Just like the title says. Does each authenticated WCF client connection to a WCF server that you have developed need a Windows CAL?

http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx

Microsoft's licensing on that page sure makes it sound like it, but I can't find anything out there that confirms, or even denies this.

Anyone know?

+2  A: 

Yes, the answer is, you need a CAL or an external connector. If you have client systems or apps that access Windows Servers in an authenticated manner, then the clients need to be authorized either via a user-specific CAL, a device-specific CAL, or an external connector.

The CAL is appropriate for within-the-enterprise connections. The EC is for connections made from outside your enterprise, including partner companies, or the internet at large.

It does not matter whether you use WCF, DCOM, FTP, Telnet, or anything else to connect to Windows Server. For the purposes of licensing, the CAL-or-EC requirement doesn't distinguish between the technology used to communicate. The CAL-or-EC requirement comes in when you have authenticated access to the server, regardless of the kind.

Also according to the license, it does not matter if the authentication is performed by Active Directory. If you authenticate users with AD, then you need a CAL or EC, but if you authenticate with some other mechanism, for example, if you have an XML file with a list of users and password hashes, and your simple ASP.NET website authenticates users against that store, then you have authenticated access and you will need an EC or CAL for each user that authenticates.

The EC is not interchangeable with CALs. If you find that you have 500 internal users that need to authenticate, you cannot purchase a single EC and have them all covered according to the license. The External Connector is for External connections. Any licensing advisor that says an EC would be "a better solution" than buying CALs is misinformed. There is no decision to make. The Windows Server licensing terms are very clear (though maybe not broadly understood):

  • If you have internal users, you must buy CALs for each of them (or for each device they use).
  • If you have external users, you must buy an EC. Regardless of whether you have 3 or 3,000,000 external users, because they are external, you need an EC.

There is no choice to be made on your part, according to the licensing of Windows Server, whether to purchase CALs or EC. The requirement is set by the affiliation of the user. In fact in some cases you will need both CALs and an EC, if both internal and external users will authenticate to the same Windows Server.

The External Connector has an "Estimated Retail Price" of $1999US, but through a software distributor you will be able to get it much cheaper, even in single-digit units. Like $1300 or so. Likewise CALs have an "ERP" but you will pay less than ERP from software resellers.

Cheeso
A: 

What if I use Windows Web Server? Do I still have to buy User CALs for a web-application or web-based WCF service with its own authentication scheme on Windows Web Server? I thought Microsoft licensing makes an exception for Windows Web Server?

Second, here's what Microsoft says:

"You need a Client Access License for every user that you authenticate with the local SAM or Active Directory, except for the IUSR_servername account using anonymous authentication."

Does this mean form-based authentication works without CALs? Basically, in form-based authentication, IIS gets configured for anonymous access, it impersonates IUSR_servername to access the application, and passes credential tokens to the application which does its own authentication, including the case where credentials are validated against an XML file.

I could be wrong and Microsoft has the final say, though it seems like there are cases where you provide web access using non-Windows authentication and avoid paying for User CALs?

You should post new questions to new threads.
Cheeso