By default, Routing and Remote Access and Internet Authentication Service on Windows Server 2003 and on Windows 2000 do not support clients that use LAN Manager authentication with Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1). Windows 2000-based clients and Windows XP-based clients do not use LAN Manager authentication with MS-CHAP v1 and do not experience this problem.
Method 1
Change the remote access policy on your server to permit only MS-CHAP v2 authentication. Use this method only if all your dial-up clients or virtual private network (VPN) clients support MS-CHAP v2 authentication. To do this, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
- Right-click the server name that you want to enable authentication protocols for, and then click Properties.
- On the Security tab, click Authentication Methods.
- In the Authentication Methods dialog box, click to select the Microsoft Encrypted Authentication Method version 2 (MS-CHAP v2) check box. Click to clear all the other check boxes, and then click OK two times.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To permit LAN Manager authentication with MS-CHAP v1 for operating systems that are earlier than Windows 2000, change the following registry value to 1 on the authenticating server:
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate and then double-click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication
- In the Value data box, type 1, and then click OK.
Note: In Windows Server 2003, the default value is 0 (off). By default, Windows 2000 Server supports LAN Manager authentication. When you upgrade a computer that is running Windows 2000 Server to a member of the Windows Server 2003 family, the existing value for the Allow LM Authentication registry key is preserved.
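The following PowerShell function is an added example, not part of the original article. It performs a read-only audit of the Allow LM Authentication value on one or more servers, which is useful after an upgrade from Windows 2000 Server because the earlier setting is preserved. The function name Get-AllowLmAuthentication and the server names RRAS01 and RRAS02 are hypothetical, and remote reads assume that the Remote Registry service is reachable.

```powershell
# Added example: read-only audit of "Allow LM Authentication" on remote access servers.
# The function name and the server names in the usage line are hypothetical.
function Get-AllowLmAuthentication {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $hive      = [Microsoft.Win32.RegistryHive]::LocalMachine
    $subKey    = 'System\CurrentControlSet\Services\RemoteAccess\Policy'
    $valueName = 'Allow LM Authentication'

    foreach ($computer in $ComputerName) {
        $state = 'Unknown'; $data = $null; $base = $null; $key = $null
        # An empty machine name makes OpenRemoteBaseKey use the local registry.
        $target = $computer
        if ('.', 'localhost', $env:COMPUTERNAME -contains $computer) { $target = '' }
        try {
            # Assumption: Remote Registry is reachable for non-local targets.
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $target)
            $key  = $base.OpenSubKey($subKey)     # opened read-only
            if ($null -eq $key) {
                $state = 'PolicyKeyMissing'
            } else {
                $data = $key.GetValue($valueName, $null)
                if     ($null -eq $data) { $state = 'NotSet' }    # OS default applies
                elseif ($data -eq 1)     { $state = 'Enabled' }   # LM auth with MS-CHAP v1 permitted
                elseif ($data -eq 0)     { $state = 'Disabled' }
                else                     { $state = 'UnexpectedData' }
            }
        } catch {
            $state = 'Error: ' + $_.Exception.Message
        } finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
        New-Object PSObject -Property @{
            ComputerName = $computer; Value = $data; State = $state
        }
    }
}

# Constructed usage: show only the servers that still permit LM authentication.
Get-AllowLmAuthentication -ComputerName 'RRAS01', 'RRAS02' |
    Where-Object { $_.State -eq 'Enabled' }
```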
- Microsoft Windows 95 with the Dial-up Networking 1.3 or 1.4 update installed
- Microsoft Windows 98 with the Dial-up Networking 1.4 update installed
- Microsoft Windows 98 Second Edition
- Microsoft Windows Millennium Edition
- Microsoft Windows NT 4.0 Service Pack 4 or later
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Article ID: 826157 - Last Review: Jan 4, 2008 - Revision: 1