Enabling the Challenge Handshake Authentication Protocol (CHAP)

This article describes enabling the Challenge Handshake Authentication Protocol (CHAP) on a Microsoft Windows 2000-based remote access server.

To enable CHAP on a Windows 2000 remote access server, you must use the Routing and Remote Access snap-in and then select the appropriate setting on the 'Security' tab of the server properties.

For a stand-alone Windows 2000 remote access server, you must also enable Store password using reversible encryption for all users in the domain in the Local Computer Policy. To enable storage of passwords using reversible encryption, follow these steps:

1. Start the Microsoft Management Console (MMC) and add the Local Computer Policy snap-in.
2. In the Local Computer Policy MMC snap-in, go to:
   Local Computer Policy\Windows Settings\Security Settings\Account Policies\Password Policy
3. In the right side of the MMC, double-click Store password using reversible encryption for all users in the domain.
4. Click Enabled, and then click OK.

NOTE: Reversibly encrypted passwords are saved during the change-password process, so existing users must change their passwords to use CHAP. For a Windows 2000-based remote access server that is a member of a domain, you can select the Store password using reversible encryption for all users in the domain option on the domain server as described above.

Alternatively, you can enable reversible storage of passwords for individual users. By using the Directory Services snap-in, you can select this feature through the properties of an individual user. Again, note that reversibly encrypted passwords are saved during the change-password procedure, so existing users must change their passwords to use CHAP.