Remote Access Services Authentication Summary

ID: Q136634

The information in this article applies to:

Microsoft Windows NT operating system version 3.1
Microsoft Windows NT Advanced Server version 3.1
Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
Microsoft Windows NT Server version 3.5, 3.51, and 4.0
Microsoft Windows for Workgroups version 3.11
Microsoft Windows 95

SUMMARY

Windows NT Remote Access Services (RAS) supports several authentication and encryption methods. This article describes the these methods and provides examples of remote access clients that use them.

MORE INFORMATION

Windows NT RAS supports both the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication protocol (CHAP).

PAP

PAP uses clear text (unencrypted) password authentication. It is supported by the Windows NT RAS server for interoperability with 3rd party PPP clients. NetManage Chameleon and Trumpet Winsock are 3rd Party PPP clients that use PAP.

CHAP

CHAP requires a challenge response with encryption on the response. Windows NT RAS server supports the following encryption algorithms in conjunction with CHAP authentication:

   RSA MD4 (or MS-CHAP)

   MS-CHAP is Microsoft's version of the RSA MD4 standard. This is the most
   secure encryption algorithm supported by Windows NT. MS-CHAP corresponds
   to the "Require Microsoft encrypted authentication" encryption setting
   for the RAS server. Both Windows NT and Windows 95 RAS clients will
   negotiate a PPP connection to a Windows NT RAS server using MS-CHAP as
   the encryption algorithm.

   DES

   DES is the encryption algorithm used by down-level Microsoft RAS clients
   such as Windows for Workgroups 3.11 RAS and RAS 1.1a. DES is supported
   by Windows NT for backward compatibility with down-level RAS clients.

   SPAP

   SPAP is Shiva's Password Authentication Protocol. Windows NT RAS server
   supports SPAP to allow dialin by Shiva clients. Unlike PAP, SPAP does
   send encrypted passwords over the wire as opposed to clear-text
   passwords.

   MD5

   Service Pack 3 provides limited PPP MD5-CHAP authenticator support to
   the Remote Access Server, which may be useful for small user-count
   environments using non-Microsoft PPP dial-in clients. The support is
   local to a given RAS server. The MD5 account information is stored in
   the RAS server registry and is not integrated or synchronized with
   the User Manager account database. Integrated support will appear in
   a later release, at which time this limited support may be removed.

   The local MD5-CHAP authenticator is enabled by creating the MD5 key
   below and adding "account" subkeys of the form [<domain>:]<user>,
   with subvalue "Pw" containing the account password. The ":" notation
   is used instead of "\" due to the syntax rules of registry keys. The
   'domain:' is optional and typically omitted. MD5-CHAP will not be
   negotiated (old behavior) when the MD5 key does not exist (default).

      HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP\MD5
      [<domain>:]<user>(REG_SZ)Pw

Encryption on Windows NT RAS Server

When you enable the "Require Microsoft encrypted authentication" selection, you can optionally enable "Require data encryption". This option uses the RC4 algorithm to encrypt data sent over the RAS session.
The "Require encrypted authentication" encryption setting authenticates clients that request the MS-CHAP, DES, or SPAP authentication methods.
The "Allow any authentication including clear text" encryption setting authenticates clients using any of the authentication methods requested by the client.

Encryption on the Windows NT RAS Client

The Windows NT RAS client supports all authentication standards supported by the Windows NT RAS server except SPAP. Additionally, the Windows NT RAS client supports the RSA MD5-CHAP encryption standard.

By supporting RSA MD5, Windows NT PPP clients are able to connect to almost all 3rd Party PPP Servers. The Windows NT RAS server does not support RSA MD5 because this method requires a clear-text password at the server.

The "Accept any authentication including clear text" option permits the client to use any of the supported client authentication methods requested by the server.
The "Use clear text Terminal login only" option indicates the remote server uses a UNIX-style text mode login. When this option is selected, the client receives a Terminal window where login occurs. PAP is used as the authentication method if this option is enabled.
The "Require encrypted authentication" option is similar to the corresponding option for the Windows NT RAS server. For the RAS client, however, RSA MD5 may be used, but SPAP may not.
The "Accept only Microsoft encrypted authentication" option is also similar to the corresponding option for the Windows NT RAS server. This option permits the client to use only MS-CHAP.

Additional query words: prodnt 3.10 3.50 3.51 3.11 4.00 security Settings win95

Keywords          : kbnetwork ntras ntsecurity 
Version           : WinNT:3.1,3.5,3.51,4.0;Windows:3.11,95
Platform          : WINDOWS

Last Reviewed: May 2, 1998