Challenge Handshake Authentication Protocol

Applies To: Windows Server 2008, Windows Server 2008 R2

Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to hash the response. CHAP is used by various vendors of network access servers (NASs) and clients. A server running Routing and Remote Access supports CHAP so that access clients that require CHAP can be authenticated. Because CHAP requires that user passwords be stored in a reversibly encrypted form, you should consider using another authentication protocol such as MS-CHAP version 2.
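As an added illustration that is not part of the original article, the following Python sketch carries out one CHAP exchange as specified in RFC 1994, where the response is MD5 over the packet identifier, the cleartext secret, and the challenge; the class and function names are assumptions. It shows why the authenticator needs the cleartext (reversibly encrypted) password: it must recompute the same digest to verify the client, and a one-way password hash would not allow that.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value per RFC 1994: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side (the NAS / NPS role, hypothetical names).

    password_store maps username -> cleartext password bytes. This is the
    reversibly encrypted password the article says CHAP requires: the server
    cannot verify a response from a one-way hash of the password.
    """

    def __init__(self, password_store: dict):
        self.password_store = password_store
        self._pending = {}  # identifier -> outstanding challenge

    def issue_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)  # fresh random challenge, never reused
        self._pending[identifier] = challenge
        return challenge

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)  # consume: no replay
        password = self.password_store.get(username)
        if challenge is None or password is None:
            return False
        expected = chap_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Peer side: holds the user's password and answers the challenge."""

    def __init__(self, username: str, password: bytes):
        self.username = username
        self.password = password

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.password, challenge)


def run_exchange(server: ChapServer, client: ChapClient, identifier: int = 1) -> bool:
    """One Challenge -> Response -> Success/Failure round trip."""
    challenge = server.issue_challenge(identifier)
    response = client.respond(identifier, challenge)
    return server.verify(identifier, client.username, response)
```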

To enable CHAP-based authentication, you must do the following:

  1. Enable CHAP as an authentication protocol on the network access server.

  2. Enable CHAP on the appropriate network policy in NPS.

  3. Enable storage of a reversibly encrypted form of the user password.

    You can enable storage of a reversibly encrypted form of the user password per user account or enable storage for all accounts in a domain.

  4. Force a reset of the user password so that the new password is in a reversibly encrypted form.

    When you enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly encrypted form and are not automatically changed. You must either manually change user passwords or set user passwords to be changed the next time each user logs on. After the password is changed, it is stored in a reversibly encrypted form.

    If you set user passwords to be changed the next time a user logs on, the user must log on by using a LAN connection and change the password before they attempt to log on by using a remote access connection and CHAP. You cannot change passwords during the authentication process by using CHAP because the logon attempt fails. One workaround for the remote access user is to temporarily log on by using MS-CHAP to change the password.

  5. Enable CHAP on the access client.

Additional considerations

Following are additional things to consider before deploying CHAP:

  • When users' passwords expire, CHAP does not provide the ability for them to change passwords during the authentication process.

  • Verify that your NAS supports CHAP before you enable it on a network policy on an NPS server. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with CHAP.