Microsoft Challenge Handshake Authentication Protocol v1
Applies To: Windows Server 2008, Windows Server 2008 R2
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), also known as MS-CHAP version 1, is a nonreversible, encrypted password authentication protocol. The challenge handshake process works as follows:
The authenticator — the network access server (NAS) or the server running Network Policy Server (NPS) — sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string.
The access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password.
The authenticator checks the response and, if valid, the user credentials are authenticated.
If you use MS-CHAP as the authentication protocol, then you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the data sent on the PPP or PPTP connection.
MS-CHAP version 2 provides stronger security for network access connections than MS-CHAP. Consider using MS-CHAP version 2 instead of MS-CHAP.
To enable MS-CHAP-based authentication, you must do the following:
Enable MS-CHAP as an authentication protocol on the network access server.
Enable MS-CHAP on the appropriate network policy in NPS.
Enable MS-CHAP on the access client.
Following are additional things to consider before deploying MS-CHAP:
By default in Windows Server 2008, MS-CHAP v1 does not support LAN Manager authentication. If you want to allow the use of LAN Manager authentication with MS-CHAP v1 for older operating systems such as Windows NT 3.5x and Windows 95, see NPS: LAN Manager Authentication.
If MS-CHAP v1 is used as the authentication protocol, a 40-bit encrypted connection cannot be established if the user password is larger than 14 characters. This behavior affects both dial-up and VPN-based remote access and demand-dial connections.