Adding reCAPTCHA Validation To Your Outlook Web App 2010 Forms-Based Authentication Logon Page

[ 31 ] Comments

I have written Outlook Web App Captcha articles before, but since I recently encountered the reCAPTCHA utility, I thought it would be an interesting exercise to see if I could somehow incorporate that into the OWA 2010 Forms-Based Authentication (FBA) logon screen (if anyone’s interested in doing it with older versions, you’ll need to let me know).

If you want to try it yourself, you’ll need to go to the reCAPTCHA site, and get a Public key and a Private key for your web site.  These will be used in the code that we add to the FBA logon code.

ReCAPTCHA validates user input by posting it to the Google reCAPTCHA validator.  We need to create an XMLHTTPRequest requester (using JavaScript) to POST the user input to Google.  The first problem I encountered was that XMLHTTPRequest refuses to POST data to a different site other than the one you’ve loaded the current page from.  This, apparently, is thanks to a security policy called the Same Origin Policy.  This means we need to create an additional page on our own server to act as a proxy, and do the POSTing for us.  This extra page returns a success or fail code to the FBA page, telling it whether to proceed with the logon, or not.  It turns out that this has the added benefit of us not having to put our private key in the source for the FBA page (thus making it no longer really private).

So, first we create this additional ‘proxy’ page on our server.  I put it in my C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth folder (along with the existing FBA files).  I called it Recaptcha.aspx, and it has the following contents (created in Notepad).  Note that you should use your own reCAPTCHA PRIVATE key where it says “6LfPH…”.

<% @ Page AspCompat=True Language = "VB" %>
' Put your own private key in the next line
Dim strPrivateKey As String = "6LfPH..."
Dim strRemoteIP As String = ""
Dim strChallenge = Request("challenge")
Dim strResponse = Request("response")
Dim objWinHTTP As Object
objWinHTTP = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objWinHTTP.Open("POST", "", False)
objWinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
Dim strData As String = "privatekey=" & strPrivateKey & _
  "&remoteip=" & strRemoteIP & _
  "&challenge=" & strChallenge & _
  "&response=" & strResponse
Dim strResponseText = objWinHTTP.ResponseText

Note that Google currently seem to accept anything in that remoteip value.  Next, make a backup of the logon.aspx file in the same folder, because we now need to open, and amend, it using Notepad.  First, find the <form> tag by searching (using CTRL-F) for text “<form”.  When you find it, change it’s action attribute to an empty string, like this (I’m only showing the first part of the line):

<form action="" method="POST" name="logonForm" ENCTYPE=

Then, search for the text basicExplanationContent.  You should find it in a block like this:

                <td><%=basicExplanationContent %></td>
            <% } %>
<% } %>

Immediately after that last line, insert the following code. Again, note that instead of 6LfPH…, you should insert your own reCAPTCHA PUBLIC key:

<script type="text/javascript">
function myClkLgn()
  var oReq = new XMLHttpRequest();
  var sChallenge = document.getElementById("recaptcha_challenge_field.value");
  var sResponse = document.getElementById("recaptcha_response_field.value");
  var sData = "challenge=" + sChallenge + "&response=" + sResponse;"GET", "/owa/auth/recaptcha.aspx?" + sData, false);
  if (oReq.responseText.indexOf("true") != -1)
    document.forms[0].action = "/owa/auth.owa";
    alert("Invalid captcha response");
<script type="text/javascript" src="">
<iframe src="" height="300" width="500" frameborder="0">
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
<input type="hidden" name="recaptcha_response_field" value="manual_challenge">

Nearly there, now.  Search for the text “clkLgn”.  You’ll find it on a line that ends like this:

(Strings.IDs.LogOn) %>" onclick="clkLgn()"

Change it to read

(Strings.IDs.LogOn) %>" onclick="myClkLgn()"

so that it calls our added code (above) when the user submits the form.  Save the file, close Notepad, and that should be it.  Your FBA logon page should now look like this:

31 Responses to Adding reCAPTCHA Validation To Your Outlook Web App 2010 Forms-Based Authentication Logon Page

  1. Bintang says:

    Hi, thank you for the tutorial. What does RemoteIP refer to, is it owa public IP?

    • admin says:

      Hello BIntang. From what I can find out, remoteip is meant to be the client IP address. All examples I can find that actually use it send the server variable REMOTE_IP.

    • JG says:

      As far as I know, Google accepts any IP address as “RemoteIP”, but it’s best to submit the real client IP because they’re able to adjust CAPTCHA’s complexity based on this parameter.

      E.g. words become harder to read after multiple unsuccessful retries from the same remote IP.

  2. EN says:


    is any additional code if the server need a proxy to access ?


  3. AS says:

    Hello! I tested adding reCaptcha to our OWA Site. Recaptcha is visible but unfortunately when i resolve the captcha and i click on “Sign in” nothing happens. A new Captcha is generated but login is not possible. Any ideas?

    • admin says:

      Hello Andreas. Does it show the popup message to say the attempted solution is incorrect, or does it just go straight to a new set of words?

      after the line
      var sResponse = document.all.recaptcha_response_field.value;
      try inserting

      Does it show your response in a popup dialog box?

      • Andreas says:

        Hi! No, it happens nothing except a new set of words. I’ve inserted the alert-line and tried to login: Nothing. No Alert Popup is shown (IE and Firefox) :(

  4. Moshe Kaplan says:

    It looks like a very nice solution.
    Yet, end user can easily avoid the Captcha by manually setting the form action value and submit the user/password.
    Do you have any solution for that?

    Keep Performing,
    Moshe Kaplan

    • admin says:

      I suppose you might do something with cookies. Set a cookie on the login page, and check for its presence on the Startpgage.aspx page. But the captcha thing is only really there to prevent an automated login attempt. If a real person is attempting to login, it would just be easier for them to supply the requested word, than change the page source, which I suppose you might do in a javascript console, or object inspector, or whatever your browser offers.

      Ultimately, I don’t think you can defeat a determined attempt, only the crude ones.

  5. Ruben Zachetti says:

    I was traying to made this function to OWA Exchange 2007.

    but Dosen’t

    y just made this Little change to adapt

    document.forms[0].action = “/owa/owaauth.dll”;

    dosen’t work

    • admin says:

      OWA 2007 is a little different. Try just “owaauth.dll” instead of “/owa/owaauth.dll” .

      • Ruben Zachetti says:

        Thanks for the Help,

        I made the change, dosen’t Work.

        document.forms[0].action = “owaauth.dll”;

        Simply, dont appear a web, just a window asking for usar and pass.

        only the first time the user Access to the account shown a web, the next time. just a window asking user and pass.

        my regards,

        • admin says:

          Can you find the iis log file entries generated when you try to use it? Maybe the permissions on the recaptcha.aspx file don’t allow an anonymous iis user to access it without logging in first. Because these files are all accessed by the remote user before they log in, that means they need to allow anonymous access.

          Anyway, the iis log file entries should make things clearer.

  6. Ruben Zachetti says:

    2014-02-20 18:16:07 W3SVC1 GET /owa/ – 443 – Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.2;+WOW64;+Trident/6.0) 401 2 2148074254

    i think that its the only record about.

    some idea ?

    • admin says:

      There should be a lot more after that line. That is just the first GET request, and the server replies that it now requires the user to log in. If you have FBA enabled, than you should see a request from the client asking the server for the logon form.

  7. opedro says:

    Hi i trie to put our OWA with this recaptach, everything works the captach is displayed but allways have one popup with “invalid captcha response”

    can someone help me to solve this question.

    thanks to all

  8. opedro says:

    hi can someone help me
    i trie to implement this recaptach on OWA exchange 2010 ( full updated )
    the problem is that allways have the popup ” invalid captcha response ” some think is not working anda can´t logon.

    • admin says:

      That message usually means that the letters you typed were incorrect. I think that if it was not working, you would probably not see any popup at all. One problem with reCAPTCHA is that the letters can be very hard to read (because they are supposed to be). At the moment, I can only suggest that you use the refresh button near to the captcha letters to get a different set of words from Google (the article uses Google’s reCAPTCHA add-in described at ).

      • opedro says:

        we trie all that you refer, but whitout luke.

        we put popups to view the words that is inserted and everything is correct.

        the only think thar we have some doubt is the remote IP.

        this remote IP is the public IP of the OWA machine or the IP from client connect to this service.

        thanks for your help

        • admin says:

          According to this , it’s the user’s IP address. At the time of writing, my experiments seemed to indicate that the Google end of the recaptcha process didn’t care what you put in there, but that they might make it a bit stricter in future. Perhaps they did make it stricter, in which case you’ll need to use the REMOTE_ADDR server variable.

  9. Agk says:

    hi admin,
    I tried to deploy your solution, the response is like Ruben explain. that is the iis log,
    2014-03-27 12:46:05 ::1 POST /owa/auth/logon.aspx url=http://localhost/owa/&reason=0 80 – ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 15

    As I understand, the status is 200, there is a problem with captcha.

    • admin says:

      What do you see? The first problem that Ruben described was seeing the grey login popup. Do you see that too? Are you also, like Ruben, trying to do it with Exchange 2007.

      The 200 status means that the logged request worked okay, but I don’t think you should see a POST to logon.aspx. You normally see a GET to logon.aspx, and then the POST goes to auth.owa (for OWA 2010) or owaauth.dll (for OWA 2007).

  10. Yavuz says:

    Thanks for tutorial.
    While trying to login owa with recaptcha on mobile phone, logon page reloads again and i cant login to page.
    But on PC, everything is ok except firefox.
    Help please.

    • admin says:

      Does Firefox do the same as the mobile phone? If so, then it will probably be easier to debug on Firefox (I’ve no idea how you’d do it on a phone). I don’t use Firefox much. Does it have a debugger? Have you tried it in Chrome? That’s very good for debugging. Unless, of course, it works okay in Chrome, in which case, debugging won’t help.

      If you can find the Firefox (or Chrome) debugger, try adding a breakpoint to the line that says

      var oReq = new XMLHttpRequest();

      and see if it ever hits the breakpoint when you try to log in.

  11. Yavuz says:

    Owa with recaptcha, doesn’t work on Iphone, windows and android phone.
    When trying login on mobile phone, I am not a robot check box gets green, after click login buton, page redirect owa login page again.

  12. Yavuz says:

    Yes, it works from desktop browser. But doesn’t work on mobile.

    • admin says:

      Hm. Well, I have no idea how to debug this from a mobile phone. But I can see something that might break it. I have changed the code in the article. Try changing the lines that include


      to use


      You can see the two changed lines if you go back to the article.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>