Frequently Asked Question:
How to make a Macintosh PPP connection to Windows NT RAS
1. Background
2. PAP Authentication ("clear text")
3. Macintosh Setup
4. Other Authentication Protocols (MS-CHAP, CHAP)
5. Accessing the Windows Network
6. Limitations (Accessing Macintosh volumes)
7. Callback to a NT RAS Server
1. Background
Many companies (and some ISPs) are using the Windows NT RAS server to provide remote access to their networks and to the Internet.
A common problem occurs when the NT RAS (Remote Access Service) is set to a non-standard type of PPP authentication, called MS-CHAP.
The RAS server can also negotiate standard CHAP authentication after some changes to the Windows NT registry; see below.
2. PAP Authentication ("clear text")
The easiest solution is to set the NT RAS server to use PAP authentication, which is supported by most PPP software (Macintosh).
Directions to make this change in the NT RAS server:
- Go to Control Panel.
- Double-click the Network icon.
- Scroll in box under Installed Network Software and select Remote Access Service, then click on the Configure button.
- In the Remote Access Setup window, click the Network... button.
- You are now at the Network Configuration window where the change is made.
- Under Encryption Settings: select "Allow any authentication including clear text".
3. Macintosh Setup
Note: This assumes "clear text" has been enabled on the RAS server
The two most common PPP programs are Open Transport/PPP (OT/PPP) and FreePPP.
OT/PPP Setup:
- In the TCP/IP control panel, select both "Connect via PPP" and "Configure Using PPP server". Enter one or more DNS server IP addresses.
- In the PPP control panel, enter your NT domain username and password.
Select the "Options..." button, then the "Protocol" tab:
- "Allow error correction and compression in modem" Yes
- "Use TCP header compression" Yes
- "Connect to a command-line host" No
Note: Do not select "Configure Using DHCP server"
Note: You may have to enter "domain\username" instead of "username"
FreePPP Setup:
Enter the NT domain username and password in the Authentication dialog. See note above.
4. Other Authentication Protocols (MS-CHAP, CHAP)
If you are unable to have the NT RAS server set to "clear text", then there are other options:
ARA 3.1 client, included with Mac OS 8.5 (shipping October 1998), will support MS-CHAP and "PPP IPCP Extensions for Name Server Addresses" (RFC 1877). This will solve most compatibility problems with Windows NT RAS.
ARA 3.1 replaces OT/PPP, as well as earlier versions of ARA client.
There is a PPTP client for Macintosh called TunnelBuilder for Mac Remote, sold by NTS, which is capable of MS-CHAP authentication ("Require Microsoft encrypted authentication"). It works very well as a PPP client. There is a time-limited evaluation version available.
TunnelBuilder is not capable of callback, if that has been enabled on the RAS server.
The IntragyAccess package, sold by Ascend, includes the Ascend PPP dialer which, according to the data sheet, supports PAP, CHAP and MS-CHAP authentication.
Alternatively, as of NT 4.0, Service Pack 2, the RAS is capable of using standard CHAP authentication (supported by most PPP software).
Here are the instructions from the most recent NT 4.0 service pack:
3.4 Remote Access Service PPP CHAP MD5 Authenticator Support
------------------------------------------------------------
Service Pack 3 provides limited PPP MD5-CHAP authenticator support to the Remote Access Server, which may be useful for small user-count environments using non-Microsoft PPP dial-in clients. The support is local to a given RAS server. The MD5 account information is stored in the RAS server registry and is not integrated or synchronized with the User Manager account database. Integrated support will appear in a later release, at which time this limited support may be removed.
The local MD5-CHAP authenticator is enabled by creating the MD5 key below and adding "account" subkeys of the form [<domain>:]<user>, with subvalue "Pw" containing the account password. The ":" notation is used instead of "\" due to the syntax rules of registry keys. The 'domain:' is optional and typically omitted. MD5-CHAP will not be negotiated (old behavior) when the MD5 key does not exist (default).
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP\MD5
    [<domain>:]<user>
        (REG_SZ)Pw
Note: These user accounts cannot be managed with the standard Windows NT utilities.
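To make the difference between the "clear text" (PAP) setting in section 2 and the MD5-CHAP authenticator above concrete, the following added example (not part of the original FAQ or the service pack notes) builds a PAP Authenticate-Request per RFC 1334 and a CHAP Response per RFC 1994, then checks the response the way an authenticator would. The account name and password are constructed sample values, and `stored_pw` stands in for the registry "Pw" value.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample account, not taken from the FAQ.
USER = b"macuser"
PASSWORD = b"correct horse"

def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): the password travels as-is."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_value(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_response(ident, name, secret, challenge):
    """CHAP Response packet (Code 2): Value-Size, Value, Name."""
    value = chap_value(ident, secret, challenge)
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data

def server_verify(ident, challenge, packet, stored_pw):
    """Authenticator side: recompute the hash from the stored password.

    stored_pw plays the role of the registry "Pw" value; the server needs
    the password itself, not a one-way hash of it, to do this check.
    """
    if len(packet) < 5:
        return False
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or pid != ident or length != len(packet):
        return False
    size = packet[4]
    value = packet[5:5 + size]
    return hmac.compare_digest(value, chap_value(ident, stored_pw, challenge))

if __name__ == "__main__":
    challenge = os.urandom(16)          # fresh per authentication attempt
    pap = pap_request(1, USER, PASSWORD)
    chap = chap_response(7, USER, PASSWORD, challenge)
    print("password visible in PAP frame: ", PASSWORD in pap)
    print("password visible in CHAP frame:", PASSWORD in chap)
    print("server accepts:", server_verify(7, challenge, chap, PASSWORD))
```

With PAP the password bytes appear verbatim in the frame, while CHAP sends only a hash bound to a per-attempt challenge. The trade-off is that the authenticator must hold the password in recoverable form, which is why the registry key above carries it as a REG_SZ value and should be access-restricted accordingly.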
5. Accessing the Windows Network
One can access Windows NT/95 shared volumes over the RAS link using DAVE, sold by Thursby.
DAVE Tips:
To enable browsing of the Windows "Network Neighborhood" (using the Chooser) one has to enter the IP address for the primary WINS server (and secondary if available) in the NetBIOS control panel.
In the Administrator Options, change the NetBIOS mode to P.
If your company is using Microsoft Exchange Server for email, then the full Macintosh Outlook client is available for download and it will work over the RAS connection.
Note that SP1_55MA.EXE is 7MB smaller than SP1_55MA.hqx, and can be unzipped on the Macintosh using ZipIt.
DAVE is not required for use of the Exchange client.
Exchange Tips:
One common problem is solved by entering the name of the Exchange server in lowercase in the Exchange client setup.
If the Exchange setup isn't working, ensure that you are able to ping the Exchange server, by host name. A good ping utility is Mac TCP Watcher.
If your company is using MS Proxy Server then there are some special considerations to be aware of.
6. Limitations
Currently, NT RAS does not support the AppleTalk protocol.
This means that one cannot access Macintosh volumes shared by the Windows NT "Services for Macintosh" (except by setting up a separate ARA server, or a PPP server capable of ATCP).
The Windows NT "Services for Macintosh" do not support AFP over TCP/IP (e.g. AppleShare IP).
These limitations are fixed in NT Server 5.0 (currently in beta).
7. Callback to a NT RAS Server
The callback feature of the NT RAS uses a LCP extension called CBCP (CallBack Control Protocol). It's not clear if this Microsoft implementation differs from the current IETF Internet Draft. There is also mention of callback in RFC 1570, "PPP LCP Extensions".
Note that this lack of CBCP cannot be made up at the scripting level; the capability has to be added to the PPP client.
AccessPPP is a freeware Macintosh PPP client which has callback support for Windows NT RAS server. It can only use PAP authentication (clear text). There are some reports of problems getting AccessPPP to work.
References
Remote Access Services Authentication Summary
The MacWindows site is a great source of information about Macintosh/Windows integration.
Also see the DOS/Windows Compatibility page by Richard Long.
There is a Macintosh section in the Windows NT FAQ.
The Mac2NT site is a good resource for anyone needing to work with both Macintosh and Windows 95/NT systems.
Boyd Waters has an excellent site on Windows NT and Macintosh Integration.
Author: Richard Birchall
Updated: October 6, 1998
Please send comments and corrections to aa158@valleynet.on.ca