Microsoft Challenge Handshake Authentication Protocol v1

Applies To: Windows Server 2008, Windows Server 2008 R2

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), also known as MS-CHAP version 1, is a nonreversible, encrypted password authentication protocol. The challenge handshake process works as follows:

  1. The authenticator — the network access server (NAS) or the server running Network Policy Server (NPS) — sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string.

  2. The access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password.

  3. The authenticator checks the response and, if valid, the user credentials are authenticated.
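The following Go program is an added example, not part of the original documentation: it implements the NT challenge-response of step 2 and the authenticator's check in step 3 as specified in RFC 2433, where the "nonreversible encryption" is DES over the 8-byte challenge keyed from the 16-byte NT password hash (the MD4 step that produces the hash from the password is assumed done elsewhere; the hash and challenge below are constructed sample values, and the function names are this example's own).

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"fmt"
	"math/bits"
)

// expandDesKey: each 7-bit group of the 56-bit fragment goes in the high bits of a byte, low bit is odd parity (DES key form).
func expandDesKey(key7 []byte) []byte {
	var acc uint64
	for _, b := range key7 {
		acc = acc<<8 | uint64(b)
	}
	key8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		v := byte(acc&0x7f) << 1
		if bits.OnesCount8(v)%2 == 0 {
			v |= 1
		}
		key8[i], acc = v, acc>>7
	}
	return key8
}

// NtChallengeResponse zero-pads the 16-byte NT hash to 21 bytes, splits it into three
// 7-byte DES keys and encrypts the challenge under each: 24 bytes, computed from the hash alone.
func NtChallengeResponse(challenge [8]byte, ntHash [16]byte) [24]byte {
	padded := append(ntHash[:], 0, 0, 0, 0, 0) // 21 bytes; append allocates, ntHash is untouched
	var resp [24]byte
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(expandDesKey(padded[i*7 : i*7+7])) // key is always 8 bytes, so no error
		blk.Encrypt(resp[i*8:i*8+8], challenge[:])
	}
	return resp
}

// VerifyResponse is the authenticator's check (step 3): recompute from the stored hash and compare.
func VerifyResponse(challenge [8]byte, ntHash [16]byte, resp [24]byte) bool {
	expected := NtChallengeResponse(challenge, ntHash)
	return subtle.ConstantTimeCompare(expected[:], resp[:]) == 1
}
func main() {
	// Constructed sample challenge and NT hash, not taken from a real session.
	challenge := [8]byte{0x10, 0x2d, 0xb5, 0xdf, 0x08, 0x5d, 0x30, 0x41}
	ntHash := [16]byte{0xfc, 0x15, 0x6a, 0xf7, 0xed, 0xcd, 0x6c, 0x0e, 0xdd, 0xe3, 0x33, 0x7d, 0x42, 0x7f, 0x4e, 0xac}
	resp := NtChallengeResponse(challenge, ntHash)
	fmt.Printf("response %x valid=%v\n", resp, VerifyResponse(challenge, ntHash, resp))
}
```

Only the NT response field is computed here; the separate LAN Manager response field is left out, matching the default described under Additional considerations.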

If you use MS-CHAP as the authentication protocol, then you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the data sent on the PPP or PPTP connection.

MS-CHAP version 2 provides stronger security for network access connections than MS-CHAP. Consider using MS-CHAP version 2 instead of MS-CHAP.

Enabling MS-CHAP

To enable MS-CHAP-based authentication, you must do the following:

  1. Enable MS-CHAP as an authentication protocol on the network access server.

  2. Enable MS-CHAP on the appropriate network policy in NPS.

  3. Enable MS-CHAP on the access client.

Additional considerations

Following are additional things to consider before deploying MS-CHAP:

  • By default in Windows Server 2008, MS-CHAP v1 does not support LAN Manager authentication. If you want to allow the use of LAN Manager authentication with MS-CHAP v1 for older operating systems such as Windows NT 3.5x and Windows 95, see NPS: LAN Manager Authentication.

  • If MS-CHAP v1 is used as the authentication protocol, a 40-bit encrypted connection cannot be established if the user password is larger than 14 characters. This behavior affects both dial-up and VPN-based remote access and demand-dial connections.