MS-CHAP

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Windows Server 2003 family includes support for the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), also known as MS-CHAP version 1. MS-CHAP is a nonreversible, encrypted password authentication protocol: the password itself is never sent over the link; instead the client proves that it knows the password by encrypting a challenge with a key derived from it. The challenge handshake process works as follows:

  1. The authenticator (the remote access server or the IAS server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.

  2. The remote access client sends a response that contains the user name, the session identifier, and a nonreversible encryption of the challenge string computed from a hash of the user's password.

  3. The authenticator checks the response and, if valid, the user's credentials are authenticated.

If you use MS-CHAP as the authentication protocol, then you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the data sent on the PPP or PPTP connection.

The Windows Server 2003 family also includes support for MS-CHAP version 2. MS-CHAP version 2 provides stronger security for remote access connections than MS-CHAP. You should consider using MS-CHAP version 2 instead of MS-CHAP. For more information, see MS-CHAP version 2.

Enabling MS-CHAP

To enable MS-CHAP-based authentication, you must do the following:

  1. Enable MS-CHAP as an authentication protocol on the remote access server. For more information, see Enable authentication protocols. MS-CHAP is enabled by default.

  2. Enable MS-CHAP on the appropriate remote access policy. For more information, see Introduction to remote access policies and Configure authentication. MS-CHAP is enabled by default.

  3. Enable MS-CHAP on the remote access client. For more information, see Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

Notes

  • MS-CHAP (version 1 and version 2) is the only authentication protocol provided with the Windows Server 2003 family that supports password change during the authentication process.

  • By default, the Windows Server 2003 family implementation of MS-CHAP v1 does not support LAN Manager authentication. If you want to allow the use of LAN Manager authentication with MS-CHAP v1 for older operating systems such as Windows NT 3.5x and Windows 95, you must set the following registry value to 1 on the authenticating server:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication

    Windows 2000 Server supports LAN Manager authentication by default. Upgrading a computer running Windows 2000 Server to a member of the Windows Server 2003 family preserves the existing Allow LM Authentication setting.

  • If MS-CHAP v1 is used as the authentication protocol, a 40-bit encrypted connection cannot be established if the user's password is longer than 14 characters. The initial 40-bit MPPE session key is derived from the LAN Manager hash of the password (see RFC 3079), and Windows does not compute a LAN Manager hash for passwords longer than 14 characters. This behavior affects both dial-up and virtual private network-based remote access and demand-dial connections.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.