If your application authenticates users (so you are able to uniquely identified a user) then you need to comply with microsoft licencing in this area which means A CAL for every user, if and only if, all of your users are internal to the company or if they are external users, you can go down to routes:
- Use Windows Server Web Edition - This provides unlimited connections for authenticated users
- Buy a Windows External Connector Licence - Again unlimited authenticated connections, but can be used on any version of the server.
I'm assuming here you are using SQL to do your authentiation, if you used Active Directory then it's different. By far the cheapest option here is to use Web Edition.
Before anyone here starts talking about only needing to deal with authentication licences if you are using Window's authentication mechanisms, that used to be the case, however the new licence terms state, any authentication method, including using SQL for user account storage, requires the correct licensing. I wasn't aware of this until I had to deal with it recently.
This is how MS phrase it:
A Windows Server 2008 Client Access
License (CAL) must be purchased for
every user or device that accesses or
uses the Windows Server 2008 or
Windows Server 2008 R2 server
software, except under the following
circumstances:
- If the instances of the server software are accessed only through the
Internet, without access being
authenticated or otherwise
individually identified by the server
software or through any other means
- If the server software being accessed is Windows Web Server 2008,
Windows Web Server 2008 R2, Windows
Server 2008 Foundation, or Windows
Server 2008 R2 Foundation
- If external users are accessing the instances of the server software and a
Windows Server 2008 External Connector
license for each server being accessed
has been acquired
Se here for more detials