Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The Windows Server 2003 family includes support for the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), also known as MS-CHAP version 1. MS-CHAP is a nonreversible, encrypted password authentication protocol. The challenge handshake process works as follows:

  1. The authenticator (the remote access server or the IAS server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.

  2. The remote access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password.

  3. The authenticator checks the response and, if valid, the user's credentials are authenticated.

If you use MS-CHAP as the authentication protocol, then you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the data sent on the PPP or PPTP connection.

The Windows Server 2003 family also includes support for MS-CHAP version 2. MS-CHAP version 2 provides stronger security for remote access connections than MS-CHAP. You should consider using MS-CHAP version 2 instead of MS-CHAP. For more information, see MS-CHAP version 2.

Enabling MS-CHAP

To enable MS-CHAP-based authentication, you must do the following:

  1. Enable MS-CHAP as an authentication protocol on the remote access server. For more information, see Enable authentication protocols. MS-CHAP is enabled by default.

  2. Enable MS-CHAP on the appropriate remote access policy. For more information, see Introduction to remote access policies and Configure authentication. MS-CHAP is enabled by default.

  3. Enable MS-CHAP on the remote access client. For more information, see Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).


  • MS-CHAP (version 1 and version 2) is the only authentication protocol provided with the Windows Server 2003 family that supports password change during the authentication process.

  • By default, the Windows Server 2003 family implementation of MS-CHAP v1 does not support LAN Manager authentication. If you want to allow the use of LAN Manager authentication with MS-CHAP v1 for older operating systems such as Windows NT 3.5x and Windows 95, you must set the following registry value to 1 on the authenticating server:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication

    Windows 2000 Server supports LAN Manager authentication by default. Upgrading a computer running Windows 2000 Server to a member of the Windows Server 2003 family preserves the existing Allow LM Authentication setting.

  • If MS-CHAP v1 is used as the authentication protocol, a 40-bit encrypted connection cannot be established if the user's password is larger than 14 characters. This behavior affects both dial-up and virtual private network-based remote access and demand dial connections.


  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.