Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

The Windows Server 2003 family supports MS-CHAP v2, which provides mutual authentication, the generation of stronger initial data encryption keys for Microsoft Point-to-Point Encryption (MPPE), and different encryption keys for sent and received data. To minimize the risk of password compromise during a password change, support for older methods of the MS-CHAP password change are not supported.

Because MS-CHAP v2 is more secure than MS-CHAP, it is offered before MS-CHAP (if enabled) for all connections.

MS-CHAP v2 is supported by computers running Windows XP, Windows 2000, Windows 98, Windows Millennium Edition, and Windows NT version 4.0. Computers running Windows 95 support MS-CHAP v2 only for VPN connections, not for dial-up connections.

To configure a connection for MS-CHAP v2, see Configure identity authentication and data encryption settings.


  • MS-CHAP v2 is a mutual authentication protocol, which means that both the client and the server prove that they have knowledge of the user's password. First, the remote access server asks the remote access client for proof by sending a challenge to the client. Then the remote access client asks the remote access server for proof by sending a challenge back to the server. If the server cannot prove that it has knowledge of the user's password by correctly answering the challenge from the client, the client terminates the connection. Without mutual authentication, a remote access client cannot establish a connection to an unauthorized remote access server.