Storage Gateway - CHAP - Authentication Failure to Target


EC2 Windows instance. Volume Storage Gateway. iSCSI connects fine without CHAP. (Image of successful connection provided.) Enter image description here

When trying CHAP, I keep getting 'Authentication Failure' to target. (Error image provided.)

On the target (SG), CHAP is set with the initiator ID from the EC2 instance plus the EC2's initiator secret, as well as a target secret.

On the initiator (EC2), the target name is listed under Targets and Target Portals.

Enter image description here Enter image description here Enter image description here

I did this last week successfully in a test run in another environment. It seems simple enough to enter iSCSI settings.

asked a year ago299 views
2 Answers
Accepted Answer


With the CHAP configuration set for the Volume on the Storage Gateway console, please try the following steps to successfully connect to your volume using CHAP Authentication from a Windows client -

  1. Open the iSCSI Initiator Properties

  2. Choose the 'Configuration' tab:

    a. Click on 'CHAP'.

    b. Enter the 'Target secret' you had configured on the Storage Gateway console here. This is the secret key that the initiator (the Windows client) uses to authenticate the target (the storage volume).

    c. Choose OK.

  3. Now, choose the 'Discovery' tab:

    a. Click on Discover Portal

    b. Enter the IP address of your Volume Gateway. Let the port be set to the default value: 3260.

    c. Click on OK.

  4. Move to the 'Targets' tab:

    a. You should now find your Volume listed as a target with the Status: Inactive

    b. Select the target you want to connect to, and click on Connect

  5. In the 'Connect To Target' dialog box that opens, select 'Advanced':

    a. The 'Advanced Settings' dialog box appears. Here, select the checkbox next to 'Enable CHAP log on'

    b. In the 'Target secret:' field, enter the 'Initiator secret' you specified for this initiator on the Storage Gateway console. This value is the secret key that the initiator (the Windows client) must know to participate in CHAP with the target.

    c. Select the checkbox next to 'Perform mutual authentication'

    d. Click OK

    e. Click on OK again in the 'Connect To Target' dialog box.

  6. With the right secret key values entered, the status of the target should now flip to 'Connected'.

For more information, please see -

I hope this helps!

answered a year ago

Hi Shwetha!

Thank you for spelling it out.

The clincher for me was 5b, " In the 'Target secret:' field, enter the 'Initiator secret'". Rather misleading of them!

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions