Article ID: 926170
Article Last Modified on 3/15/2007
APPLIES TO
- Windows Vista Business
- Windows Vista Enterprise
- Windows Vista Home Basic
- Windows Vista Home Premium
- Windows Vista Ultimate
- Windows Vista Enterprise 64-bit edition
- Windows Vista Home Basic 64-bit edition
- Windows Vista Home Premium 64-bit edition
- Windows Vista Ultimate 64-bit edition
- Windows Vista Business 64-bit edition
INTRODUCTION
The Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) has been deprecated in Windows Vista. This article discusses this change and provides methods to work around it.
MORE INFORMATION
In Windows Vista, Microsoft has removed MS-CHAP v1 from the list of authentication protocols for dial-up connections, for broadband (PPPoE) connections, and for virtual private network (VPN) connections. This change has been made because MS-CHAP version 2 (MS-CHAP v2) provides better security than the following protocols do:
- MS-CHAP v1
- The Challenge Handshake Authentication Protocol (CHAP)
Note CHAP provides an equivalent level of security to MS-CHAP.
- The Password Authentication Protocol (PAP)
Note PAP is less secure than MS-CHAP.
Microsoft Windows 2000 and later operating systems support MS-CHAP v2, CHAP and PAP. By default, both CHAP and MS-CHAP v2 are enabled for dial-up and PPPoE connections in Windows Vista.
If you used the Set up a connection or network wizard in Windows Vista to create a network connection, you can use the Network Sharing Center to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps:
- Open the Network Sharing Center. To do this, click Start[[File:../gfx/vistastartbutton.jpg|[GRAPHIC: the Start button]]], type network sharing center in the Start Search box, and then click Network Sharing Center in the Programs list.
- Click Manage network connections.
- In the Network Connections window, right-click the name of the connection that you want to change, and then click Properties.
- In the User Account Control dialog box, click Continue.
- In the Connection Properties dialog box, click to select the Security tab, click Advanced (Custom Settings), and then click Settings.
- In the Advanced Security Settings dialog box, click to either enable or disable the options for PAP, CHAP and MS-CHAP v2, and then click OK.
If you used the Connection Manager Administration Kit in Windows Vista to create a network connection, you can edit the .cms file for the connection to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps:
- Click Start[[File:../gfx/vistastartbutton.jpg|[GRAPHIC: the Start button]]], type notepad in the Start Search box, and then click Notepad in the Programs list.
- In the File menu, click Open.
- If the connection can be used by all users of the computer, type the following text in the File name box, and then click Open:
%USERPROFILE%\AppData\Roaming\Microsoft\network\connections\_hiddencm\MSCM-VPN\
ConnectionName
.cmsIf the connection can be used only by a single user, type the following in the File name box, and then click Open:
%USERPROFILE%\AppData\Roaming\Microsoft\network\connections\Cm\
ConnectionName
.cmsConnectionName
is the name of the connection. - Use one of the following methods:
- To enable PAP, locate the Require_PAP values in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable PAP, set these values to 0.
- To enable CHAP, locate the Require_CHAPvalues in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable CHAP, set these values to 0.
- To enable MS-CHAP v2, locate the Require_MSCHAP2 values in the [Server&EntryName] section and in the [Server&TunnelDUN] section, and set the values to 1. To disable MS-CHAP v2, set these values to 0.
- In the File menu, click Save.
Keywords: kbtshoot kbexpertiseinter kbexpertiseadvanced kbinfo KB926170