Published: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is used by various vendors of network access servers and clients. A server running Routing and Remote Access supports CHAP so that remote access clients that require CHAP are authenticated. Because CHAP requires the use of a reversibly encrypted password, you should consider using another authentication protocol, such as MS-CHAP version 2.

To enable CHAP-based authentication, you must do the following:

  1. Enable CHAP as an authentication protocol on the remote access server. CHAP is disabled by default.

  2. Enable CHAP on the appropriate network policy.

  3. Enable storage of a reversibly encrypted form of the user password.

    You can enable storage of a reversibly encrypted form of the user password per user account or enable storage for all accounts in a domain.

  4. Force a reset of the user password so that the new password is in a reversibly encrypted form.

    When you enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly encrypted form and are not automatically changed. You must either reset user passwords or set user passwords to be changed the next time each user logs on.

    If you set user passwords to be changed the next time a user logs on, the user must log on by using a local area network (LAN) connection and change the password before the user attempts to log on with a remote access connection by using CHAP. You cannot change passwords during the authentication process by using CHAP; the logon attempt fails. One workaround for the remote access user is to temporarily log on by using MS-CHAP to change the password.

  5. Enable CHAP on the remote access client.

Additional considerations

  • If your password expires, CHAP cannot change passwords during the authentication process.

  • Make sure your network access server (NAS) supports CHAP before you enable it on a network policy on an NPS server. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with CHAP.