Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol which is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs. Microsoft cautions that any organizations that use MS-CHAP v2 without encapsulation in conjunction with PPTP tunnels for VPN connectivity are running in a potentially nonsecure configuration. 


Microsoft suggests that organizations using MS-CHAP v2/PPTP implement the Protected Extensible Authentication Protocol (PEAP) in their networks. This mitigates this technique by encapsulating the MS-CHAP v2 authentication traffic in TLS.

Configure PPTP to use PEAP-MS-CHAP v2 for authentication


PEAP with MS-CHAP v2 as the client authentication method is one way to help secure VPN authentication. To enforce the use of PEAP on client platforms, Windows Routing and Remote Access Server (RRAS) servers should be configured to allow only connections that use PEAP authentication, and to refuse connections from clients that use MS-CHAP v2 or EAP-MS-CHAP v2. Administrators must check the corresponding authentication method options on the RRAS server and the Network Policy Server (NPS) server. 

Administrators must also confirm the following:

  • Server certificate validation is turned ON. (The default behavior is ON.)

  • Server Name validation is turned ON. (The default behavior is ON.) The correct server name must be specified.

  • The root certificate from which the Server certificate was issued is installed correctly on the client system’s store and is turned ON. (Always ON).

  • On Windows 7, Windows Vista, and Windows XP, the Do not prompt user to authorize new servers or trusted certification authorities check box in the PEAP properties window should be enabled. By default, it is disabled.

Configure the RRAS Server for the PEAP-MS-CHAP v2 authentication method

The procedure for configuring the PEAP-MS-CHAP v2 authentication method for the RRAS server and for turning off the less secure methods MS-CHAP v2 and EAP-MS-CHAP v2 is briefly described in the following steps. 

Configure the authentication method for RRAS

To do this, follow these steps:

  1. In the RRAS Server Management window, open the Server Properties dialog box, and then click the Security tab.

  2. Click Authentication Methods.

  3. Make sure that the EAP check box is selected and that the MS-CHAP v2 check box is not selected.

Configure connections for NPS

Configure the Network Policy Server (NPS) to only allow connections from clients that use the PEAP-MS-CHAP v2 authentication method. To configure NPS, follow these steps:

  1. Open the NPS UI, click Policies, and then click Network Policies.

  2. Right-click Connections to Microsoft Routing and Remote Access Server, and then select Properties.

  3. On the Properties UI, click the Constraints tab.

  4. In the left Constraints pane, select Authentication Methods, and then click to clear the check boxes for the MS-CHAP and MS-CHAP-v2 methods.

  5. Remove EAP-MS-CHAP v2 from the EAP Types list.

  6. Click Add, select PEAP authentication method, and then click OK.

    Note A valid Server certificate must be installed in the "Personal" store, and a valid root certificate must be installed in the "Trusted Root CA" store of the server before configuring the NPS connection.

  7. Click Edit, and then select EAP-MS-CHAP v2 as the authentication method.

Configure the RRAS Client for PEAP-MS-CHAP v2 authentication method

Windows VPN clients can be configured to use the PEAP-MS-CHAP v2 authentication method by selecting the corresponding method from the VPN connection properties UI and by installing the appropriate root certificate on the client system.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!