Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Microsoft created MS-CHAP to authenticate remote Windows-based workstations, integrating the functionality to which LAN-based users are accustomed with the hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge-response mechanism to authenticate connections without sending any passwords.
MS-CHAP uses the Message Digest 4 (MD4) hashing algorithm and the Data Encryption Standard (DES) encryption algorithm to generate the challenge and the response. MS-CHAP also provides mechanisms for reporting connection errors and for changing the user's password. The response packet is in a format designed to work with networking products in Windows 95, Windows 98, Windows Millennium Edition, Windows NT, Windows 2000, Windows XP, and the Windows Server 2003 family.
To configure a connection for MS-CHAP, see Configure identity authentication and data encryption settings.
Notes
If you are configuring a connection to a server running Windows 95, you must use a specific version of MS-CHAP. To enable this older version of MS-CHAP, see Configure identity authentication and data encryption settings.
Unlike CHAP, MS-CHAP does not require that the user's password be stored in a reversibly encrypted form.
During the MS-CHAP authentication process, shared secret encryption keys for Microsoft Point-to-Point Encryption (MPPE) are generated.