Question
Friday, July 20, 2012 6:07 PM
I have a Windows 2008 R2 Domain Controller that I installed NPS on. I have configured it to accept RADIUS requests and I can get it to accept RADIUS requests from clients using PAP authentication but not CHAP. The Reason code is 19 which means that I need to check “store password using reversible encryption” in the AD user account I am using. I was able to duplicate the error in my test domain and if I do check reversible encryption for the user account, the authentication request using CHAP is successful. However, even after checking the reversible encryption in the production domain, CHAP authentication still fails with reason code 19.
Any ideas why this is happening? Besides the NPS log file, is there any other place I can look to troubleshoot the problem? I didn't see anything in the event logs.
Steve
All replies (4)
Monday, July 23, 2012 9:15 AM ✅Answered
Hi,
Thanks for your post.
If you use the Challenge Handshake Authentication Protocol (CHAP) for authentication, then you must set the value for "Store password using reversible encryption" for all users in the domain to Enabled. The location is listed below, and the setting is disabled by default.
GPO_name\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
For more detailed information, you may refer to the following article.
Account Policy Settings
http://technet.microsoft.com/de-de/library/cc757692(v=ws.10).aspx
NPS Reason Codes 0 Through 37
http://technet.microsoft.com/pt-pt/library/dd197464(v=ws.10)
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Friday, July 20, 2012 6:38 PM
I think I found the problem. Our default domain policy has “store password using reversible encryption” set to disabled so it would be overwriting any setting I check in the user account.
Steve
Friday, July 20, 2012 7:17 PM
As a follow-up, I discovered that it is set to disabled in my default domain policy in my test domain as well. Still not sure.
Steve
Friday, May 22, 2015 6:28 PM | 1 vote
This is mostly for anyone that finds this page googling:
Once you enable reversible encryption on an account, you have to reset the password so that the new password is reversible.
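Added example, not part of the original thread: a small Python model of why CHAP verification needs a recoverable password and why enabling the flag alone does not help until the password is set again. The `Account` class, the SHA-256 stand-in for the stored one-way hash, the result strings and all sample values are assumptions constructed for illustration; only the MD5 calculation follows RFC 1994.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5 over identifier octet + cleartext secret + challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Account:
    """Constructed stand-in for a directory account, not the real AD schema."""

    def __init__(self, password: str, reversible: bool = False):
        self.reversible = reversible
        self.set_password(password)

    def set_password(self, password: str) -> None:
        # A one-way hash is always stored (SHA-256 is a stand-in here).
        self.one_way = hashlib.sha256(password.encode()).digest()
        # A recoverable copy is written only if the flag is on at change time.
        self.recoverable = password.encode() if self.reversible else None


def verify_chap(acct: Account, ident: int, challenge: bytes, response: bytes) -> str:
    # The one-way hash cannot be fed into the MD5 above; cleartext is required.
    if acct.recoverable is None:
        return "reject: no recoverable password"
    expected = chap_response(ident, acct.recoverable, challenge)
    ok = hmac.compare_digest(expected, response)
    return "accept" if ok else "reject: bad response"


def demo() -> list:
    password = "Constructed-Pa55"            # constructed sample value
    ident, challenge = 7, bytes(range(16))   # constructed challenge
    response = chap_response(ident, password.encode(), challenge)  # client side
    acct = Account(password)                 # flag off when password was set
    results = [verify_chap(acct, ident, challenge, response)]
    acct.reversible = True                   # tick the box, password untouched
    results.append(verify_chap(acct, ident, challenge, response))
    acct.set_password(password)              # reset with the flag enabled
    results.append(verify_chap(acct, ident, challenge, response))
    return results


if __name__ == "__main__":
    print(demo())
```

The first two results are rejections and only the third is an accept, matching the observation above that the password has to be reset after the setting is enabled.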