From owner-freebsd-bugs  Mon Jul 28 01:10:02 1997
Return-Path: <owner-freebsd-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id BAA17235
          for bugs-outgoing; Mon, 28 Jul 1997 01:10:02 -0700 (PDT)
Received: (from gnats@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id BAA17228;
          Mon, 28 Jul 1997 01:10:01 -0700 (PDT)
Date: Mon, 28 Jul 1997 01:10:01 -0700 (PDT)
Message-Id: <199707280810.BAA17228@hub.freebsd.org>
To: freebsd-bugs
Cc: 
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Subject: Re: kern/4119: can't connect to Win NT 4.0 RAS using MS CHAP  and CBCP
Reply-To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/4119; it has been noted by GNATS.

From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <freebsd-gnats-submit@freebsd.org>
Cc:  Subject: Re: kern/4119: can't connect to Win NT 4.0 RAS using MS CHAP  and CBCP
Date: Mon, 28 Jul 1997 01:03:43 -0700

 Further investigation on this,
 
 Microsoft's MS-CHAP is different from regular CHAP because they use MD4,
 rather than MD5 as standard CHAP does.
 
 MS has released preliminary standards-based MD5-CHAP support in Service
 Pack 3 for NT Server 4.0.  In addition to MD5-CHAP support, many security
 holes have been closed with this service pack, so it is unlikely that
 anyone running a Windows NT 4.0 server is going to resist applying this
 service pack.
 
 It is not enough to simply apply the service pack, a Registry Key must be
 altered in the NT Server to turn on MD5 support in CHAP.  This is explained
 in the service pack readme, as well as in the Microsoft Knowledgebase on
 their web site.
 
 Win95 Dialup Networking clients will use either the standards-based MD5 or
 MD4-based MS-CHAP to authenticate, so turning on MD5-CHAP support in NT
 Server with this registry key should not affect them.  In addition, Win95
 Dialup Networking clients by default don't require encrypted passwords, so
 it is unlikely that casual installation of 95 clients dialup networking
 will have turned on the checkbox for requiring encrypted passwords.  As a
 result, even if the 95 clients cannot authenticate to a patched NT Server
 using CHAP, they will simply switch over to PAP.