Remote Access Services Authentication Summary

Last reviewed: November 11, 1997
Article ID: Q136634
The information in this article applies to:
  • Microsoft Windows NT operating system version 3.1
  • Microsoft Windows NT Advanced Server version 3.1
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server version 3.5, 3.51, and 4.0
  • Microsoft Windows for Workgroups version 3.11
  • Microsoft Windows 95

SUMMARY

Windows NT Remote Access Services (RAS) supports several authentication and encryption methods. This article describes these methods, explains which ones protect the password on the wire, and gives examples of remote access clients that use them.

MORE INFORMATION

Windows NT RAS supports both of the standard PPP authentication protocols: the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication Protocol (CHAP).

PAP

PAP sends the user name and password in clear text (unencrypted) inside the PPP Authenticate-Request, so anyone who can observe the link learns the password. It is supported by the Windows NT RAS server only for interoperability with third-party PPP clients. NetManage Chameleon and Trumpet Winsock are third-party PPP clients that use PAP.

CHAP

CHAP is a challenge/response scheme: the server sends a random challenge and the client returns a value computed from the challenge and the user's password, so the password itself never crosses the wire and a captured response cannot be replayed against a fresh challenge. Windows NT RAS server supports the following response algorithms in conjunction with CHAP authentication:

   RSA MD4 (or MS-CHAP)

   MS-CHAP is Microsoft's CHAP variant. The response is computed from the
   MD4 hash of the user's password, the same hash Windows NT stores in its
   account database, so the server needs no clear-text password. It is the
   strongest of the authentication methods listed here. MS-CHAP corresponds
   to the "Require Microsoft encrypted authentication" encryption setting
   for the RAS server. Both Windows NT and Windows 95 RAS clients negotiate
   a PPP connection to a Windows NT RAS server using MS-CHAP.

   DES

   DES is the challenge/response algorithm used by down-level Microsoft RAS
   clients such as Windows for Workgroups 3.11 RAS and RAS 1.1a. Windows NT
   supports it only for backward compatibility with those clients; clients
   that can use MS-CHAP should do so.

   SPAP

   SPAP is Shiva's Password Authentication Protocol. Windows NT RAS server
   supports SPAP to allow dialin by Shiva clients. Unlike PAP, SPAP sends
   the password over the wire in encrypted form rather than clear text.
   SPAP is not a challenge/response method, however: its encryption is
   reversible, so it is weaker than CHAP.

   MD5

   Service Pack 3 provides limited PPP MD5-CHAP authenticator support to
   the Remote Access Server, which may be useful for small user-count
   environments using non-Microsoft PPP dial-in clients. The support is
   local to a given RAS server. The MD5 account information is stored in
   the RAS server registry and is not integrated or synchronized with
   the User Manager account database. Integrated support will appear in
   a later release, at which time this limited support may be removed.

   The local MD5-CHAP authenticator is enabled by creating the MD5 key
   below and adding "account" subkeys of the form [<domain>:]<user>, each
   with a REG_SZ value named "Pw" containing the account password in clear
   text. The ":" notation is used instead of "\" because "\" is the key
   path separator in registry syntax. The 'domain:' prefix is optional and
   typically omitted. MD5-CHAP is not negotiated (the old behavior) when
   the MD5 key does not exist, which is the default. Because the Pw values
   are clear-text passwords, restrict the ACL on this key to administrators
   and the RAS service account.

      HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP\MD5
         [<domain>:]<user>        (subkey, one per account)
            Pw  (REG_SZ)          account password

Encryption on Windows NT RAS Server

  • When you enable the "Require Microsoft encrypted authentication" option, you can optionally enable "Require data encryption". This option uses the RC4 algorithm to encrypt all data sent over the RAS session; without it, only the authentication exchange is protected and the session traffic is sent in the clear.
  • The "Require encrypted authentication" setting accepts clients that request MS-CHAP, DES, or SPAP; clients that request clear-text PAP are refused.
  • The "Allow any authentication including clear text" setting accepts any authentication method requested by the client, including PAP, and is the least secure choice.

Encryption on the Windows NT RAS Client

The Windows NT RAS client supports all authentication methods supported by the Windows NT RAS server except SPAP. Additionally, the Windows NT RAS client supports MD5-CHAP (RFC 1994).

By supporting MD5-CHAP, Windows NT PPP clients are able to connect to almost all third-party PPP servers. The Windows NT RAS server does not support MD5-CHAP as an integrated method because verifying an MD5-CHAP response requires the clear-text password at the server, and the Windows NT account database stores only password hashes; the Service Pack 3 local authenticator described above works around this by keeping clear-text passwords in the registry.
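As an added example (not Microsoft's code and not the RAS implementation), the following Python models the two exchanges this article contrasts: a PAP Authenticate-Request (RFC 1334), in which the password is visible on the wire, and a CHAP-MD5 Challenge/Response (RFC 1994), in which the authenticator recomputes MD5(Identifier || secret || Challenge) and therefore must hold the clear-text secret. The account table stands in for the [<domain>:]<user> subkeys and Pw values of the Service Pack 3 local MD5 authenticator described above; the account names, passwords, and the assumption that a client sends "DOMAIN\user" as its CHAP Name when it supplies a domain are constructed for this example.

```python
"""CHAP-MD5 (RFC 1994) versus PAP (RFC 1334) on the wire.

Added example, not Microsoft code.  MD5_ACCOUNTS is a constructed stand-in
for the RasMan\\PPP\\CHAP\\MD5 registry subkeys the article describes.
"""
import hashlib
import hmac
import os
import struct

# Constructed sample accounts in the article's [<domain>:]<user> -> Pw layout.
MD5_ACCOUNTS = {
    "jdoe": "s3cret-pw",
    "CORP:asmith": "hunter2",
}

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request: Code, Identifier, Length, Peer-ID, Password.
    The password field is clear text."""
    pid, pw = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_pap_request(pkt):
    """What a sniffer recovers from a PAP packet: (peer_id, password)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    assert code == PAP_AUTH_REQUEST and length == len(pkt)
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    m = pkt[5 + n]
    password = pkt[6 + n:6 + n + m]
    return peer_id.decode(), password.decode()


def chap_packet(code, ident, value, name):
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt):
    """Return (code, identifier, value, name) from a Challenge or Response."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    assert length == len(pkt)
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:].decode()


def chap_md5_value(ident, secret, challenge):
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def client_respond(challenge_pkt, name, secret):
    """Client side: answer the server's challenge with the MD5 response value."""
    code, ident, challenge, _server_name = parse_chap(challenge_pkt)
    assert code == CHAP_CHALLENGE
    return chap_packet(CHAP_RESPONSE, ident, chap_md5_value(ident, secret, challenge), name)


def registry_key_for(ppp_name):
    """Map the PPP Name to the article's [<domain>:]<user> subkey name.
    Assumption (not from the article): a client sends 'DOMAIN\\user' when it
    supplies a domain, and the server swaps '\\' for ':' to find the subkey."""
    return ppp_name.replace("\\", ":")


def server_verify(accounts, challenge, response_pkt):
    """Authenticator side: recomputes the value, which needs the clear-text Pw.
    A server holding only a hash of Pw could not perform this step."""
    code, ident, value, name = parse_chap(response_pkt)
    if code != CHAP_RESPONSE:
        return False
    pw = accounts.get(registry_key_for(name))
    if pw is None:
        return False
    return hmac.compare_digest(value, chap_md5_value(ident, pw, challenge))


def run_exchange(accounts, name, secret, ident=0x2A):
    """Full CHAP-MD5 exchange. Returns (server_accepted, bytes_seen_on_wire)."""
    challenge = os.urandom(16)                      # server keeps this locally
    chal_pkt = chap_packet(CHAP_CHALLENGE, ident, challenge, "ras-server")
    resp_pkt = client_respond(chal_pkt, name, secret)
    return server_verify(accounts, challenge, resp_pkt), chal_pkt + resp_pkt


if __name__ == "__main__":
    pap = pap_authenticate_request(1, "jdoe", "s3cret-pw")
    print("PAP on the wire  :", pap.hex(), "-> sniffer sees", parse_pap_request(pap))
    ok, wire = run_exchange(MD5_ACCOUNTS, "jdoe", "s3cret-pw")
    print("CHAP on the wire :", wire.hex(), "-> accepted:", ok)
    print("CHAP with wrong password accepted:", run_exchange(MD5_ACCOUNTS, "jdoe", "wrong")[0])
```

Compare the two hex dumps: the PAP bytes contain the password verbatim, while the CHAP bytes carry only a 16-byte digest bound to a fresh random challenge, so replaying them against the next challenge fails. The `server_verify` function also shows the structural reason behind the article's statement about the server: it has to feed the clear-text `Pw` into MD5, which is exactly what the hash-only Windows NT account database cannot supply, whereas MS-CHAP's response is derived from the stored MD4 hash.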

  • The "Accept any authentication including clear text" option permits the client to use any of the supported client authentication methods requested by the server.
  • The "Use clear text Terminal login only" option indicates the remote server uses a UNIX-style text mode login. When this option is selected, the client receives a Terminal window where login occurs. PAP is used as the authentication method if this option is enabled.
  • The "Require encrypted authentication" option is similar to the corresponding option for the Windows NT RAS server. For the RAS client, however, RSA MD5 may be used, but SPAP may not.
  • The "Accept only Microsoft encrypted authentication" option is also similar to the corresponding option for the Windows NT RAS server. This option permits the client to use only MS-CHAP.


Additional query words: prodnt 3.10 3.50 3.51 3.11 4.00 security Settings
win95
Keywords : ntras ntsecurity kbnetwork
Version : WinNT:3.1,3.5,3.51,4.0;Windows:3.11,95
Platform : WINDOWS


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved. Terms of Use.