Authentication Protocols

A first step in establishing a remote access connection is authenticating the user to the server. An authentication protocol is used here. Windows Server 2008 ships with five different authentication protocols all with varying compatibility and security levels.

Use the buttons below to navigate through the lesson


Password Authentication Protocol (PAP) is the most basic of all authentication protocols. It transmits all authentication details in clear text with no encryption. This makes this protocol vulnerable to hackers. Also client and server are unable to authenticate with each other. PAP should be disabled unless it is needed by down-level clients who only support PAP.

Shiva Password Authentication Protocol (SPAP) is a slightly more secure version of PAP that is used for talking to remote-access hardware devices made by Shiva (now owned by Intel). SPAP is included for backward compatibility but is rarely used.

Challenge Handshake Authentication Protocol (CHAP) is a lot more secure than PAP and SPAP because it doesn’t transmit the password in clear text. The server sends a challenge to the client which must decrypt it and return the correct response. This allows the server to verify the user’s credentials without sending them across an insecure link.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). Microsoft has extended CHAP to use integrated Windows authentication. There are two versions of MS-CHAP: v1,v2. MS-CHAP v2 is more secure than MS-CHAP v1 but not all systems support MS-CHAP v2.

MS-CHAP v2 provides better security than MS-CHAP v1 because it doesn’t allow LAN manager passwords. In addition, MS-CHAP v2 provides two-way authentication so that both client and server can authenticate with each other. On the downside older clients either don’t support MS-CHAP v2 or will need an upgrade patch to use it.

Extensible Authentication Protocol (EAP). Using EAP a client-server pair can negotiate an authentication method. This allows for the use of different security methods such as certificates.  EAP is used in devices such as smart-card readers and finger-print readers because it can be configured to work with different security types.