NPS: LAN Manager Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2

Although the use of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) or LAN Manager authentication is not recommended for security reasons, you can enable LAN Manager authentication by using this registry setting to support older Microsoft Windows operating systems on your network.

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

By default, MS-CHAP for Windows Server 2008 does not support LAN Manager authentication.

Although the use of MS-CHAP or LAN Manager authentication is not recommended for security reasons, you might need to deploy one or both of these authentication methods to support legacy clients. If you deploy MS-CHAP with change password capability enabled in Internet Authentication Service (IAS), you must also deploy LAN Manager authentication.

To enable LAN Manager authentication

If you want to enable the use of LAN Manager authentication with MS-CHAP for older Windows operating systems such as Windows NT 3.5 and Windows 95, you must set Allow LM Authentication to 1 on the authenticating server.

To disable LAN Manager authentication

LAN Manager authentication is disabled by default. However, if you have previously enabled it and want to disable it again, set Allow LM Authentication to 0.