IAS Incorrectly Validates User Accounts
ID: Q197506
The information in this article applies to:
- Microsoft Internet Authentication Service
- Microsoft Commercial Internet System version 2.0
- Microsoft Windows NT 4.0
SYMPTOMS
The Microsoft Internet Authentication Service incorrectly validates
users in the following two cases:
- PAP authentication is set up on the Network Access Server (NAS) and the domain/local guest account is enabled.
- PAP or MS-CHAP authentication is set up on the NAS and the "allow dial in" checkbox is unchecked.
CAUSE
The Internet Authentication Service did not verify that the guest account
is enabled or that the user has "allow dial in" access.
RESOLUTION
A fix for this problem has been included on the Windows NT 4.0 Service Pack 6 (SP6) compact disc in the Support/Ias directory; however,
it is not part of the Windows NT 4.0 SP6 standard install.
Note: SP6 is NOT required to install this fix; it may be installed on a computer running Windows NT 4.0 SP4, SP5, or SP6. This fix should be applied after you install or reinstall any service pack.
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or
the individual software update. For information on obtaining the
latest service pack, please go to:
For information on obtaining the individual software update, contact Microsoft
Product Support Services. For a complete list of Microsoft Product Support
Services phone numbers and information on support costs, please go to the
following address on the World Wide Web:
http://www.microsoft.com/support/supportnet/overview/overview.asp
STATUS
Microsoft has confirmed this to be a problem in the Microsoft products listed
at the beginning of this article. This problem was first corrected in Windows NT 4.0 Service Pack 6.
MORE INFORMATION
NOTE: This fix also adds two new abilities:
- Adds the ability to use standard CHAP authentication (instead of MS-CHAP) against a Windows NT 4.0 SP4 PDC/BDC. You need to install this fix on the IAS (RADIUS server) and every domain controller. Users will need to change their password the next time they log on. The password needs to be changed in either Windows NT User Manager or through a password change Web page. Microsoft does not support changing passwords with the Windows 95 Administrator tools for Windows NT. Password changes may take up to 30 minutes to replicate between all the PDCs and BDCs.
- Adds support for MS-CHAP 2.0 to Microsoft RADIUS. By default, an RRAS server running SP4 or later acting as a RADIUS client (NAS Server) will send an MS-CHAP 2.0 request only (previous service packs send an MSCHAPV1 request). It is advisable to run the very latest service pack on RRAS and Microsoft RADIUS when doing CHAP or MS-CHAP authentication.
Microsoft RADIUS server also maintains support for MS-CHAP 1.0 for compatibility with MS-CHAP implementations from third-party NAS hardware vendors (Cisco, Ascend, and so on).
Keywords : Mcis2Sp2fix
Version : winnt:2.0,4.0
Platform : winnt
Issue type : kbbug