Help and Support

Article ID: 289884 - Last Review: February 27, 2007 - Revision: 3.3

CHAP and Reverse Encryption Password Policy

View products that this article applies to.
This article was previously published under Q289884

On This Page

Expand all | Collapse all

SUMMARY

You cannot configure the Reverse Encryption password setting that is required for the Challenge Handshake Authentication Protocol (CHAP) at the Organizational Unit (OU) level.
Back to the top

MORE INFORMATION

This article is designed to clarify information that is located in the following reference materials:
  • The Windows 2000 Server Resource Kit in the following location:
    Windows 2000 Server Resource Kit\Internetworking guide\Remote Access\Internet Authentication Service\IAS Authentication\Authentication Methods (Enabling CHAP)
  • Internet Authentication Service for Windows 2000 White Paper.
  • For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    254172  (http://support.microsoft.com/kb/254172/EN-US/ ) Enabling the Challenge Handshake Authentication Protocol
Each document provides a step-by-step process to configure Windows 2000 to enable the CHAP authentication protocol; however, the statement about the Reverse Encryption password configuration that is included in each of these materials is incorrect. The following information is a correction of these materials.
Back to the top

CHAP Information Correction

In Windows 2000 domains, you can only set the Reverse Encryption password setting at the user level or at the domain level by using the domain Group Policy (GP):

User Level

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the Users folder under the domain node, and then click Properties.
  3. Click the Account tab to find the setting.

Domain Level Through the Domain Group Policy

You cannot use the GP at the Organizational Unit (OU) level; Go to the following location in the domain GP to find the setting:
Windows Settings\Security Settings\Account Policies\Password Policy\Store password using reversible encryption for all users in the domain
You can only set all account policies at the domain level. If they are set at the OU level, they are ignored. For more details about this behavior, please refer to the following resources:
  • Windows 2000 Server Resource Kit, Chapter 22 on Group Policy, p 1238.
  • 259576  (http://support.microsoft.com/kb/259576/EN-US/ ) Group Policy Application Rules for Domain Controllers
    Note: Reversibly-encrypted passwords are saved during the change password procedure; therefore, as an existing user, you have to change your password to use CHAP.
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Back to the top
Keywords: 
kbenv kbinfo KB289884
Back to the top

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations

 

Related Support Centers