Wednesday, March 28, 2012

Microsoft SQL 2005 Licensing & ASP.NET applications

I am having a nightmare getting an answer about what type of licensing I will need for the standard addition of SQL Server 2005 for my asp.net application and wonder if anyone has any advice.

As I see it its very simple, I have a web app that makes a connection to SQL via a connection string using a single username and password, no impersonation just straight SQL authentication.

For this simple scenario I figured I would need to get a SQL 2005 license and then 1 Client access license (CAL), this being a nice affordable way of doing things BUT I am being told by different sources, that I may need to license on a per processor basis as any user of my web application, anonymous or otherwise needs a client access license and given that I don't know how many users are going to access my website I would need to go for the larger outlay and purchase two standard processor license (my sql server is a dual processor machine).

Can anyone tell me if this is the case, is a connection from a ASP.Net website to a SQL server for my website visitors regarded as a new client and therefore needs a client access license or the large investment of a per processor license?

I would stick with SQL Express but at 4gigs max it won't do the job.

Thanks in advance.

SQL Server license since 2000 is per processor not CAL and I cannot understand how you think you need just one CAL when you know Express 4gig is too small for your needs. Hope this helps.|||

No it doesn't help...

Microsoft advertise CAL as a licensing option along side the processor option and given its a web app with just one connection doing all the work why wouldn't I think I only need one CAL, do you have anything else to add?

|||The only way you can use one CAL is you have only one user, your other choice is to use the Smallbusiness Server SQL Server but I think you will get more from Express because the Smallbusiness Server comes with SQL Server 2000.|||

The small business server is overkill; it's a simple website using sql 2005 as the database.

Just to go over it again. I have a public internet facing website that creates a connection to SQL 2005, in my mind this is a single user, the website is the only user of the SQL server so in that case I need just one CAL, what do you think, that has to be correct doesn't it?

SQL 2005 isn't any use due to the 4gig limit.

|||

I have been in a shop with 68 SQL Servers trust me if 4gig is not enough for you, then you need a per processor license. And the Smallbusines server is not an over kill because you can choose to use only the SQL Server and it will cost you less than $1000 and 75 concurrent users.

|||

SBS is not an ideal for a single N-Tier application so we can forget that. 4gig isnt enough so we can discount Express. Now given we have cut through the dead wood and are now look at the heart of the matter, i will reiterate it just one more time:

If i have an ASP.NET application connecting to an SQL Server via a single connection am I able to use a single CAL?

If you are unsure of the answer please dont mention SBS or Express again otherwise we could be here all night :-)

|||The answer is no.|||Why?|||The answer is your single connection is just for the Asp.net worker process not a live user, and if you send email that is another user. The best thing to do is call your local Microsoft office and have a SQL Server local resource contact you.|||

So what you are saying is you dont know?

If the .net worker process connects and returns data I agree that's one client access, the SQL server isn't sending email or doing anything other than being a database so hence I conclusion that I only need to purchase a single CAL. The reason for my posting is because my Microsoft Office here seems unsure themselves!

|||No I am not telling you I don't know the number of cal you use depends on your write users how many will write in the database. So count your INSERT and UPDATE users and you will have an idea of how many cals you need and I don't think it will be one.|||

Why would it not be one user? In web application development it would be foolhardy to develop an application that allowed for multiple read write accounts when a website traditionally allows anonymous access. If you read most Microsoft best practices you will find that they specify a web application user account that allows for the execution of stored procedures and that's it no other accounts, no insert account or update account or a special forgotten sa account that lets Mr foobar hacker traverse directories via a script injection.

So given we hope that most web applications have minimal sql accounts do you agree that I need the bare minimum CAL's or do you have any other thoughts?

|||

No I don't the shop with 68 SQL Servers and one Oracle was a bank and every account is a write user. SQL injection is not permission related my MCDBA was when there are no books on SQL Server 7.0. The link below is one of the oldest software retailers online most of your questions are answered. Stored proc execution through DBO(database owner) is not related to write permissions. And SQL Server permissions are implemented by Microsoft but defined by ANSI SQL.

http://www.provantage.com/sql-server-standard-edition-32-bit-windows~220152612.htm

|||

Ok we are off the topic now and you kind of asked for this so sorry in advance...

SQL injection can relate to permissions, if you don't have the correct permissions you are susceptible to all sorts of injection if your web application allows it. You clearly have no experience of SQL in the environment that I entitled my original post and without descending into the kind of flaming exercise I have seen on many other forums, can i just say that roaming around posting glib answers may give you a large number at the end of your screen name but it isn't helping anyone and its making you look a little silly.

Oh and if had wanted the advice of a retailer I would of gone to my local supermarket and asked on of the chaps behind the till the question.

There I said it and now that this post has sunk to this level i guess I will need to ask my question else where!

No comments:

Post a Comment