Internet Authentication Service Cannot Authenticate to Windows NT Domain Using CHAP

ID: Q198796


The information in this article applies to:

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SYMPTOMS

When you are authenticated by a Windows NT domain using Microsoft Internet Authentication Service (IAS), you cannot be authenticated using Challenge Handshake Authentication Protocol (CHAP).


CAUSE

This behavior occurs because the CHAP specification requires passwords to be stored in "reversibly encrypted format" or in plain-text format.

Computers running Windows NT Server store user information in a database called the Security Accounts Manager (SAM). The user passwords stored in the SAM cannot be compromised, even if the internal file structures are discovered. A user in a domain that uses CHAP creates a challenge response by combining the challenge sent by the Network Access Server (NAS) and the user's plain-text password. Windows NT domain controllers cannot reproduce the plain-text password from the value stored in the SAM database, and IAS cannot authenticate a CHAP request.

For additional information, please refer to the following Request for Comments (RFC) document: RFC 1994, section 2.2. For information about obtaining RFC documents from the Internet, please see the following article in the Microsoft Knowledge Base:

Q185262 How to Obtain Request for Comments Documents from the Internet


RESOLUTION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

To work around this problem, use the appropriate method:

Important Note About Windows NT and CHAP Support

The following limitations are inherent when you implement CHAP on a server. Most occur because CHAP traps password changes to store them in the SAM.


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

Additional query words: MS-CHAP


Keywords          : 
Version           : winnt:4.0
Platform          : winnt 
Issue type        : kbprb 

Last Reviewed: June 16, 1999