leederbyshire.com  Mobile web applications for Microsoft Exchange Server.

Adding no captcha reCAPTCHA Validation To Your Outlook Web App Forms Based Authentication Logon Page

In this article, I will describe how to add the new no-captcha recaptcha widget to your Outlook Web App 2010 Forms-based Authentication page. I am not entirely sure that it makes it any more secure, but many people are nevertheless interested in doing it, so here goes...

If you want to try it yourself, you'll need to go to the reCAPTCHA site, and get a Public key and a Private key for your web site. These will be used in the code that we add to the FBA logon page. I am not sure if older keys (generated for the original version of recaptcha) are still compatible. My first experiment with this suggests that they might not be. Remember when you create the key that you must use the public name for your OWA site, and then use that name in your URL when doing your testing. You can't generate a key for one server name, and then use a different one in your URL - recaptcha will complain.

ReCAPTCHA validates user input by posting it to the Google reCAPTCHA validator. We need to create an XMLHTTPRequest requester (using JavaScript) to POST the user input to Google. The first problem I encountered was that XMLHTTPRequest refuses to POST data to a different site other than the one you've loaded the current page from. This, apparently, is thanks to a security policy called the Same Origin Policy. This means we need to create an additional page on our own server to act as a proxy, and do the POSTing for us. This extra page returns a success or fail code to the FBA page, telling it whether to proceed with the logon, or not. It turns out that this has the added benefit of us not having to put our private key in the source for the FBA page (which would make it no longer really private).

So, first we create this additional 'proxy' page on our server. I put it in my C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth folder (along with the existing FBA files). I called it Recaptcha.aspx, and it has the following contents (created in Notepad). Note that you should use your own reCAPTCHA PRIVATE key where it says "6Le8H...".

<% @ Page AspCompat=True Language = "VB" %>
' Put your own private key in the next line
Dim strPrivateKey As String = "6Le8H....."
Dim strResponse = Request("response")
Dim objWinHTTP As Object
objWinHTTP = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objWinHTTP.Open("POST", "https://www.google.com/recaptcha/api/siteverify", False)
objWinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
Dim strData As String = "secret=" & strPrivateKey & _
  "&response=" & strResponse
Dim strResponseText = objWinHTTP.ResponseText

Next, make a backup of the logon.aspx file in the same folder, because we now need to open, and amend, it using Notepad. First, find the <form> tag by searching (using CTRL-F) for the text "<form". When you find it, change its action attribute to an empty string, like this (I'm only showing the first part of the line):

<form action="" method="POST" name="logonForm" ENCTYPE=

Then, search for the text basicExplanationContent. You should find it in a block like this:

                <td><%=basicExplanationContent %></td>
            <% } %>
<% } %>

Immediately after that last line, insert the following code. Again, note that instead of 6Le8H..., you should insert your own reCAPTCHA PUBLIC key:

<script type="text/javascript">
function myClkLgn()
  var oReq = new XMLHttpRequest();
  var sResponse = document.getElementById("g-recaptcha-response").value;
  var sData = "response=" + sResponse;
  oReq.open("GET", "/owa/auth/recaptcha.aspx?" + sData, false);
  if (oReq.responseText.indexOf("true") != -1)
    document.forms[0].action = "/owa/auth.owa";
    alert("Invalid captcha response");
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="6Le8H....."></div>

Nearly there, now. Search for the text "clkLgn". You'll find it on a line that ends like this:

(Strings.IDs.LogOn) %>" onclick="clkLgn()"

Change it to read

(Strings.IDs.LogOn) %>" onclick="myClkLgn()"

so that it calls our added code (above) when the user submits the form. Save the file, close Notepad, and that should be it. Your FBA logon page should now look like this:


Outlook Shared Folder With Nexus
Copyright © 2018 Lee Derbyshire. All rights reserved.