CHAP

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to compute the response. CHAP is used by various vendors of network access servers and clients. A server running Routing and Remote Access supports CHAP so that remote access clients that require CHAP can be authenticated. Because CHAP requires that the user's password be stored in a reversibly encrypted form, you should consider using another authentication protocol, such as MS-CHAP version 2, instead.
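The following is an added example, not code from this article or from Windows, that walks through one CHAP round trip as defined in RFC 1994 and shows why step 3 below (reversibly encrypted password storage) is unavoidable: the server can only recompute the MD5 response if it holds the cleartext password. The user name, password and the SHA-256 stand-in for a one-way stored password are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (placeholders, not a real account).
USERNAME = "alice"
PASSWORD = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The Identifier is the one-octet value carried in the Challenge packet."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from the secret on file and compare in
    constant time. This only works when stored_secret is the cleartext password."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(server_secret: bytes, client_password: bytes) -> bool:
    """One complete Challenge -> Response -> Success/Failure round trip.
    server_secret is whatever the server has stored for the user."""
    identifier = os.urandom(1)[0]   # fresh Identifier for this challenge
    challenge = os.urandom(16)      # unpredictable challenge, never reused
    response = chap_response(identifier, client_password, challenge)   # client side
    return chap_verify(identifier, server_secret, challenge, response)  # server side


def one_way_hash(password: bytes) -> bytes:
    """Stand-in (assumption, not the Windows format) for a non-reversible stored
    password: a one-way digest from which the cleartext cannot be recovered."""
    return hashlib.sha256(password).digest()


if __name__ == "__main__":
    # With the reversibly stored (cleartext-recoverable) password, CHAP succeeds.
    print("reversible store:", chap_exchange(PASSWORD, PASSWORD))
    # With only a one-way hash on file, the server cannot recompute the response.
    print("one-way store:   ", chap_exchange(one_way_hash(PASSWORD), PASSWORD))
```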

To enable CHAP-based authentication, you must do the following:

  1. Enable CHAP as an authentication protocol on the remote access server. For more information, see Enable authentication protocols. CHAP is disabled by default.

  2. Enable CHAP on the appropriate remote access policy. For more information, see Introduction to remote access policies and Configure authentication.

  3. Enable storage of a reversibly encrypted form of the user's password.

    You can enable storage of a reversibly encrypted form of the user's password per user account or enable storage for all accounts in a domain. For more information, see Enable reversibly encrypted passwords in a domain.

  4. Force a reset of the user's password so that the new password is in a reversibly encrypted form.

    When you enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly encrypted form and are not automatically changed. You must either reset user passwords or set user passwords to be changed the next time each user logs on. For more information, see Reset a user password. Once the password is changed, it is stored in a reversibly encrypted form.

    If you set user passwords to be changed the next time a user logs on, the user must log on by using a LAN connection and change the password before attempting to log on with a remote access connection by using CHAP. You cannot change passwords during the authentication process by using CHAP; the logon attempt fails. One workaround for the remote access user is to temporarily log on by using MS-CHAP to change the password.

  5. Enable CHAP on the remote access client. For more information, see Challenge Handshake Authentication Protocol (CHAP).

Notes

  • If your password has expired, CHAP cannot change it during the authentication process.

  • Make sure your network access server (NAS) supports CHAP before you enable it on a remote access policy on an IAS server. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with CHAP.