Remote Access Services Authentication Summary (136634)
The information in this article applies to:
- Microsoft Windows NT Advanced Server 3.1
- Microsoft Windows NT Workstation 3.1
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 3.1
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0
- Microsoft Windows for Workgroups 3.11
- Microsoft Windows 95
This article was previously published under Q136634 SUMMARY
Windows NT Remote Access Services (RAS) supports several
authentication and encryption methods. This article describes the these
methods and provides examples of remote access clients that use them.
MORE INFORMATION
Windows NT RAS supports both the Password Authentication Protocol (PAP) and
the Challenge-Handshake Authentication protocol (CHAP).
PAP
PAP uses clear text (unencrypted) password authentication. It is supported
by the Windows NT RAS server for interoperability with 3rd party PPP
clients. NetManage Chameleon and Trumpet Winsock are 3rd Party PPP clients
that use PAP.
CHAP
CHAP requires a challenge response with encryption on the response. Windows
NT RAS server supports the following encryption algorithms in conjunction
with CHAP authentication:
MS-CHAP is Microsoft's version of the RSA MD4 standard. This is the most
secure encryption algorithm supported by Windows NT. MS-CHAP corresponds
to the "Require Microsoft encrypted authentication" encryption setting
for the RAS server. Both Windows NT and Windows 95 RAS clients will
negotiate a PPP connection to a Windows NT RAS server using MS-CHAP as
the encryption algorithm.
DES is the encryption algorithm used by down-level Microsoft RAS clients
such as Windows for Workgroups 3.11 RAS and RAS 1.1a. DES is supported
by Windows NT for backward compatibility with down-level RAS clients.
SPAP is Shiva's Password Authentication Protocol. Windows NT RAS server
supports SPAP to allow dialin by Shiva clients. Unlike PAP, SPAP does
send encrypted passwords over the wire as opposed to clear-text
passwords.
Service Pack 3 provides limited PPP MD5-CHAP authenticator support to
the Remote Access Server, which may be useful for small user-count
environments using non-Microsoft PPP dial-in clients. The support is
local to a given RAS server. The MD5 account information is stored in
the RAS server registry and is not integrated or synchronized with
the User Manager account database. Integrated support will appear in
a later release, at which time this limited support may be removed.
The local MD5-CHAP authenticator is enabled by creating the MD5 key
below and adding "account" subkeys of the form [<domain>:]<user>,
with subvalue "Pw" containing the account password. The ":" notation
is used instead of "\" due to the syntax rules of registry keys. The
'domain:' is optional and typically omitted. MD5-CHAP will not be
negotiated (old behavior) when the MD5 key does not exist (default).
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP\MD5
[<domain>:]<user>(REG_SZ)Pw
Encryption on Windows NT RAS Server- When you enable the "Require Microsoft encrypted authentication"
selection, you can optionally enable "Require data encryption". This
option uses the RC4 algorithm to encrypt data sent over the RAS session.
- The "Require encrypted authentication" encryption setting authenticates
clients that request the MS-CHAP, DES, or SPAP authentication methods.
- The "Allow any authentication including clear text" encryption setting
authenticates clients using any of the authentication methods requested
by the client.
Encryption on the Windows NT RAS Client
The Windows NT RAS client supports all authentication standards supported
by the Windows NT RAS server except SPAP. Additionally, the Windows NT RAS
client supports the RSA MD5-CHAP encryption standard.
By supporting RSA MD5, Windows NT PPP clients are able to connect to almost
all 3rd Party PPP Servers. The Windows NT RAS server does not support RSA
MD5 because this method requires a clear-text password at the server.
- The "Accept any authentication including clear text" option permits the
client to use any of the supported client authentication methods
requested by the server.
- The "Use clear text Terminal login only" option indicates the remote
server uses a UNIX-style text mode login. When this option is selected,
the client receives a Terminal window where login occurs. PAP is used
as the authentication method if this option is enabled.
- The "Require encrypted authentication" option is similar to the
corresponding option for the Windows NT RAS server. For the RAS client,
however, RSA MD5 may be used, but SPAP may not.
- The "Accept only Microsoft encrypted authentication" option is also
similar to the corresponding option for the Windows NT RAS server. This
option permits the client to use only MS-CHAP.
| Modification Type: | Major | Last Reviewed: | 3/15/2004 |
|---|
| Keywords: | kbnetwork KB136634 |
|---|
|