CHAP Update for IAS (NT4.0 Radius Server) Authentication to Windows NT4.0 Domain Controllers

Microsoft Internet Authentication Service (IAS) does not natively support standard Challenge Handshake Authentication Protocol (CHAP) authentication against an NT 4.0 domain controller.

This behavior occurs because the CHAP specification requires passwords to be stored in "reversibly encrypted format" or in plain text format. Computers running Windows NT Server store user information in a database called the Security Accounts Manager (SAM). The user passwords that are stored in the SAM cannot be compromised, even if the internal file structures are discovered.

A user in a domain that uses CHAP creates a challenge response by combining the challenge sent by the Network Access Server (NAS) and the user's plain text password. Windows NT domain controllers cannot reproduce the plain text password from the value stored in the SAM database, and IAS cannot authenticate a CHAP request.

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

NOTE: This fix is not included in any Windows NT Service Pack, nor is it included in the IAS SP6 rollup fix. Before you install this fix, you must install the IAS SP6 rollup fix; for more information, see the following article in the Microsoft Knowledge Base:

How to Install the Fix

In order to use this fix, you must install this software on the IAS servers, both primary and backup domain controllers, so that authentication still operates, even if the primary domain controller is offline for any reason.

Before you install CHAP support on any domain controller, create an Emergency Repair Disk (ERD) for the domain controller. You can use the ERD to recover the server in the event of a problem with the CHAP support software.

To apply this fix on domain controllers, perform the following steps:

1. To install the fix, run the Iaspack.exe tool that is included with the fix.
2. Run Regedt32.
3. On the Window menu, click "HKEY_LOCAL_MACHINE on Local Machine".
4. Find the System\CurrentControlSet\Control\Lsa\MD5-CHAP key, and then double-click the Store Clear Text Passwords value.
5. In the DWORD Editor dialog box, change the data value from 0 to 1, and then click OK. Note that the REG_DWORD value is displayed as 0x1.
6. Quit Registry Editor.
7. Restart the domain controller.

Windows NT and CHAP Support

When you implement CHAP on a server, there are several inherent limitations; most occur because CHAP traps password changes to store them in the SAM.

• CHAP authentication does not go into effect until the domain controller is upgraded and users have changed their passwords. Users must change their passwords to store the reversibly encrypted passwords in the SAM database. If you are currently using a Beta version of the Microsoft CHAP software, users with a reversibly encrypted password do not need to change their password with this fix.
• Domain controllers that have CHAP support require about 100 bytes more RAM "per user" in the database.
• Because of the decrease in performance involved and additional steps required to configure this fix, Microsoft recommends using MSChap, which offers an enhanced level of security or standard PAP authentication.