Internet Authentication Service Cannot Authenticate to Windows NT Domain Using CHAP
ID: Q198796
The information in this article applies to:
- Microsoft Internet Authentication Service
- Microsoft Windows NT Server version 4.0
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help
topic in Regedt32.exe.
SYMPTOMS
When Microsoft Internet Authentication Service (IAS) authenticates users against a Windows NT domain, those users cannot be authenticated using Challenge Handshake Authentication Protocol (CHAP); CHAP requests fail even though the user name and password are correct.
CAUSE
This behavior occurs because CHAP requires the authenticator to have the user's secret (the password) available in plain-text form; RFC 1994, section 2.2, states this explicitly. A password store that must support CHAP therefore has to keep each password either in plain text or in a "reversibly encrypted format" from which the plain text can be recovered.
Computers running Windows NT Server store user information in a database called the Security Accounts Manager (SAM). The SAM does not hold the passwords themselves; it holds one-way hashes of them. The plain-text password cannot be recovered from the stored value even by someone who knows the internal file structures (the stored hashes remain subject to offline guessing attacks if the SAM is obtained, but that is a separate matter from reversibility). A CHAP client computes its response as the MD5 digest of the CHAP identifier, its plain-text password, and the challenge sent by the Network Access Server (NAS). To check that response, the authenticator must compute the same digest, which requires the same plain-text password. Because a Windows NT domain controller cannot reproduce the plain-text password from the value stored in the SAM, IAS cannot validate a CHAP response.
For additional information, please refer to the following Request for Comments (RFC) document: RFC 1994, section 2.2. For information about obtaining RFC documents from the Internet, please see the following article in the Microsoft Knowledge Base:
Q185262 How to Obtain Request for Comments Documents from the Internet
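The following is an added example that is not part of this article and is not Microsoft code. It shows, in a few lines, why the verification described above fails: a server that holds only a one-way digest can check a plain-text password (as PAP delivers it) but cannot recompute the RFC 1994 CHAP response, while a server that holds the plain-text password (the situation the CHAP fix creates) can. SHA-256 stands in for the SAM's own hash function, and the password, identifier and challenge values are constructed for the example; these are assumptions, not details taken from the article.

```python
"""Why CHAP cannot be verified from a one-way password store.

Added example for KB Q198796; not Microsoft code and not part of the article.
RFC 1994 section 2.2 defines the CHAP response as
MD5(Identifier || secret || Challenge), so whoever verifies it needs the
secret (the password) in plain text. A store holding only a one-way hash can
check a password delivered in plain text (as PAP does) but cannot recompute a
CHAP response. SHA-256 stands in for the SAM's own hash function here (an
assumption made for portability); the point is only that the stored value is
not reversible.
"""
import hashlib


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side of CHAP (RFC 1994, 2.2): MD5 over Identifier, secret, Challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def store_password(password: bytes) -> bytes:
    """What a one-way account database keeps: a digest, never the password."""
    return hashlib.sha256(password).digest()


def verify_pap(stored_digest: bytes, submitted_password: bytes) -> bool:
    """PAP hands the server the plain-text password, so hash-and-compare works."""
    return hashlib.sha256(submitted_password).digest() == stored_digest


def verify_chap(secret_known_to_server: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator side of CHAP: recompute the digest with whatever the server
    holds as the secret and compare. Succeeds only if that is the real password."""
    return chap_response(identifier, secret_known_to_server, challenge) == response


def demo() -> dict:
    """Constructed scenario: one user, one challenge, several verification attempts."""
    password = b"correct horse battery"      # constructed sample password
    challenge = bytes(range(16))              # constructed; normally random per exchange
    identifier = 7
    stored_digest = store_password(password)  # the only thing a one-way store has

    # The client computes its response from the plain-text password it knows.
    response = chap_response(identifier, password, challenge)

    return {
        # PAP: the plain-text password arrives, the server hashes it and compares.
        "pap_ok": verify_pap(stored_digest, password),
        # A server that keeps the password reversibly (the CHAP fix) can verify CHAP.
        "chap_with_plaintext_ok": verify_chap(password, identifier, challenge, response),
        # A server with only the one-way digest cannot: the digest is not the secret.
        "chap_with_digest_ok": verify_chap(stored_digest, identifier, challenge, response),
        # And a wrong password is, of course, rejected.
        "chap_wrong_password_ok": verify_chap(b"wrong", identifier, challenge, response),
    }
```

Run demo() to see the four outcomes side by side. The third entry is the article's problem in miniature: no amount of work on the server side turns the stored digest back into the input the client used.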
RESOLUTION
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it.
If you are running Windows NT, you should also update your Emergency
Repair Disk (ERD).
To work around this problem, use the appropriate method:
- Use Microsoft CHAP instead of CHAP.
Microsoft CHAP (MS-CHAP, RFC 2433) is a Microsoft variant of CHAP. Its response is computed from the password hash that Windows NT already keeps in the SAM rather than from the plain-text password, so the domain controller can verify it without storing passwords in reversibly encrypted or plain-text form. Note that, because the response is derived from the stored hash, anyone who obtains that hash can answer an MS-CHAP challenge without knowing the password; the SAM still needs protecting. To use Microsoft CHAP, your NAS hardware manufacturer must support it and Microsoft CHAP must be configured on your hardware. If your current hardware does not support Microsoft CHAP, check with your hardware manufacturer for a firmware update that adds support for Microsoft CHAP authentication. If you are using Windows NT with Routing and Remote Access Service (RRAS) as your NAS device, you can enable Microsoft CHAP support.
For additional information, please see the following article in the Microsoft Knowledge Base:
Q219283 Using MS-CHAP with Radius Authentication
You can also refer to the following RFC for further information:
http://www.ietf.cnri.reston.va.us/rfc/rfc2433.txt
The third-party contact information included in this article is provided
to help you find the technical support you need. This contact information
is subject to change without notice. Microsoft in no way guarantees the
accuracy of this third-party contact information.
- Use PAP or SPAP.
Password Authentication Protocol (PAP) sends the password in plain text between the remote client and the NAS computer. In most cases, this communication happens over a dial-up phone line. When the request reaches the NAS computer, the NAS forwards the password to the Microsoft RADIUS server in the User-Password attribute of the RADIUS Access-Request. RADIUS does not encrypt this attribute with RSA; it hides the password by XORing it with an MD5 digest of the RADIUS shared secret and the request authenticator (RFC 2138, section 5.2), so the password is protected only as well as the shared secret and the network path between the NAS and IAS. Because the plain-text password reaches IAS, the domain controller can hash it and compare the result with the value in the SAM, which is why PAP works where CHAP does not. Although PAP is used by numerous Internet service providers, it is the least preferred method. Shiva Password Authentication Protocol (SPAP), CHAP, or Microsoft CHAP is preferred for security reasons. If you are using Windows NT with RRAS as your NAS device, you can enable PAP support.
For additional information, please see the following article in the Microsoft Knowledge Base:
Q172216 How to Force Routing and Remote Access to Use PAP
SPAP is a Shiva proprietary standard but it can be used on other NAS hardware. SPAP is preferable to PAP, but it is not as secure as Microsoft CHAP.
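The following is an added example that is not part of this article and is not Microsoft code. It implements the User-Password hiding that a NAS applies to a PAP password before sending it to a RADIUS server such as IAS, as specified in RFC 2138, section 5.2 (unchanged in RFC 2865), and the matching reveal step on the server. The password, shared secret and request authenticator are constructed values, not taken from the article. The example makes the security point concrete: the hiding is keyed only by the shared secret, so whoever holds that secret and a captured Access-Request recovers the password.

```python
"""How a NAS hides a PAP password in a RADIUS Access-Request.

Added example for KB Q198796; not Microsoft code and not part of the article.
It implements User-Password hiding from RFC 2138 section 5.2: the password is
padded with NULs to a multiple of 16 octets, and each 16-octet block is XORed
with MD5(shared_secret || previous block), where the "previous block" for the
first block is the 16-octet Request Authenticator from the packet header.
This is obfuscation keyed by the shared secret, not RSA encryption: anyone
holding the shared secret and the packet recovers the password. All sample
values below are constructed.
"""
import hashlib

BLOCK = 16


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """NAS side: produce the value carried in the User-Password attribute."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2138 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        hidden += block
        prev = block          # chaining: the next key depends on this hidden block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """RADIUS server side (IAS): undo the hiding to recover the plain-text password."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        key = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    # Padding NULs are stripped; a password cannot legitimately end in NUL.
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Constructed exchange: a 21-octet password, so two 16-octet blocks."""
    password = b"correct horse battery"           # constructed
    secret = b"constructed-shared-secret"          # constructed NAS/IAS shared secret
    ra = bytes(range(0x10, 0x20))                  # constructed; a real NAS uses a random value per request
    hidden = hide_user_password(password, secret, ra)
    return {
        "hidden_len": len(hidden),
        # IAS, holding the shared secret and the packet, gets the password back.
        "server_recovers": reveal_user_password(hidden, secret, ra) == password,
        # Wrong Request Authenticator or wrong shared secret: garbage, not the password.
        "wrong_ra_recovers": reveal_user_password(hidden, secret, bytes(BLOCK)) == password,
        "wrong_secret_recovers": reveal_user_password(hidden, b"other", ra) == password,
        # The same password hidden under a different RA looks different on the wire.
        "ra_changes_ciphertext": hide_user_password(password, secret, bytes(BLOCK)) != hidden,
    }
```

Run demo() to see the results. Since the "server" in reveal_user_password is anyone with the shared secret, the strength of that secret and the protection of the NAS-to-IAS path are what actually guard a PAP password in transit.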
- Apply the CHAP fix to all Windows NT 4.0 domain controllers.
Microsoft has a fix for Windows NT 4.0 domain controllers to support CHAP. Before you install CHAP support on any domain controller, create an Emergency Repair Disk (ERD) for the domain controller. You can use the ERD to recover the server in the event of a problem with the CHAP support software.
NOTE: You must install this software on both primary and backup domain controllers so that authentication still operates even if the primary domain controller is offline for any reason.
To apply the CHAP fix on each domain controller:
- Install the fix using the Iaspack.exe tool included with the fix.
- Run Regedt32.
- On the Window menu, click HKEY_LOCAL_MACHINE on Local Machine.
- Find the System\CurrentControlSet\Control\Lsa\MD5-CHAP key, and then double-click the Store Clear Text Passwords value.
- In the DWORD Editor dialog box, change the data value from 0 to 1. Click OK. Note that the REG_DWORD value is displayed as 0x1.
- Quit Registry Editor.
- Restart the domain controller.
Important Note About Windows NT and CHAP Support
The following limitations are inherent when you implement CHAP on a server. Most occur because the fix intercepts password changes in order to store a reversibly encrypted copy of the password in the SAM.
- CHAP authentication does not work for a user until the domain controllers have been upgraded and that user has changed his or her password: the fix captures the password at change time, and only then is a reversibly encrypted copy stored in the SAM. If you are currently using a Beta version of the Microsoft CHAP software, users who already have a reversibly encrypted password do not have to change their password again with this fix.
- Domain controllers that have CHAP support require about 100 bytes more RAM per user in the database.
- Because of the decrease in performance and the additional steps required to configure this fix, Microsoft recommends using one of the other protocols mentioned above. Note also that a reversibly encrypted password is, by design, recoverable in plain text by anyone who obtains the SAM (or a backup of it) together with the key, so domain controllers that hold such passwords need correspondingly stronger protection.
If you need this fix, contact Microsoft Product Support Services and see the following article in the Microsoft Knowledge Base:
Q197506 IAS Incorrectly Validates User Accounts
STATUS
Microsoft has confirmed this to be a problem in the Microsoft products listed
at the beginning of this article.
Additional query words:
MS-CHAP
Keywords :
Version : winnt:4.0
Platform : winnt
Issue type : kbprb
Last Reviewed: June 16, 1999