the Terminal Server instructs the License Server to mark the issued temporary TS CAL token as being validated. The next time the client connects, an attempt is made to upgrade the validated temporary TS CAL token to a full TS CAL token. If no license tokens are available, the temporary TS CAL token will continue to function for 90 days.
This enhancement is designed to prevent TS CALs from being inadvertently allocated to devices that are not intended to be licensed for Terminal Services usage. To allocate a TS CAL token to a device, a successful logon to a Terminal Server must occur. However, this does not prevent users who are authorized to log on to a Terminal Server from logging on from devices that the organization does not intend to license. If this happens, a TS CAL token is still assigned to the device.
Automatic License Token Re-issuance
Current Behavior
TS CAL tokens are issued for each device, and are stored locally on each device that connects to a Windows 2000 Terminal Server. If a device loses this TS CAL token through hard disk failure, clean reinstallation, or other method, the TS CAL token remains assigned to that device. The only way to recover this TS CAL token is to place a phone call to the Microsoft Clearinghouse. The telephone number is (888) 571-2048.
Enhanced Behavior
An expiration period has been added to each TS CAL token that is issued. This expiration period is a random number of days between 52-89 days of issuance. When a client connects to a Terminal Server, this date is checked. If the expiration is within 7 days, the Terminal Server connects to the License Server and renews the TS CAL token, giving it another expiration period of 52-89 days. If the License Server is not available, the TS CAL token functions as normal, with the Terminal Server attempting to replace it at each login. Upon expiration, the License Server returns any TS CAL token that has not been renewed to the group of available license tokens.
For example, an unlicensed device connects and receives a TS CAL token with an expiration period set at the maximum of 89 days. The device's operating system is then reinstalled. The device then connects again. Because no other TS CAL tokens are available, the device is issued a temporary TS CAL token so it can connect for 90 days. On day 89, the original TS CAL token is returned to the group of available licenses. The next time this device connects, the Terminal Server presents the device with the full TS CAL token that was returned to the group of available license tokens.
With the addition of these fixes, it should not be necessary to call the Microsoft Clearinghouse to recover lost license tokens. If a device loses its license token, the administrator can be confident that license tokens that are issued after the enhancement was installed will be recovered automatically.
IMPORTANT: There are a few cases in which license tokens will not be recovered automatically:
- License tokens are issued prior to the installation of this hotfix. Only TS CAL tokens that are issued after the installation of this fix will utilize the re-issuance logic. A TS CAL token that is issued to a device prior to the installation of this hotfix will remain assigned to that device. The Clearinghouse must be contacted to recover any TS CAL tokens that are issued prior to the installation of this hotfix. Because of this, it is important that this hotfix be installed on all Terminal Servers and Terminal Services Licensing Servers in an enterprise.
- Catastrophic failure that results in the loss of the licensing database. In the event of a failure that results in the loss of the licensing database when a known good backup is not available, Terminal Services Licensing must be reinstalled and reactivated. The Clearinghouse will then need to reissue any previously issued License Key Packs. The License Key Packs that were originally issued are based on the License Server ID at the time of issuance. If the License Server ID changes, License Key Packs that are based on the old License Server ID cannot be installed.
NOTE: These enhancements are designed to reduce the administrative overhead in managing Terminal Services Licensing. The terms of the licensing agreements for Terminal Services remains unchanged. As in the Terminal Services End User License Agreement (EULA), each device that connects to a Windows 2000 Terminal Server must be allocated a Terminal Services CAL (or be running Windows 2000 Professional).
315404 Clients with Expired Temporary License May Be Unable to Connect
311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Expired License Handling
A cleanup process runs daily on the license server. The process looks for any license tokens that have not been renewed (i.e. that are completely expired) and returns them to the available pool. Clients do not have to connect for expired license tokens to be recovered.
Additional query words: kbTermServ win2000hotperf
Keywords: kbbug kbfix kbwin2000presp3fix kbgraphxlinkcritical kbqfe kbwin2000sp3fix kbenv kbtermserv kbhotfixserver KB287687
