CHAP

Applies To: Windows 7, Windows Server 2008 R2

The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the Message-Digest 5 (MD5) hash to compute the response: the client returns MD5 over the identifier, the user's password, and the challenge the server sent. MD5 hashes the response, it does not encrypt it, and because the password is an input to the hash the server must be able to recover the cleartext password to verify the response. CHAP is used by various vendors of network access servers and clients. An RRAS server supports CHAP so that remote access clients that require CHAP can be authenticated.

Security Note
We recommend that you do not use CHAP because it requires user passwords to be stored with reversible encryption (the server must recover the cleartext password to verify the response) and because it relies on the MD5 algorithm. Anyone who observes the link obtains the challenge and the response and can test password guesses offline. CHAP is included for backward compatibility only.
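The exchange described above, with both sides in one script, as an added example that is not part of the original page. It computes the RFC 1994 response, verifies it the way a server must (from the cleartext password), and then shows the exposure the Security Note refers to: an observer who has the identifier, challenge and response can test guesses offline. The password, identifier and wordlist are constructed for illustration; the Name field of the CHAP packets is omitted because it does not enter the hash.

```powershell
# Added example, not from the original page: a CHAP (RFC 1994) exchange in PowerShell.
# All values below (password, identifier, wordlist) are constructed for illustration.

function Get-ChapResponse {
    param(
        [Parameter(Mandatory)][byte]$Identifier,
        [Parameter(Mandatory)][string]$Secret,
        [Parameter(Mandatory)][byte[]]$Challenge
    )
    # RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value).
    # The secret goes in as cleartext, which is why the server side needs a recoverable password.
    $secretBytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $material = [byte[]](@($Identifier) + $secretBytes + $Challenge)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { return ,$md5.ComputeHash($material) } finally { $md5.Dispose() }
}

function New-ChapChallenge {
    # Server side: a fresh random Challenge Value (Code 1 packet) for every attempt.
    param([int]$Size = 16)
    $value = New-Object byte[] $Size
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($value) } finally { $rng.Dispose() }
    return ,$value
}

function Test-ChapResponse {
    # Server side: recompute the expected value from the stored cleartext password and compare.
    param([byte]$Identifier, [string]$StoredClearTextPassword, [byte[]]$Challenge, [byte[]]$Response)
    $expected = Get-ChapResponse -Identifier $Identifier -Secret $StoredClearTextPassword -Challenge $Challenge
    if ($expected.Length -ne $Response.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $Response[$i]) }
    return ($diff -eq 0)
}

# --- The exchange ---
$storedPassword = 'Autumn2009!'        # constructed; what NPS/RRAS must be able to recover
$id        = [byte]7
$challenge = New-ChapChallenge                                                         # server -> client (Code 1)
$response  = Get-ChapResponse -Identifier $id -Secret $storedPassword -Challenge $challenge   # client -> server (Code 2)
$ok = Test-ChapResponse -Identifier $id -StoredClearTextPassword $storedPassword -Challenge $challenge -Response $response
"Server verification: $ok"             # True -> Success (Code 3), False -> Failure (Code 4)

# --- Why the Security Note matters: an observer of the link has Identifier, Challenge and Response ---
function Find-ChapPassword {
    param([byte]$Identifier, [byte[]]$Challenge, [byte[]]$Response, [string[]]$Wordlist)
    foreach ($guess in $Wordlist) {
        if (Test-ChapResponse -Identifier $Identifier -StoredClearTextPassword $guess -Challenge $Challenge -Response $Response) {
            return $guess
        }
    }
    return $null
}
$wordlist  = @('Password1', 'Summer2009!', 'Autumn2009!', 'letmein')   # constructed
$recovered = Find-ChapPassword -Identifier $id -Challenge $challenge -Response $response -Wordlist $wordlist
"Recovered from one captured exchange: $recovered"
```

The point the script makes is not an MD5 collision. The exposure is that the response is a fast hash over values an eavesdropper sees, so guesses can be tested offline at MD5 speed, and that the server side has to keep a recoverable copy of every CHAP user's password.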

To enable CHAP-based authentication, you must do the following:

  1. Enable CHAP as an authentication protocol on the remote access server. (CHAP is disabled by default.)

  2. Enable CHAP on the appropriate network policy.

  3. Enable storage of a reversibly encrypted form of the user password. You can do this per user account (the "Store password using reversible encryption" account option) or for all accounts in a domain (the "Store passwords using reversible encryption" setting under Account Policies, Password Policy). Prefer the per-account option: the domain-wide setting exposes every password in the domain, not only those of the users who need CHAP.

  4. Force a reset of the user password so that the new password is stored in the reversibly encrypted form. Enabling reversible encryption does not convert existing passwords; only passwords set after the setting takes effect are stored that way. You must either reset the user passwords yourself or require each user to change the password at next logon.

Important

If you set user passwords to be changed the next time a user logs on, the user must log on by using a local area network (LAN) connection and change the password before the user attempts to log on with a remote access connection by using CHAP. You cannot change passwords during the authentication process by using CHAP; the logon attempt fails. One workaround for the remote access user is to temporarily log on by using MS-CHAP to change the password.

  5. Enable CHAP on the remote access client.
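Steps 1, 3 and 4 of the procedure above, scripted, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module is installed, the caller may modify the accounts, the netsh lines are run on the RRAS server itself, and the account names in $chapUsers are constructed for illustration. The netsh token MD5CHAP is the one netsh uses for CHAP; confirm it against the help output of "netsh ras add authtype" on your server. The network policy (step 2) and client (step 5) are configured in their own consoles and are not covered here.

```powershell
# Added example, not from the original page: steps 1, 3 and 4 of the CHAP procedure.
# Assumptions: RSAT ActiveDirectory module present, sufficient rights, netsh run on the
# RRAS server, and the account names below are constructed for illustration.
Import-Module ActiveDirectory

# Step 1: enable CHAP on the RRAS server (disabled by default).
# MD5CHAP is the netsh token for CHAP; "netsh ras show authtype" lists what is enabled.
netsh ras add authtype type=MD5CHAP
netsh ras show authtype

# Step 3: reversible encryption, per account rather than domain-wide, so the
# exposure stays limited to the accounts that actually need CHAP.
$chapUsers = @('legacy.nas.user1', 'legacy.nas.user2')   # constructed sample accounts
foreach ($sam in $chapUsers) {
    Set-ADUser -Identity $sam -AllowReversiblePasswordEncryption $true
}

# Guardrail: the domain-wide Password Policy setting affects every account in the
# domain. Report it if someone has turned it on.
if ((Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled) {
    Write-Warning 'Reversible encryption is enabled for ALL accounts in the domain.'
}

# Step 4: the existing password is not converted. Force a change at next logon so the
# next password is stored in the reversible form. Per the Important note above, that
# change must happen over the LAN (or via MS-CHAP): CHAP itself cannot change a password.
foreach ($sam in $chapUsers) {
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
}

# Verify: the flag is set, and pwdLastSet = 0 means "must change password at next logon".
foreach ($sam in $chapUsers) {
    Get-ADUser -Identity $sam -Properties AllowReversiblePasswordEncryption, pwdLastSet |
        Select-Object SamAccountName,
                      AllowReversiblePasswordEncryption,
                      @{ Name = 'MustChangeAtLogon'; Expression = { $_.pwdLastSet -eq 0 } }
}
```

When you later retire CHAP, clearing the flag (-AllowReversiblePasswordEncryption $false) is not enough on its own: the reversibly encrypted value already in the directory remains until that user's password changes, so force another password change at the same time.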

Additional considerations

  • CHAP does not support changing a password during authentication. If your password has expired, CHAP authentication fails until the password is changed by another means.

  • Make sure your network access server (NAS) supports CHAP before you enable it on a network policy on a server running NPS. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with CHAP.

Additional references