Microsoft KB Archive/926170

= The MS-CHAP version 1 authentication protocol has been deprecated in Windows Vista =

Article ID: 926170

Article Last Modified on 3/15/2007

-

APPLIES TO


 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Home Basic
 * Windows Vista Home Premium
 * Windows Vista Ultimate
 * Windows Vista Enterprise 64-bit edition
 * Windows Vista Home Basic 64-bit edition
 * Windows Vista Home Premium 64-bit edition
 * Windows Vista Ultimate 64-bit edition
 * Windows Vista Business 64-bit edition

-



INTRODUCTION
The Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) has been deprecated in Windows Vista. This article discusses this change and provides methods to work around it.



MORE INFORMATION
In Windows Vista, Microsoft has removed MS-CHAP v1 from the list of authentication protocols for dial-up connections, for broadband (PPPoE) connections, and for virtual private network (VPN) connections. This change has been made because MS-CHAP version 2 (MS-CHAP v2) provides better security than the following protocols do:
 * MS-CHAP v1
 * The Challenge Handshake Authentication Protocol (CHAP)

Note CHAP provides an equivalent level of security to MS-CHAP.
 * The Password Authentication Protocol (PAP)

Note PAP is less secure than MS-CHAP.

Microsoft Windows 2000 and later operating systems support MS-CHAP v2, CHAP and PAP. By default, both CHAP and MS-CHAP v2 are enabled for dial-up and PPPoE connections in Windows Vista.

If you used the Set up a connection or network wizard in Windows Vista to create a network connection, you can use the Network Sharing Center to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps:
 * 1) Open the Network Sharing Center. To do this, click Startvistastartbutton.jpg], type network sharing center in the Start Search box, and then click Network Sharing Center in the Programs list.
 * 2) Click Manage network connections.
 * 3) In the Network Connections window, right-click the name of the connection that you want to change, and then click Properties.
 * 4) In the User Account Control dialog box, click Continue.
 * 5) In the Connection Properties dialog box, click to select the Security tab, click Advanced (Custom Settings), and then click Settings.
 * 6) In the Advanced Security Settings dialog box, click to either enable or disable the options for PAP, CHAP and MS-CHAP v2, and then click OK.

If you used the Connection Manager Administration Kit in Windows Vista to create a network connection, you can edit the .cms file for the connection to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps:  Click Start, type notepad in the Start Search box, and then click Notepad in the Programs list. In the File menu, click Open. If the connection can be used by all users of the computer, type the following text in the File name box, and then click Open:

%USERPROFILE%\AppData\Roaming\Microsoft\network\connections\_hiddencm\MSCM-VPN\ .cms

If the connection can be used only by a single user, type the following in the File name box, and then click Open:

%USERPROFILE%\AppData\Roaming\Microsoft\network\connections\Cm\ .cms

Note In this step,  is the name of the connection. Use one of the following methods:  To enable PAP, locate the Require_PAP values in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable PAP, set these values to 0. To enable CHAP, locate the Require_CHAPvalues in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable CHAP, set these values to 0. To enable MS-CHAP v2, locate the Require_MSCHAP2 values in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable MS-CHAP v2, set these values to 0.</li></ul> </li> In the File menu, click Save.</li></ol>

Keywords: kbtshoot kbexpertiseinter kbexpertiseadvanced kbinfo KB926170

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.