SSL Connections and Client Access Licenses
In a discussion about implementing IIS 5.0, the Microsoft article "Deploying Windows 2000 with IIS 5.0 for Dot Coms: Best Practices" (http://www.microsoft.com/technet/iis/iisdtcom.asp) says, "Dot-com businesses must purchase enough Client Access Licenses (CALs) for all Secure Sockets Layer (SSL) connections."
Win2K requires you to have a CAL for each user that logs on, and the system limits the number of authenticated simultaneous logons to the number of CALs that you've purchased. The Win2K License Logging Service enforces this rule. If you disable this service, Win2K limits you to 10 connections.
Unknown to most administrators, a second counter, the SSL connection counter, exists separately from the authenticated user counter. Win2K and Win2K SP1 limit the number of SSL connections, even anonymous ones, to the number of CALs. An SSL session doesn't actually consume a CAL. In other words, if you have 10 CALs, you can have 10 authenticated users and 10 anonymous SSL connections simultaneously. Nevertheless, the limit on SSL connections exists, and if you exceed that limit, you get this message:
HTTP 403.15 - Forbidden: Client Access Licenses exceeded
Internet Information Services
The number of authenticated users has exceeded the number of Client Access Licenses (CAL).
It doesn't make sense that Win2K limits the number of anonymous SSL connections to the number of CALs that you've purchased, and Microsoft Product Support Services (PSS) has released a fix. For information about exceeding CALs in IIS 5.0, see the Microsoft article "Error Message: HTTP 403.15 - Forbidden: Client Access Licenses Exceeded" (http://support.microsoft.com/support/kb/articles/q264/9/08.asp). You can modify the registry to stop IIS 5.0 from checking in with the License Logging Service for permission to create an SSL session. To the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters subkey, add the value name EnableCAL, of data type REG_DWORD and a value of 0. The Microsoft article "What's New in the Windows 2000 Server Licensing Model" (http://www.microsoft.com/windows2000/guide/server/pricing/changes.asp) explains that you won't violate your license agreement with Microsoft if you don't have as many CALs as you do anonymous SSL connections.
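The following script is an added example, not code from the article or from Microsoft, that audits the registry value described above and, with -Apply, sets it. The key path, value name EnableCAL, type REG_DWORD and data 0 come from the article; the function names, the state labels and the -Apply switch are assumptions of this example. PowerShell postdates Windows 2000, so on an actual Win2K host you would make the same change with regedit or reg.exe.

```powershell
# Added example (not from the article): audit and optionally set the EnableCAL value
# that stops IIS 5.0 from consulting the License Logging Service for SSL sessions.
# Assumes the W3SVC Parameters key exists and the script runs as Administrator.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$ValueName = 'EnableCAL'

function Get-IisSslCalCheckState {
    # Reports how IIS will treat the SSL connection counter:
    #   'KeyMissing' - W3SVC Parameters key absent (IIS not installed?)
    #   'NotSet'     - value absent: IIS checks with License Logging (the default)
    #   'Disabled'   - EnableCAL = 0: the article's fix is in place
    #   'Enforced'   - EnableCAL present but non-zero: check still performed
    if (-not (Test-Path $KeyPath)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enforced'
}

function Disable-IisSslCalCheck {
    # Creates or overwrites EnableCAL as REG_DWORD 0 and returns the resulting state.
    if (-not (Test-Path $KeyPath)) { throw "W3SVC Parameters key not found: $KeyPath" }
    $existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0
    }
    return Get-IisSslCalCheckState
}

"SSL CAL check before: $(Get-IisSslCalCheckState)"
if ($Apply) {
    "SSL CAL check after:  $(Disable-IisSslCalCheck)"
}
```

Run it without arguments first to see whether a server is still subject to the SSL counter, then with -Apply to set the value. Values under a service's Parameters key are normally read when the service starts, so restart the W3SVC service after applying, and keep the audit output with the change record so the deviation from the default is documented.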
SSL and Wildcards
In IIS 4.0, if you host multiple sites or multiple servers that end in the same domain name (e.g., mysite.com), you can use a wildcard (e.g., *.mysite.com) in the common name (CN) portion of a certificate and bind that certificate to all the sites or servers. (You can use wildcards if your licensing permits multiple use.) Unfortunately, IIS 5.0 doesn't support CN wildcards. If an IIS 5.0 server's CN doesn't match the DNS name, a user's browser will display a message saying the certificate doesn't match the requested site and asking whether the user is sure he or she trusts the site. This isn't the type of message that e-businesses want users to see.
Microsoft plans a hotfix to correct IIS 5.0's inability to use CN wildcards. (Win2K SP1 doesn't fix the problem.) For more information about CN wildcards, see the Microsoft article "Accepted Wildcards Used by Server Certificates for Server Authentication" (http://support.microsoft.com/support/kb/articles/q258/8/58.asp).
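To make concrete what "the CN doesn't match the DNS name" means for the browser warning described above, here is an added example, not code from the article or from any browser, of the name-matching decision a client makes when it compares a certificate's common name with the host name it requested. The rules it implements (case-insensitive comparison; a single "*" honoured only as the whole leftmost label, matching exactly one label) are the commonly implemented ones; browsers of the IIS 4.0/5.0 era varied in the details, and the function name and the host names in the sample table are constructed for this example.

```powershell
# Added example (not from the article): does a certificate CN cover a requested host name?
# Returns $true when a browser would accept the name without a mismatch warning.
function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory)][string]$CommonName,  # CN field from the certificate
        [Parameter(Mandatory)][string]$HostName     # name the browser requested
    )
    $cn   = $CommonName.ToLowerInvariant()
    $name = $HostName.ToLowerInvariant()

    # Ordinary (non-wildcard) certificate: the names must be identical.
    if ($cn -eq $name) { return $true }

    # A wildcard is honoured only as the entire leftmost label, e.g. *.mysite.com.
    if (-not $cn.StartsWith('*.')) { return $false }
    $suffix = $cn.Substring(1)                       # ".mysite.com"

    # The host must end with that suffix and have exactly one label in front of it:
    # www.mysite.com matches, but mysite.com (no label) and a.b.mysite.com (two) do not.
    if (-not $name.EndsWith($suffix)) { return $false }
    $prefix = $name.Substring(0, $name.Length - $suffix.Length)
    return ($prefix.Length -gt 0) -and (-not $prefix.Contains('.'))
}

# Constructed sample: what users of various hosts see with a *.mysite.com certificate.
$cases = @(
    @{ Host = 'www.mysite.com'  },
    @{ Host = 'Shop.MySite.com' },
    @{ Host = 'mysite.com'      },   # bare domain is not covered by the wildcard
    @{ Host = 'a.b.mysite.com'  },   # wildcard spans one label only
    @{ Host = 'www.mysite.org'  }
)
foreach ($c in $cases) {
    $ok = Test-CertificateNameMatch -CommonName '*.mysite.com' -HostName $c.Host
    $verdict = if ($ok) { 'accepted' } else { 'browser warns: certificate name mismatch' }
    '{0,-18} {1}' -f $c.Host, $verdict
}
```

The last two sample rows are the cases that matter when planning certificates: a wildcard certificate does not cover the bare domain or deeper subdomains, so a server that must present a single name to every host (as IIS 5.0 does without the hotfix) needs a certificate whose CN is exactly the name users type, or one certificate per site.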
Upgrade to IIS 5.0
Many other differences exist between IIS 5.0 and IIS 4.0, including changes in ASP, ODBC connection sharing, COM+, MetaEdit, security wizards and templates, and the registry. Most changes in IIS 5.0 are significant improvements and are clearly Microsoft's responses to the lessons learned in IIS 4.0. I encourage you to upgrade to IIS 5.0 as soon as feasible.
However, when you upgrade your system, remember that IIS 5.0 contains significant and hidden differences that can affect how you implement security, tuning, and coding. Now that you know about these changes, your IIS 5.0 upgrade can be more reliable, secure, and enjoyable.