Applies To: Windows Server 2008, Windows Server 2008 R2

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) is a one-way encrypted password, mutual authentication process that works as follows:

  1. The authenticator (the remote access server or the NPS server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.

  2. The remote access client sends a response that contains:

    • The user name.

    • An arbitrary peer challenge string.

    • A one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.

  3. The authenticator checks the response from the client and sends back a response containing:

    • An indication of the success or failure of the connection attempt.

    • An authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user password.

  4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.

Enabling MS-CHAP v2

To enable MS-CHAP v2-based authentication, you must do the following:

  1. Enable MS-CHAP v2 as an authentication protocol on the remote access server.

  2. Enable MS-CHAP v2 on the appropriate network policy. MS-CHAP v2 is enabled by default.

  3. Enable MS-CHAP v2 on the remote access client.

Additional considerations

  • MS-CHAP v2 is the only authentication protocol provided with the Windows Server® 2008 family that supports password change during the authentication process.

  • Make sure your network access server (NAS) supports MS-CHAP v2 before you enable it on a network policy on an NPS server. For more information, see your NAS documentation.