MS-CHAP version 2
The Windows Server 2003 family includes support for version 2 of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2), which provides stronger security for remote access connections. MS-CHAP v2 addresses several weaknesses of MS-CHAP version 1, as shown in the following table.
| MS-CHAP version 1 issue | MS-CHAP version 2 solution |
|---|---|
| LAN Manager encoding of the response used for backward compatibility with older Microsoft remote access clients is cryptographically weak. | MS-CHAP v2 no longer allows LAN Manager encoded responses. |
| LAN Manager encoding of password changes is cryptographically weak. | MS-CHAP v2 no longer allows LAN Manager encoded password changes. |
| Only one-way authentication is possible. The remote access client cannot verify that it is dialing in to its organization's remote access server or a masquerading remote access server. | MS-CHAP v2 provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password. |
| With 40-bit encryption, the cryptographic key is based on the user's password. Each time the user connects with the same password, the same cryptographic key is generated. | With MS-CHAP v2, the cryptographic key is always based on the user's password and an arbitrary challenge string. Each time the user connects with the same password, a different cryptographic key is used. |
| A single cryptographic key is used for data sent in both directions on the connection. | With MS-CHAP v2, separate cryptographic keys are generated for transmitted and received data. |
MS-CHAP v2 is a mutual authentication process based on a one-way encrypted password. It works as follows:
- The authenticator (the remote access server or the IAS server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.
- The remote access client sends a response that contains:
  - The user name.
  - An arbitrary peer challenge string.
  - A one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user's password.
- The authenticator checks the response from the client and sends back a response containing:
  - An indication of the success or failure of the connection attempt.
  - An authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user's password.
- The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
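The following is an added Python model of the four-step exchange above; it is not code from the original page or from Microsoft. It keeps the message structure the text describes (session identifier and authenticator challenge; user name, peer challenge and client response; success indication and authenticator response; client-side verification) but replaces the MD4/DES/SHA-1 construction of the real protocol (RFC 2759) with HMAC-SHA256, so its values are not interoperable with a real MS-CHAP v2 peer. The password-hash function, the `_prf` helper, the domain labels such as `b"client"` and `b"send"`, and the inclusion of the user name alongside the session identifier in the client response are assumptions made for this illustration. What the model demonstrates is the table's claims: a masquerading server that does not hold the password cannot produce the step-3 proof and the client terminates, and the derived keys differ per session and per direction.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """Stand-in for the stored password hash (real MS-CHAP v2 stores the NT
    hash, MD4 over the UTF-16LE password); SHA-256 is used here so the demo
    runs offline. Not interoperable with real peers."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in one-way function: HMAC-SHA256 over length-prefixed parts.
    RFC 2759 derives these values with SHA-1, MD4 and DES; this is not that."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def client_response(auth_chal, peer_chal, session_id, username, pwd_hash):
    """Step 2: one-way encryption of the authenticator's challenge, the peer
    challenge, the session identifier and the user's (hashed) password."""
    return _prf(pwd_hash, b"client", auth_chal, peer_chal, session_id, username.encode())


def authenticator_response(auth_chal, peer_chal, client_resp, pwd_hash):
    """Step 3: the authenticator's proof that it knows the password, bound to
    both challenges and to the client's own response."""
    return _prf(pwd_hash, b"authenticator", auth_chal, peer_chal, client_resp)


def session_keys(auth_chal, peer_chal, client_resp, pwd_hash):
    """Separate transmit/receive keys, each tied to this session's challenges."""
    send = _prf(pwd_hash, b"send", auth_chal, peer_chal, client_resp)
    recv = _prf(pwd_hash, b"recv", auth_chal, peer_chal, client_resp)
    return send, recv


class Authenticator:
    """Remote access server / IAS server side of the exchange."""

    def __init__(self, users):
        self.users = users      # user name -> password hash (constructed sample data)
        self.sessions = {}      # session identifier -> challenge string

    def challenge(self):
        sid, chal = secrets.token_bytes(4), secrets.token_bytes(16)   # step 1
        self.sessions[sid] = chal
        return sid, chal

    def verify(self, sid, username, peer_chal, resp):
        chal = self.sessions.pop(sid, None)
        pwd_hash = self.users.get(username)
        if chal is None or pwd_hash is None:
            return False, b""
        expected = client_response(chal, peer_chal, sid, username, pwd_hash)
        if not hmac.compare_digest(expected, resp):
            return False, b""   # failure indication; no authenticator response
        return True, authenticator_response(chal, peer_chal, resp, pwd_hash)


class MasqueradingAuthenticator(Authenticator):
    """A server that does not hold the password: it claims success and must
    fabricate the step-3 response, which the client will reject."""

    def verify(self, sid, username, peer_chal, resp):
        return True, secrets.token_bytes(32)


class Client:
    """Remote access client side of the exchange."""

    def __init__(self, username, password):
        self.username, self.pwd_hash = username, password_hash(password)

    def connect(self, server):
        """Returns (send_key, recv_key) on success, None if the connection is terminated."""
        sid, auth_chal = server.challenge()
        peer_chal = secrets.token_bytes(16)
        resp = client_response(auth_chal, peer_chal, sid, self.username, self.pwd_hash)
        ok, auth_resp = server.verify(sid, self.username, peer_chal, resp)
        if not ok:
            return None
        expected = authenticator_response(auth_chal, peer_chal, resp, self.pwd_hash)
        if not hmac.compare_digest(expected, auth_resp):
            return None         # step 4: server proof wrong, client terminates
        return session_keys(auth_chal, peer_chal, resp, self.pwd_hash)


def demo():
    """Runs the exchange against a genuine and a masquerading server."""
    server = Authenticator({"alice": password_hash("correct horse")})   # constructed
    good = Client("alice", "correct horse").connect(server)
    wrong = Client("alice", "wrong password").connect(server)
    rogue = Client("alice", "correct horse").connect(MasqueradingAuthenticator({}))
    again = Client("alice", "correct horse").connect(server)
    return {
        "genuine_server_accepted": good is not None,
        "wrong_password_rejected": wrong is None,
        "masquerading_server_rejected": rogue is None,
        "send_recv_keys_differ": good is not None and good[0] != good[1],
        "keys_differ_per_session": good is not None and again is not None and good[0] != again[0],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The genuine authenticator returns no key material on a failed check, and the client discards the connection whenever the step-3 proof does not match its own computation, which is the mechanism by which the "masquerading remote access server" row of the table is closed.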
Enabling MS-CHAP v2
To enable MS-CHAP v2-based authentication, you must do the following:
- Enable MS-CHAP v2 as an authentication protocol on the remote access server. For more information, see Enable authentication protocols. MS-CHAP v2 is enabled by default.
- Enable MS-CHAP v2 on the appropriate remote access policy. For more information, see Introduction to remote access policies and Configure authentication. MS-CHAP v2 is enabled by default.
- Enable MS-CHAP v2 on the remote access client. For more information, see Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
Notes
- Windows 95 with the Windows Dial-Up Networking 1.3 Performance & Security Upgrade for Windows 95 supports MS-CHAP v2 for virtual private network (VPN) connections but not for dial-up connections.
- MS-CHAP (version 1 and version 2) is the only authentication protocol provided with the Windows Server 2003 family that supports password change during the authentication process.
- Make sure your network access server (NAS) supports MS-CHAP v2 before you enable it on a remote access policy on an IAS server. For more information, see your NAS documentation.