Challenge Handshake Authentication Protocol (CHAP)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Challenge Handshake Authentication Protocol (CHAP)

Challenge Handshake Authentication Protocol (CHAP) is a widely supported authentication method in which a representation of the user's password, rather than the password itself, is sent during the authentication process. With CHAP, the remote access server sends a challenge to the remote access client. The remote access client uses a hash algorithm (also known as a hash function) to compute a Message Digest-5 (MD5) hash result based on the challenge and a hash result computed from the user's password. The remote access client sends the MD5 hash result to the remote access server. The remote access server, which also has access to the hash result of the user's password, performs the same calculation using the hash algorithm and compares the result to the one sent by the client. If the results match, the credentials of the remote access client are considered authentic. A hash algorithm provides one-way encryption, which means that calculating the hash result for a data block is easy, but determining the original data block from the hash result is mathematically infeasible.

To configure a connection for CHAP, see Configure identity authentication and data encryption settings.


  • You cannot use Microsoft Point-to-Point Encryption (MPPE) if CHAP is used to authenticate the connection.

  • If you are using CHAP to authenticate a connection to a remote access server running Windows 2000 and Routing and Remote Access, the user account of the connecting client must be configured to allow the storage of the password in a reversibly encrypted form. For more information on configuring user accounts for storing a reversibly encrypted form of a password, see Enable reversibly encrypted passwords in a domain.