Re: permanent removal of CHAP and SPAP keys from the RRAS registry sections

Malcolm Joosse ( (no email) )
Fri, 27 Feb 1998 09:56:01 +1100

Hello Janjic & List,
I had a problem with a device that was ment to work with MS-CHAP and PAP but
was only tested with RAS not RRAS. I found this device ( Banksia Webramp M3)
would not authenticate and after much grief from Banksia who said it should
work I decided to try some things out and doing the change below fixed my

Hope this fixes your problem.


PSS ID Number: Q172216
Article last modified on 09-03-1997



The information in this article applies to:

- Microsoft Windows NT Server version 4.0
- Microsoft Routing and Remote Access Service Update for Windows NT
Server 4.0


This article discusses the method for forcing a Routing and Remote Access
(RRAS) server for Windows NT 4.0 to authenticate RAS clients using PAP
instead of CHAP, SPAP, or MS-CHAP. This may be necessary, depending on your
RAS clients or some third-party authentication solutions.


If your RRAS server is configured to "Allow any authentication including
clear text," a RAS client is able to connect with PAP, SPAP, CHAP, or MS-
CHAP depending on what the client supports. Normally, a Microsoft RAS
client will attempt to connect with CHAP or MS-CHAP, if that is valid for
the RAS server to which it is connecting.

To force a RAS client to use PAP, you must delete the SPAP and CHAP
registry keys from your RAS Server using the following steps:

WARNING: Using Registry Editor incorrectly can cause serious, system-wide
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.

1. Start Registry Editor (Regedt32.exe).

2. Go to the following subkey:


3. Click SPAP, click Edit, and click Delete.

4. Click Yes to confirm the deletion.

5. Click CHAP, click Edit, and click Delete.

6. Click Yes to confirm the deletion.

7. Close Registry Editor and stop and restart the Routing and Remote
Access Service.

NOTE: This will not work on normal Windows NT RAS servers, only Windows NT
4.0 RAS servers that have Routing and Remote Access installed. If you
delete these registry keys on a normal RAS server, the RAS services will
fail to start after you restart.

The following two scenarios require the above steps to force RAS clients to
use PAP authentication:

- You are using a PPP client that can only use PAP, but does not notify
the RAS server that it needs to use PAP during the LCP negotiation.


- You are using the new Radius client included in the Routing and Remote
Access Service Update. Many Radius servers do not accept the attribute
60 CHAP Challenge that the Radius Client sends to the Radius server when
authenticating a RAS client using CHAP. This is a valid attribute
according to RFC 2058: "Remote Authentication Dial In User Service
(RADIUS)" however, many older Radius servers cannot handle this newer

For additional information, please see the following article(s) in the
Microsoft Knowledge Base:

TITLE : Remote Access Services Authentication Summary
Keywords : nthowto ntnetserv ntrouter NTSrv kbnetwork
Version : WinNT:4.0
Platform : winnt
Issue type : kbhowto kbinfo
Solution Type : kbworkaround
Copyright Microsoft Corporation 1997.

-----Original Message-----
From: <>
To: <>
Date: Thursday, 26 February 1998 10:22
Subject: permanent removal of CHAP and SPAP keys from the RRAS registry

>Where should I delete CHAP and SPAP entries in NT RRAS configuration files,
>for the change to be permananet. I found no .ini file.
>Predrag Janjic
>Networking Department
>SIMT d.o.o. - Skopje
> ----------------------------------------------------------
> NTISP Mailing List