Remote Access Services Authentication Summary

ID: Q136634

The information in this article applies to:
  • Microsoft Windows NT 3.1
  • Microsoft Windows NT Advanced Server, version 3.1
  • Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, 4.0
  • Microsoft Windows for Workgroups version 3.11
  • Microsoft Windows 95

SUMMARY

Windows NT Remote Access Services (RAS) supports several authentication and encryption methods. This article describes the these methods and provides examples of remote access clients that use them.


MORE INFORMATION

Windows NT RAS supports both the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication protocol (CHAP).

PAP

PAP uses clear text (unencrypted) password authentication. It is supported by the Windows NT RAS server for interoperability with 3rd party PPP clients. NetManage Chameleon and Trumpet Winsock are 3rd Party PPP clients that use PAP.

CHAP

CHAP requires a challenge response with encryption on the response. Windows NT RAS server supports the following encryption algorithms in conjunction with CHAP authentication:
RSA MD4 (or MS-CHAP)
MS-CHAP is Microsoft's version of the RSA MD4 standard. This is the most secure encryption algorithm supported by Windows NT. MS-CHAP corresponds to the "Require Microsoft encrypted authentication" encryption setting for the RAS server. Both Windows NT and Windows 95 RAS clients will negotiate a PPP connection to a Windows NT RAS server using MS-CHAP as the encryption algorithm.
DES
DES is the encryption algorithm used by down-level Microsoft RAS clients such as Windows for Workgroups 3.11 RAS and RAS 1.1a. DES is supported by Windows NT for backward compatibility with down-level RAS clients.
SPAP
SPAP is Shiva's Password Authentication Protocol. Windows NT RAS server supports SPAP to allow dialin by Shiva clients. Unlike PAP, SPAP does send encrypted passwords over the wire as opposed to clear-text passwords.
MD5
Service Pack 3 provides limited PPP MD5-CHAP authenticator support to the Remote Access Server, which may be useful for small user-count environments using non-Microsoft PPP dial-in clients. The support is local to a given RAS server. The MD5 account information is stored in the RAS server registry and is not integrated or synchronized with the User Manager account database. Integrated support will appear in a later release, at which time this limited support may be removed.

The local MD5-CHAP authenticator is enabled by creating the MD5 key below and adding "account" subkeys of the form [<domain>:]<user>, with subvalue "Pw" containing the account password. The ":" notation is used instead of "\" due to the syntax rules of registry keys. The 'domain:' is optional and typically omitted. MD5-CHAP will not be negotiated (old behavior) when the MD5 key does not exist (default). 

      HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP\MD5
      [<domain>:]<user>(REG_SZ)Pw

Encryption on Windows NT RAS Server

  • When you enable the "Require Microsoft encrypted authentication" selection, you can optionally enable "Require data encryption". This option uses the RC4 algorithm to encrypt data sent over the RAS session.


  • The "Require encrypted authentication" encryption setting authenticates clients that request the MS-CHAP, DES, or SPAP authentication methods.


  • The "Allow any authentication including clear text" encryption setting authenticates clients using any of the authentication methods requested by the client.


Encryption on the Windows NT RAS Client

The Windows NT RAS client supports all authentication standards supported by the Windows NT RAS server except SPAP. Additionally, the Windows NT RAS client supports the RSA MD5-CHAP encryption standard.

By supporting RSA MD5, Windows NT PPP clients are able to connect to almost all 3rd Party PPP Servers. The Windows NT RAS server does not support RSA MD5 because this method requires a clear-text password at the server.

  • The "Accept any authentication including clear text" option permits the client to use any of the supported client authentication methods requested by the server.


  • The "Use clear text Terminal login only" option indicates the remote server uses a UNIX-style text mode login. When this option is selected, the client receives a Terminal window where login occurs. PAP is used as the authentication method if this option is enabled.


  • The "Require encrypted authentication" option is similar to the corresponding option for the Windows NT RAS server. For the RAS client, however, RSA MD5 may be used, but SPAP may not.


  • The "Accept only Microsoft encrypted authentication" option is also similar to the corresponding option for the Windows NT RAS server. This option permits the client to use only MS-CHAP.


Additional query words: prodnt 3.10 3.11 security Settings win95

Keywords : kbnetwork ntras ntsecurity
Version : WINDOWS:3.11,95; winnt:3.1,3.5,3.51,4.0; :3.1
Platform : WINDOWS winnt
Issue type :


Last Reviewed: October 27, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.