What is Active Directory Licensing?
axes4 provides Active Directory licensing for organizations that operate an in-house Windows Active Directory (AD).
Active Directory licensing allows axes4 products to be licensed without any communication to axes4 servers.
The clients running an axes4 product must be a member of an Active Directory domain. Microsoft Entra ID (formerly Azure Active Directory) is not compatible; we provide separate Entra ID licensing for this.
Operating principle
The program folder of the axes4 license manager contains a JSON file that holds the following information, among other things:
- SID of the AD domain (hashed)
- Name of an AD group that contains the licensed users
- Number of licensed users
- Expiration date of the license
The file has the naming scheme LicenseToken_...json.
axes4 products periodically check the following points:
- Is the current user a member of a domain whose SID matches the SID in the license file?
- Is the current user a member of the AD group listed in the license file?
- Does the number of users in the AD group match the number of users in the license?
- Is the current date within the validity period of the license?
If all four conditions are met, our axes4 products are activated – otherwise they run in demo mode.
How to proceed using axesWord as an example
- The organization purchases a license for Active Directory licensing from axes4.
- The admin creates a new AD group (example: “axesWord Users”) and adds the domain users who use axesWord to this group.
- The admin provides axes4 with information about their domain, receives a license token file and distributes it to the clients that use axesWord via Group Policy.
- The admin adjusts the registry value for the license manager on the clients via Group Policy.
Technical details
PowerShell tool for creating the hashed SID
Active Directory licensing does not work with the name of a domain, but with its SID. To prevent axes4 from obtaining this potentially security-relevant information, the SID is hashed using a PowerShell tool, which we provide here.
The PowerShell script asks for the name of the domain and the AD group. If the domain is found, the tool creates a hash of the domain SID. The hashed SID and the AD group name are displayed on the command line; the admin then sends this information to axes4 by e-mail.
As always with PowerShell, the script can be viewed directly so that there is transparency about how the SID is hashed.
Deploying the license token file
Using the information from the PowerShell tool, axes4 creates a license token file (JSON file) containing the information described above and sends it to the licensees.
This file must be distributed to the axes4 License Manager program folder of the clients using Group Policy (or a comparable deployment tool). The default path is:
C:\Program Files\axes4 License Manager
Modification of the registry value for the license manager
To activate Active Directory licensing, a registry value must be set for one of the following keys (with descending priority during processing):
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\axes4\Licensing\Manager
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\Policies\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\axes4\Licensing\Manager
Within these keys, the license manager searches for a string value with the name ActiveConnections and the value domain.
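The client-side prerequisites described above (domain membership, a token file in the program folder, and the ActiveConnections value) can be verified with a short script. This is an added example, not axes4 code; the function name and output fields are hypothetical, and it assumes that the first key in the priority list that carries the value is the effective one.

```powershell
# Added example, not axes4 code. The function name and output fields are hypothetical.
function Test-Axes4AdLicensingClient {
    param(
        # Default program folder given on this page; override for custom installs.
        [string]$ProgramFolder = 'C:\Program Files\axes4 License Manager'
    )

    # Registry keys in the page's order of descending priority.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\axes4\Licensing\Manager'
        'HKLM:\SOFTWARE\axes4\Licensing\Manager'
        'HKCU:\Software\Policies\axes4\Licensing\Manager'
        'HKCU:\Software\axes4\Licensing\Manager'
    )

    # Assumption: the first key that carries ActiveConnections is the effective one.
    $effective = $null
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name 'ActiveConnections' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $effective = [pscustomobject]@{ Key = $key; Value = [string]$item.ActiveConnections }
            break
        }
    }

    # Token files follow the LicenseToken_...json naming scheme; each must at least parse as JSON.
    $tokens = @(Get-ChildItem -Path $ProgramFolder -Filter 'LicenseToken_*.json' -File -ErrorAction SilentlyContinue)
    $badTokens = @(foreach ($file in $tokens) {
        try { $null = Get-Content -Path $file.FullName -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop }
        catch { $file.Name }
    })

    # The client must be a member of an AD domain for this licensing mode.
    $domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    [pscustomobject]@{
        DomainJoined     = $domainJoined
        EffectiveKey     = if ($effective) { $effective.Key } else { $null }
        ActiveConnection = if ($effective) { $effective.Value } else { $null }
        # A value under a Policies key is not writable by standard users by default.
        SetByPolicy      = [bool]($effective -and $effective.Key -like '*\Policies\*')
        TokenFiles       = $tokens.Name
        UnparsableTokens = $badTokens
        Ready            = $domainJoined -and $effective -and ($effective.Value -eq 'domain') -and
                           ($tokens.Count -gt 0) -and ($badTokens.Count -eq 0)
    }
}

Test-Axes4AdLicensingClient | Format-List
```

Run it in the context of the user who will start the axes4 product, because the two HKEY_CURRENT_USER keys are read from that user's hive.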
Changes to the AD group
If users are removed from the AD group or added to the AD group, domain clients do not update this information immediately. For performance reasons, we deliberately do not refresh the AD groups. It can therefore take up to 10 minutes after a user has been added until their group membership is confirmed and they are correctly licensed.
Random check of the number of licensed users
Counting the members of an AD group is a slow operation on the Windows AD side. To avoid overloading the domain controllers, this check takes place only sporadically, depending on the number of users.
AD subgroups, subdomains
The group of licensed users can contain subgroups.
It is also possible to add users or groups from subdomains to a parent domain group. If desired, a single license file can therefore be used for a parent domain and for several subdomains.
Exceeding the number of licensed users
If the AD group contains more members than specified in the license token file, and the random algorithm selects a client to count the group members, that one client will not be licensed. If the number of group members remains too high, the same happens to subsequent clients. All other clients are not affected.
Flat licenses
Active Directory licensing includes the option of issuing flat licenses if an organization wishes to license all of its employees. There are two options:
Domain Flat
The system only checks whether a user belongs to the correct AD domain. There is no check for membership in an AD group.
Group Flat
The system checks whether a user belongs to the correct AD domain and whether they are a member of the specified AD group. An admin can use this group membership to control who receives a license. In contrast to standard AD licensing, the license manager in Group Flat does not check how many users are in the AD group.