Applies To: Windows Server 2008, Windows Server 2008 R2

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation.

PAP is included in Windows Server® 2008 so that:

  • Remote access clients running Windows 32-bit operating systems can connect to older remote access servers that do not support a secure authentication protocol.

  • Remote access clients running Microsoft operating systems that do not support a secure remote access protocol can connect to remote access servers running Windows 32-bit operating systems.

To enable PAP-based authentication, you must do the following:

  1. Enable PAP as an authentication protocol on the remote access server. PAP is disabled by default.

  2. Enable PAP on the appropriate network policy. PAP is disabled by default.

  3. Enable PAP on the remote access client.


When you enable PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone capturing the packets of the authentication process can easily read the password and use it to gain unauthorized access to your intranet. The use of PAP is highly discouraged, especially for virtual private network (VPN) connections.

Additional considerations

  • By disabling the support for PAP on the remote access server, plaintext passwords are never sent by the dial-up client. Disabling support for PAP increases authentication security, but remote access clients who only support PAP cannot connect.

  • If your password expires, PAP cannot change passwords during the authentication process.

  • Make sure your network access server (NAS) supports PAP before you enable it on a network policy on a server running Network Policy Server (NPS). For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP.