Microsoft KB Archive/289884

= CHAP and Reverse Encryption Password Policy =

Article ID: 289884

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q289884



SUMMARY
You cannot configure the Reverse Encryption password setting that is required for the Challenge Handshake Authentication Protocol (CHAP) at the Organizational Unit (OU) level.



MORE INFORMATION
This article is designed to clarify information that is located in the following reference materials:  The Windows 2000 Server Resource Kit in the following location:

Windows 2000 Server Resource Kit\Internetworking guide\Remote Access\Internet Authentication Service\IAS Authentication\Authentication Methods (Enabling CHAP)

 Internet Authentication Service for Windows 2000 White Paper. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

254172 Enabling the Challenge Handshake Authentication Protocol



Each document provides a step-by-step process to configure Windows 2000 to enable the CHAP authentication protocol; however, the statement about the Reverse Encryption password configuration that is included in each of these materials is incorrect. The following information is a correction of these materials.

CHAP Information Correction
In Windows 2000 domains, you can only set the Reverse Encryption password setting at the user level or at the domain level by using the domain Group Policy (GP):

User Level

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Right-click the Users folder under the domain node, and then click Properties.
 * 3) Click the Account tab to find the setting.

Domain Level Through the Domain Group Policy
You cannot use the GP at the Organizational Unit (OU) level; Go to the following location in the domain GP to find the setting:

Windows Settings\Security Settings\Account Policies\Password Policy\Store password using reversible encryption for all users in the domain

You can only set all account policies at the domain level. If they are set at the OU level, they are ignored. For more details about this behavior, please refer to the following resources:  Windows 2000 Server Resource Kit, Chapter 22 on Group Policy, p 1238. 

259576 Group Policy Application Rules for Domain Controllers

Note: Reversibly-encrypted passwords are saved during the change password procedure; therefore, as an existing user, you have to change your password to use CHAP.</ul>

Keywords: kbenv kbinfo KB289884

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.