Enabling 128-bit RAS Data Encryption.

A. Service Pack 3 (128 bit version) introduced the ability to use 128-bit RAS data encryption with a Windows NT 4.0 RAS server as opposed to the normal 40-bit encryption.

To enable this 128-bit encryption perform the following:

  1. Start the Network control panel applet (Start - Settings - Control Panel - Network)
  2. Select the services tab
  3. Select Remote Access Service and click Properties
  4. Click Network then Require Microsoft encrypted authentication
  5. Click Require data encryption and click OK
  6. Click continue and close the Network control panel applet
  7. Do not restart the computer at this point

It is now necessary to enable the 128-bit setting:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\COMPCP
  3. From the Edit menu select New - DWORD value
  4. Enter a name of ForceStrongEncryption and press Enter
  5. Double click the new value and set to 1. Click OK
  6. Close the registry editor
  7. Reboot the computer

After reboot is completed clients connecting via RAS or PPTP will have to authenticate using 128-bit key encryption. A number of event logs can be viewed using Event Viewer (Start - Programs - Administrative Tools - Event Viewer).

If a successful connection is made you will see the log:

Event ID: 20107
Source: RemoteAccess
Description: The user RAS connected to port COMx using strong encryption

If the connection was unsuccessful you will see entry

Event ID: 20077
Source: RemoteAccess
Description: An error occurred in the Point to Point Protocol module on port COMx. The remote computer does not support the required encryption type.

The client attempting connection would also receive a 629 error.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.