The MS-CHAP version 1 authentication protocol has been deprecated in Windows Vista

INTRODUCTION

The Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) has been deprecated in Windows Vista. This article discusses this change and provides methods to work around it.

More Information

In Windows Vista, Microsoft has removed MS-CHAP v1 from the list of authentication protocols for dial-up connections, for broadband (PPPoE) connections, and for virtual private network (VPN) connections. This change has been made because MS-CHAP version 2 (MS-CHAP v2) provides better security than the following protocols do:
  • MS-CHAP v1
  • The Challenge Handshake Authentication Protocol (CHAP)

    Note CHAP provides an equivalent level of security to MS-CHAP.
  • The Password Authentication Protocol (PAP)

    Note PAP is less secure than MS-CHAP.
Microsoft Windows 2000 and later operating systems support MS-CHAP v2, CHAP and PAP. By default, both CHAP and MS-CHAP v2 are enabled for dial-up and PPPoE connections in Windows Vista.

If you used the Set up a connection or network wizard in Windows Vista to create a network connection, you can use the Network Sharing Center to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps:
  1. Open the Network Sharing Center. To do this, click Start, type network sharing center in the Start Search box, and then click Network Sharing Center in the Programs list.
  2. Click Manage network connections.
  3. In the Network Connections window, right-click the name of the connection that you want to change, and then click Properties.
  4. In the User Account Control dialog box, click Continue.
  5. In the Connection Properties dialog box, click to select the Security tab, click Advanced (Custom Settings), and then click Settings.
  6. In the Advanced Security Settings dialog box, click to either enable or disable the options for PAP, CHAP and MS-CHAP v2, and then click OK.
If you used the Connection Manager Administration Kit in Windows Vista to create a network connection, you can edit the .cms file for the connection to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps:
  1. Click Start, type notepad in the Start Search box, and then click Notepad in the Programs list.
  2. In the File menu, click Open.
  3. If the connection can be used by all users of the computer, type the following text in the File name box, and then click Open:
    %USERPROFILE%\AppData\Roaming\Microsoft\network\connections\_hiddencm\MSCM-VPN\ConnectionName.cms
    If the connection can be used only by a single user, type the following in the File name box, and then click Open:
    %USERPROFILE%\AppData\Roaming\Microsoft\network\connections\Cm\ConnectionName.cms
    Note In this step, ConnectionName is the name of the connection.
  4. Use one of the following methods:
    • To enable PAP, locate the Require_PAP values in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable PAP, set these values to 0.
    • To enable CHAP, locate the Require_CHAP values in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable CHAP, set these values to 0.
    • To enable MS-CHAP v2, locate the Require_MSCHAP2 values in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable MS-CHAP v2, set these values to 0.
  5. In the File menu, click Save.
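
The following Python check is an added example, not part of the original article or any Microsoft tool. It reads the text of a .cms file and reports how Require_PAP, Require_CHAP and Require_MSCHAP2 are set in every section whose name begins with Server&, including values that are missing or that differ between sections. The function names, the section-matching rule and the sample content are assumptions made for illustration.

```python
import re

# Settings named in the article: 1 enables the protocol, 0 disables it.
KEYS = ("Require_PAP", "Require_CHAP", "Require_MSCHAP2")

def parse_server_sections(text):
    """Return {section name: {lowercased key: value}} for [Server&...] sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip()
            # Assumption: only sections starting with "Server&" are in scope.
            in_scope = name.lower().startswith("server&")
            current = sections.setdefault(name, {}) if in_scope else None
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return sorted findings about the PAP, CHAP and MS-CHAP v2 settings."""
    sections = parse_server_sections(text)
    if not sections:
        return ["no [Server&...] section found"]
    findings = []
    for name, values in sections.items():
        for key in KEYS:
            if key.lower() not in values:
                findings.append(f"[{name}] {key} is not set")
        if values.get("require_pap") == "1":
            findings.append(f"[{name}] PAP is enabled")
        if values.get("require_mschap2") == "0":
            findings.append(f"[{name}] MS-CHAP v2 is disabled")
    # The article changes each value in both sections, so report mismatches.
    for key in KEYS:
        if len({v.get(key.lower()) for v in sections.values()}) > 1:
            findings.append(f"{key} differs between sections")
    return sorted(findings)

# Constructed sample for illustration; not taken from a real profile.
SAMPLE = ("[Unrelated]\nRequire_PAP=1\n"
          "[Server&EntryName]\nRequire_PAP=1\nRequire_CHAP=1\nRequire_MSCHAP2=1\n"
          "[Server&TunnelDUN]\nRequire_PAP=0\nRequire_CHAP=1\nRequire_MSCHAP2=0\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
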
Properties

Article ID: 926170 - Last Review: Oct 22, 2008 - Revision: 1
