Article ID: 197506
This article was previously published under Q197506
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Microsoft Internet Authentication Service (IAS) does not natively support standard Challenge Handshake Authentication Protocol (CHAP) authentication against an NT 4.0 domain controller.
This behavior occurs because the CHAP specification requires passwords to be stored in "reversibly encrypted format" or in plain text format. Computers running Windows NT Server store user information in a database called the Security Accounts Manager (SAM). The user passwords that are stored in the SAM cannot be compromised, even if the internal file structures are discovered.
A user in a domain that uses CHAP creates a challenge response by combining the challenge sent by the Network Access Server (NAS) and the user's plain text password. Windows NT domain controllers cannot reproduce the plain text password from the value stored in the SAM database, so IAS cannot authenticate a CHAP request.
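The following is an added example, not part of the Microsoft article. It computes the CHAP response as RFC 1994 defines it for MD5, MD5(Identifier || secret || Challenge), and shows that a verifier holding the plain text password can check it while a verifier holding only a one-way value of the password cannot. SHA-256 stands in for the non-reversible stored value (an assumption for illustration, not the SAM format), and all function names and sample values are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    if not challenge:
        raise ValueError("challenge must not be empty")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_with_plaintext(identifier, challenge, response, password: bytes) -> bool:
    """Verifier that can read the plain text password recomputes the response."""
    expected = chap_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def one_way_store(password: bytes) -> bytes:
    """Stand-in for a non-reversible password store (assumption: SHA-256)."""
    return hashlib.sha256(password).digest()


def verify_with_one_way_value(identifier, challenge, response, stored: bytes) -> bool:
    """Verifier that holds only the one-way value. The client hashed the
    plain text password, so using the stored value as the secret cannot match."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    identifier = 0x2A                           # constructed CHAP identifier
    challenge = os.urandom(16)                  # challenge issued by the NAS
    response = chap_response(identifier, password, challenge)  # client side
    return {
        "plaintext_store": verify_with_plaintext(
            identifier, challenge, response, password),
        "one_way_store": verify_with_one_way_value(
            identifier, challenge, response, one_way_store(password)),
        "wrong_password": verify_with_plaintext(
            identifier, challenge, response, b"not-the-password"),
    }


if __name__ == "__main__":
    print(demo())
```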
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.
To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
NOTE: This fix is not included in any Windows NT Service Pack, nor is it included in the IAS SP6 rollup fix. Before you install this fix, you must install the IAS SP6 rollup fix; for more information, see the following article in the Microsoft Knowledge Base:
Availability of Internet Authentication Service SP6 Rollup Hotfix (http://support.microsoft.com/kb/239864/EN-US/)
How to Install the Fix
To use this fix, you must install this software on the IAS servers, both primary and backup domain controllers, so that authentication still operates, even if the primary domain controller is offline for any reason.
Before you install CHAP support on any domain controller, create an Emergency Repair Disk (ERD) for the domain controller. You can use the ERD to recover the server in the event of a problem with the CHAP support software.
To apply this fix on domain controllers, perform the following steps:
Windows NT and CHAP Support
When you implement CHAP on a server, there are several inherent limitations; most occur because CHAP traps password changes to store them in the SAM.
Article ID: 197506 - Last Review: October 19, 2005 - Revision: 2.5