When using the Challenge Handshake Authentication Protocol (CHAP) with an iSCSI target, it can be a connection that is bi-directional (or "mutual"), which means that the initiator and target both do authentication. Alternatively, it can be a one-way connection which has only the target authenticating to the initiator.
For more information on using CHAP with FlashArray, please see What is iSCSI CHAP?.
For more general information on Windows Server iSCSI, please refer to this Microsoft documentation.
Configure CHAP on the Windows host:
For Windows Server 2008 R2:
Administrative Tools > iSCSI Initiator > Discovery > Advanced Enter inbound values when adding a target portal. If using a bi-directional (mutual) connection, use the General > Secret area in the iSCSI Initiator Properties dialog to specify a value.
For Windows Server 2012 and later:
Server Manager > Dashboard > Tools > iSCSI Initiator > Targets > Discovery > Advanced Enter inbound values when adding a target portal. If using a bi-directional (mutual) connection, use the Configuration > CHAP area in the iSCSI Initiator Properties dialog to specify a value.
As a best practice, you should not use a password for CHAP authentication that has hexadecimal characters.
Configure CHAP using PowerShell
Create a iSCSI connection to a target with one-way authentication.
Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:rx-7-iscsitarget01-target -AuthenticationType ONEWAYCHAP -ChapUsername "username" -ChapSecret "123456789012345" -IsPersistent $True
Create a iSCSI connection to a target with bi-directional (mutual) authentication.
Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:rx-7-iscsitarget01-target -AuthenticationType MUTUALCHAP -ChapUsername "username" -ChapSecret "123456789012345" -IsPersistent $True
Testing Windows Server iSCSI CHAP
These tests developed by Microsoft will allow you to test the connectivity and authentication of an iSCSI target.