Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation.

To enable PAP-based authentication, you must do the following:

  1. Enable PAP as an authentication protocol on the remote access server. For more information, see Enable authentication protocols. PAP is disabled by default.

  2. Enable PAP on the appropriate remote access policy. For more information, see Configure authentication. PAP is disabled by default.

  3. Enable PAP on the remote access client. For more information, see Password Authentication Protocol (PAP).


  • When you enable PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone capturing the packets of the authentication process can easily read the password and use it to gain unauthorized access to your intranet. The use of PAP is highly discouraged, especially for virtual private network connections.


  • By disabling the support for PAP on the remote access server, plaintext passwords are never sent by the dial-up client. Disabling support for PAP increases authentication security, but remote access clients who only support PAP cannot connect.

  • If your password expires, PAP cannot change passwords during the authentication process.

  • Make sure your network access server (NAS) supports PAP before you enable it on a remote access policy on an IAS server. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP.