How to Force 128-bit Data Encryption for RAS
ID: Q172215
The information in this article applies to:
- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server version 4.0
- Microsoft Windows 95
SUMMARY
With the release of the 128-bit Service Pack 3 (SP3) for Windows NT 4.0,
RAS clients can now negotiate 128-bit RAS data encryption with a Windows
NT 4.0 RAS server. Normal RAS data encryption is 40-bit. RAS clients that
can take advantage of 128-bit data encryption are Windows NT Server or
Workstation 4.0 with SP3 128-bit and Windows 95 Dial-Up Networking 1.2
128-bit.
MORE INFORMATION
To enable 128-bit RAS data encryption on an NT 4.0 SP3 128-bit RAS server,
use the following steps:
- Double-click Network in Control Panel and click Services.
- Click Remote Access Service and click Properties.
- Click Network and click Require Microsoft encrypted authentication.
- Click Require data encryption and click OK.
- Click Continue and click Close.
- Click No when prompted to restart the computer.
- Start Registry Editor (Regedit.exe or Regedt32.exe).
WARNING: Using Registry Editor incorrectly can cause serious, system-wide
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.
- Go to the following subkey in the HKEY_LOCAL_MACHINE hive:
     SYSTEM\CurrentControlSet\Services\RasMan\PPP\COMPCP
- Click Edit, click Add Value, and enter the following information:
     Value Name: ForceStrongEncryption
     Value Type: DWORD
     Value Data: 1
- Exit Registry Editor and restart the computer.
With 128-bit RAS encryption enabled, you will see one or more event log
messages in Event Viewer when RAS users connect using RAS or PPTP. If the
RAS client supports 128-bit RAS data encryption, you will see the following
event:
Event ID: 20107
Source: RemoteAccess
Description: The user RAS connected to port COM1 using strong encryption.
If the RAS client does not support 128-bit RAS data encryption, you will
see the following event:
Event ID: 20077
Source: RemoteAccess
Description: An error occurred in the Point to Point Protocol module on port COM1. The remote computer does not support the required encryption type.
A Windows 95 client that fails with the above event log will receive the
following error message:
Dial-Up Networking
Error 629: You have been disconnected from the computer you dialed.
Double-click the connection to try again.
A Windows NT client that fails with the above event log will receive the
following error message:
Error Connecting to RAS server
Disconnected.
Error 629: The port was disconnected by the remote machine.
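As an added example (not part of the original Microsoft article), the following Python script tallies the two RemoteAccess events shown above from an exported event log, so an administrator can see which ports accepted strong-encryption clients and which ports are still being dialed by clients that lack 128-bit support. The tab-separated export format, the function name audit, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Event IDs and description wording are taken from this article.
STRONG_OK = 20107    # client connected using strong (128-bit) encryption
PPP_ERROR = 20077    # PPP module error reported for the port

OK_RE = re.compile(
    r"The user (?P<user>\S+) connected to port (?P<port>\S+) using strong encryption\.")
# Match the description as well as the ID, so only the encryption-type
# refusal shown in the article is counted.
REFUSED_RE = re.compile(
    r"Point to Point Protocol module on port (?P<port>\S+)\.\s+"
    r"The remote computer does not support the required encryption type\.")

# Constructed sample export (assumed format): event id, source, description,
# separated by tabs. The last line carries constructed, unrelated error text.
SAMPLE_LOG = """\
20107\tRemoteAccess\tThe user RAS connected to port COM1 using strong encryption.
20077\tRemoteAccess\tAn error occurred in the Point to Point Protocol module on port COM2. The remote computer does not support the required encryption type.
20077\tRemoteAccess\tAn error occurred in the Point to Point Protocol module on port COM2. The remote computer does not support the required encryption type.
20107\tRemoteAccess\tThe user jdoe connected to port COM3 using strong encryption.
20077\tRemoteAccess\tAn error occurred in the Point to Point Protocol module on port COM3. Constructed unrelated error text.
"""

def audit(log_text):
    """Return (strong, refused): users seen per port with strong encryption,
    and the number of encryption-type refusals per port."""
    strong = defaultdict(set)
    refused = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split("\t", 2)
        if len(fields) != 3 or fields[1] != "RemoteAccess" or not fields[0].isdigit():
            continue  # skip malformed lines and other event sources
        event_id, description = int(fields[0]), fields[2]
        if event_id == STRONG_OK:
            match = OK_RE.search(description)
            if match:
                strong[match["port"]].add(match["user"])
        elif event_id == PPP_ERROR:
            match = REFUSED_RE.search(description)
            if match:
                refused[match["port"]] += 1
    return dict(strong), dict(refused)

if __name__ == "__main__":
    strong, refused = audit(SAMPLE_LOG)
    print("strong encryption:", strong)
    print("refused (client lacks 128-bit):", refused)
```

Ports that appear only in the refused tally point to clients that still need the 128-bit SP3 or Dial-Up Networking 1.2 128-bit update.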
For additional information, please see the following article(s) in the
Microsoft Knowledge Base:
Q147798 Windows NT 4.0 Service Pack 3 Readme.txt File (128-bit)
Q169895 Enabling 128-bit Encryption for Routing and Remote Access
Keywords : kbnetwork dun ntras win95 ntnetserv NTSrvWkst
Version : WINDOWS:95; winnt:4.0
Platform : WINDOWS winnt
Issue type : kbinfo