Password Authentication Protocol

Applies To: Windows Server 2008, Windows Server 2008 R2

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically negotiated if the access client and network access server (NAS) cannot negotiate a more secure authentication method.

To enable PAP-based authentication, you must do the following:

  1. Enable PAP as an authentication protocol on the network access server.

  2. Enable PAP on the appropriate network policy in Network Policy Server (NPS).

  3. Enable PAP on the access client.


When you enable PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone capturing the packets of the authentication process can easily read the password and use it to gain unauthorized access to your intranet. The use of PAP is highly discouraged, especially for virtual private network connections.

Additional considerations

Following are additional things to consider before deploying PAP:

  • If you deploy a dial-up server, by disabling the support for PAP on the NAS you ensure that plaintext passwords are never sent by dial-up clients. Disabling support for PAP increases authentication security, but remote access clients who only support PAP cannot connect.

  • When users passwords expire, PAP does not provide the ability for them to change passwords during the authentication process.

  • Make sure your NAS supports PAP before you enable it on a network policy on an NPS server. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP.