MS-CHAP version 2

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The Windows Server 2003 family includes support for version 2 of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2), which provides stronger security for remote access connections. MS-CHAP v2 solves some issues of MS-CHAP version 1, as shown in the following table.

MS-CHAP version 1 issue: LAN Manager encoding of the response used for backward compatibility with older Microsoft remote access clients is cryptographically weak.
MS-CHAP version 2 solution: MS-CHAP v2 no longer allows LAN Manager encoded responses.

MS-CHAP version 1 issue: LAN Manager encoding of password changes is cryptographically weak.
MS-CHAP version 2 solution: MS-CHAP v2 no longer allows LAN Manager encoded password changes.

MS-CHAP version 1 issue: Only one-way authentication is possible. The remote access client cannot verify whether it is dialing in to its organization's remote access server or to a masquerading remote access server.
MS-CHAP version 2 solution: MS-CHAP v2 provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server it is dialing in to has access to the user's password.

MS-CHAP version 1 issue: With 40-bit encryption, the cryptographic key is based only on the user's password. Each time the user connects with the same password, the same cryptographic key is generated.
MS-CHAP version 2 solution: With MS-CHAP v2, the cryptographic key is always based on the user's password and an arbitrary challenge string. Each time the user connects with the same password, a different cryptographic key is used.

MS-CHAP version 1 issue: A single cryptographic key is used for data sent in both directions on the connection.
MS-CHAP version 2 solution: With MS-CHAP v2, separate cryptographic keys are generated for transmitted and received data.

MS-CHAP v2 is a mutual authentication process in which the password itself is never sent; only a one-way encryption (hash) derived from it is exchanged. It works as follows:

  1. The authenticator (the remote access server or the IAS server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.

  2. The remote access client sends a response that contains:

    • The user name.

    • An arbitrary peer challenge string.

    • A one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user's password.

  3. The authenticator checks the response from the client and sends back a response containing:

    • An indication of the success or failure of the connection attempt.

    • An authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user's password.

  4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
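The four steps above, played out by both sides in one script. This is an added example, not Microsoft's code and not an interoperable MS-CHAP v2 implementation: HMAC-SHA256 stands in for the MD4, DES and SHA-1 constructions of RFC 2759 (and the RFC 3079 key derivation), so only the shape of the exchange is faithful. All function names, the `run_exchange` helper, the `masquerading` flag and the sample user name and passwords are assumptions made for the illustration. It shows why a server that does not hold the password cannot pass the client's check in step 4, why a rogue server that simply claims success still fails, and why each connection, and each direction on it, ends up with a different key.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy re-enactment of the MS-CHAP v2 flow (RFC 2759 structure).
# HMAC-SHA256 replaces MD4 / DES / SHA-1, so outputs are NOT real MS-CHAP v2 values.


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (MD4 over the UTF-16LE password); SHA-256 here."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """Mirrors ChallengeHash(): binds both challenges and the user name into one value."""
    data = peer_challenge + auth_challenge + user_name.encode("utf-8")
    return hashlib.sha256(data).digest()[:8]


def nt_response(password: str, auth_challenge: bytes, peer_challenge: bytes,
                session_id: bytes, user_name: str) -> bytes:
    """Step 2: one-way value over the challenge, peer challenge, session id and password."""
    ch = challenge_hash(peer_challenge, auth_challenge, user_name)
    return hmac.new(password_hash(password), ch + session_id, hashlib.sha256).digest()


def authenticator_response(password: str, auth_challenge: bytes, peer_challenge: bytes,
                           client_response: bytes, user_name: str) -> bytes:
    """Step 3: the authenticator's proof that it knows the password, bound to the client's response."""
    ch = challenge_hash(peer_challenge, auth_challenge, user_name)
    return hmac.new(password_hash(password), b"auth" + client_response + ch, hashlib.sha256).digest()


def directional_key(password: str, client_response: bytes, client_to_server: bool) -> bytes:
    """Per-connection, per-direction key: depends on the password AND the challenge-dependent response."""
    master = hmac.new(password_hash(password), b"master" + client_response, hashlib.sha256).digest()
    label = b"c2s" if client_to_server else b"s2c"
    return hmac.new(master, label, hashlib.sha256).digest()[:16]


def run_exchange(user_name: str, client_password: str, server_password: str,
                 masquerading: bool = False,
                 auth_challenge: Optional[bytes] = None,
                 peer_challenge: Optional[bytes] = None,
                 session_id: Optional[bytes] = None) -> dict:
    """Plays both sides. server_password is the authenticator's copy of the password; a
    masquerading server does not have the real one and, if masquerading=True, claims success anyway."""
    if session_id is None:
        session_id = bytes([secrets.randbelow(256)])
    # Step 1: authenticator -> client: session identifier plus an arbitrary 16-byte challenge
    if auth_challenge is None:
        auth_challenge = secrets.token_bytes(16)
    # Step 2: client -> authenticator: user name, peer challenge, one-way response
    if peer_challenge is None:
        peer_challenge = secrets.token_bytes(16)
    client_resp = nt_response(client_password, auth_challenge, peer_challenge, session_id, user_name)
    # Step 3: authenticator recomputes the expected response from its own copy of the password
    if masquerading:
        server_accepts = True  # cannot check, but claims success to lure the client
    else:
        expected = nt_response(server_password, auth_challenge, peer_challenge, session_id, user_name)
        server_accepts = hmac.compare_digest(client_resp, expected)
    auth_resp = None
    if server_accepts:
        auth_resp = authenticator_response(server_password, auth_challenge, peer_challenge,
                                           client_resp, user_name)
    # Step 4: client verifies the authenticator response with the real password
    client_verifies = server_accepts and hmac.compare_digest(
        auth_resp,
        authenticator_response(client_password, auth_challenge, peer_challenge, client_resp, user_name))
    keys = {}
    if client_verifies:  # only a verified connection gets used, and it gets two separate keys
        keys = {
            "client_send": directional_key(client_password, client_resp, True),
            "client_recv": directional_key(client_password, client_resp, False),
            "server_send": directional_key(server_password, client_resp, False),
            "server_recv": directional_key(server_password, client_resp, True),
        }
    return {"server_accepts": server_accepts, "client_verifies": client_verifies, "keys": keys}


if __name__ == "__main__":
    good = run_exchange("alice", "correct horse", "correct horse")
    print("legitimate server:", good["server_accepts"], good["client_verifies"])
    rogue = run_exchange("alice", "correct horse", "guess", masquerading=True)
    print("masquerading server:", rogue["server_accepts"], rogue["client_verifies"])
```

Running the script twice with the same user and password yields different keys each time because both challenges are fresh, which is the fourth row of the table above; within one run the client's send key equals the server's receive key and differs from the client's receive key, which is the fifth row.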

Enabling MS-CHAP v2

To enable MS-CHAP v2-based authentication, you must do the following:

  1. Enable MS-CHAP v2 as an authentication protocol on the remote access server. For more information, see Enable authentication protocols. MS-CHAP v2 is enabled by default.

  2. Enable MS-CHAP v2 on the appropriate remote access policy. For more information, see Introduction to remote access policies and Configure authentication. MS-CHAP v2 is enabled by default.

  3. Enable MS-CHAP v2 on the remote access client. For more information, see Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

Notes

  • Windows 95 with the Windows Dial-Up Networking 1.3 Performance & Security Upgrade for Windows 95 supports MS-CHAP v2 for virtual private network (VPN) connections but not for dial-up connections.

  • MS-CHAP (version 1 and version 2) is the only authentication protocol provided with the Windows Server 2003 family that supports password change during the authentication process.

  • Make sure your network access server (NAS) supports MS-CHAP v2 before you enable it on a remote access policy on an IAS server. For more information, see your NAS documentation.