leederbyshire.com  Mobile web applications for Microsoft Exchange Server.

Exchange 2010 OWA FBA Captcha

How To Add A Captcha Input To The Outlook Web Access 2010 Forms-Based Authentication Login Page

Back to Articles page

You can read an updated version of this article that uses Google's reCAPTCHA validator by clicking HERE

This article explains how to add a CAPTCHA image to the Exchange 2010 Outlook Web Access Forms-based Authentication logon page. Please note that I don't make any claims regarding the effectiveness of this particular solution (which is presented only as an academic example), or of CAPTCHA in general. Having said all that, if CAPTCHA is something that you want to try with your OWA, read on.

A typical CAPTCHA image.

I am using a freely available CAPTCHA script written by Jonathan Feaster, which is available for download from Archreality. This script uses JavaScript, and unlike some other solutions has the advantage of not requiring a second .aspx page to process the form input. The validation is done by the user's browser before the credentials are sent to the OWA server. Any CAPTCHA scripts which require a second page will not work with FBA, since there is no opportunity to insert anything between the logon page and the OWA GUI.

Extract the files to a suitable location on the server. There are two .js files, and a folder named cimg, which contains the captcha images to be displayed on the logon page. Place the entire extracted jcap folder in the C:\Program Files\Microsoft\Exchange Server\v14\ClientAccess\Owa\auth folder.

The extracted jcap files in the auth folder

Use Explorer to locate the logon.aspx file that creates the FBA logon page. This is inside the same auth folder that you just placed the jcap folder into. Before doing anything else, make a backup copy of the logon.aspx file. Right-click it, then select Copy, then right-click the folder, and then select Paste. This creates a copy of your logon.aspx file named 'logon - Copy.aspx'. If your modifications are unsuccessful, you will need to revert to this original file to restore FBA functionality. Open the logon.aspx using Notepad. I'm going to insert the image just above the 'Public Computer' radio button, so press F3 and search for the text rdoPblc. Assuming that you successfully found the text, insert the following just before the <tr> tag that precedes it:

  <script type="text/javascript" language="javascript" src="jcap/md5.js"></script>
  <script type="text/javascript" language="javascript" src="jcap/jcap.js"></script>
  <script type="text/javascript" language="javascript">
  function doJcap()
  if (jcap() == true)
  {document.forms[0].action = "/owa/auth.owa"; return true;}
  return false
  <tr><td colspan="2" align="center">

  Enter the code as it is shown below

  <script language="JavaScript">sjcap();</script>
  <noscript>This resource requires a JavaScript enabled browser</noscript>

The modified file should look something like this:

The amended contents of logon.aspx in Notepad

Press CTRL-HOME to go back to the top of the file, and then press CTRL-F, and search for the text <form (without a closing angled bracket). Assuming that you successfully found the form tag, remove its action attribute and replace it with the following text:

  onsubmit="return doJcap();"

More amendments in Notepad

Now save the file back to disk, and close Notepad. All that is required now is a small change to the jcap.js file that was saved in C:\Program Files\Microsoft\Exchange Server\v14\ClientAccess\Owa\auth\jcap. Right-click the jcap.js file, and select Edit. It should open in Notepad. On the line that begins with var imgdir, you need to change the path to point to the current location of the cimg folder. Change it so that the beginning of the line looks like this:

  var imgdir = "/owa/auth/jcap/cimg/";

Defining the path to the image files

Save the file, and we're finished. The next time you open the FBA logon page, it should look something like this. Also shown is the alert message displayed if the typed text does not match the CAPTCHA text.

Internet Explorer
The modified FBA logon page in IE

Outlook Web With WAP
Copyright © 2018 Lee Derbyshire. All rights reserved.