Adding Google no-captcha reCAPTCHA Validation To Your Microsoft Exchange 2013 Outlook Web App Forms-Based Authentication Logon Page

[ 35 ] Comments

Having already written an Outlook Web App reCaptcha article for Exchange 2010, I thought I’d try it with Exchange 2013. Here are the results.

If you want to try it yourself, you’ll need to go to the reCAPTCHA site, and get a Public key and a Private key for your web site. These will be used in the code that we add to the FBA logon code.

ReCAPTCHA validates user input by posting it to the Google reCAPTCHA validator. We need to create an XMLHTTPRequest requester (using JavaScript) to POST the user input to Google. The first problem I encountered was that XMLHTTPRequest refuses to POST data to a different site other than the one you’ve loaded the current page from. This, apparently, is thanks to a security policy called the Same Origin Policy. This means we need to create an additional page on our own server to act as a proxy, and do the POSTing for us. This extra page returns a success or fail code to the FBA page, telling it whether to proceed with the logon, or not. It turns out that this has the added benefit of us having to put our private key in the source for the FBA page (thus making it no longer really private).

So, first we create this additional ‘proxy’ page on our server. I put it in my C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth folder (along with the existing FBA files). I called it Recaptcha.aspx, and it has the following contents (created in Notepad). Note that you should use your own reCAPTCHA PRIVATE key where it says “6LfPH…”.

<% @ Page AspCompat=True Language = "VB" %>
' Put your own private key in the next line
Dim strPrivateKey As String = "6LfPH..."
Dim strResponse = Request("response")
Dim objWinHTTP As Object
objWinHTTP = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objWinHTTP.Open("POST", "", False)
objWinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
Dim strData As String = "secret=" & strPrivateKey & _
  "&response=" & strResponse
Dim strResponseText = objWinHTTP.ResponseText

Next, make a backup of the logon.aspx file in the same folder, because we now need to open, and amend, it using Notepad. First, find the <form> tag by searching (using CTRL-F) for the text “<form”. When you find it, change it’s action attribute to an empty string, like this (I’m only showing the first part of the line):

<form action="" method="POST" name="logonForm" ENCTYPE=

Then, search for the text showPasswordCheck checkboxLabel. You should find it in a line that begins like this:

<div class="showPasswordCheck checkboxLabel">

Immediately after the closing </div> a few lines later, insert the following code. Again, note that instead of 6Le8H…, you should insert your own reCAPTCHA PUBLIC key:

<script type="text/javascript">
function myClkLgn()
  var oReq = new XMLHttpRequest();
  var sResponse = document.getElementById("g-recaptcha-response").value;
  var sData = "response=" + sResponse;"GET", "/owa/auth/recaptcha.aspx?" + sData, false);
  if (oReq.responseText.indexOf("true") != -1)
    document.forms[0].action = "/owa/auth.owa";
    alert("Invalid captcha response");
    return false;
<script src="" async defer></script>
<div class="g-recaptcha" data-sitekey="6Le8H....."></div>

Nearly there, now. Search for the text “clkLgn”. You’ll find it on a line that starts like this:

<div class="signInEnter"><div onclick="clkLgn()"

Change it to read

<div class="signInEnter"><div onclick="return myClkLgn()"

so that it calls our added code (above) when the user submits the form. Save the file, close Notepad, and that should be it.

35 Responses to Adding Google no-captcha reCAPTCHA Validation To Your Microsoft Exchange 2013 Outlook Web App Forms-Based Authentication Logon Page

  1. Anonymous says:

    I did everything, but still shows me the same page, there is something extra to do

  2. angel medina says:

    I did everything, but still shows me the same page, there is something extra to do

  3. angel medina says:

    I did everything, but still shows me the same page, there is something extra to do???

    • admin says:

      Does it show you the ‘Invalid Captcha Response’ message? Or does it just sit there, apparently doing nothing?

  4. Daniel Leung says:

    I have the same problem as Angel Medina. There is no show the Captcha. In addition, there is different on this.

    You have this

    I have this

    My Exchange Server is SP1

  5. Daniel Leung says:

    You have this

    “showPasswordCheck checkboxLabel”

    I have this

    “showPasswordCheck signInCheckBoxText”

  6. Daniel Leung says:

    As requested, I send the logon.aspx to the email shown above.

  7. daniel leung says:

    I think those code is for Classic ASP (.asp) not ASP.NET (.aspx)
    I read some of the website like

    I found the order as similar as Classic ASP. The Exchange 2013 is using ASP.NET. It might be a problem.

    • admin says:

      Hi Daniel. The code in the Recaptcha.aspx is VB.Net running under ASP.Net . The code added to the logon.aspx file is JavaScript.

  8. John says:

    Has there been any update to this???
    I also have “showPasswordCheck signInCheckBoxText”

    and I have pasted the code in although the page loads just as it always has without the captcha and you cannot login probably due to the fact that the call to the function isn’t working.

    • admin says:

      Hi John. I think I ended up solving that issue (showPasswordCheck signInCheckBoxText) by email with the poster, and never got around to putting the resolution here. I’ll see if I can work out what I did.

  9. John says:

    Thanks! Looks forward to an update on this post. I am currently running Exchange 2013 with the latest Cumulative Update 10 available as of this comment post. I believe Google has also updated their recaptcha stuff a bit since this post.

  10. Peter Hatzis says:

    Hello. Is there an update for Exchange 2013 CU 9? It doesn’t seem to work. Captcha doesn’t appear in OWA logon screen.

  11. Peter Hatzis says:

    Hello. Sorry for the late reply. You updated the article? Is there a link with new instructions for the implementation?

    • admin says:

      It’s the same article. I didn’t want to leave the old one unchanged, since Google have made changes that mean the old procedure won’t work any more. The procedure in the new article works fine here, but you may find that something needs changing to get it to work in your own environment. Sometimes it’s hard to get something that works correctly first time in every setup, and it’s only be getting feedback that the solution becomes more general.

  12. Peter Hatzis says:

    Hi. I tested again but nothing. Can’t find showPasswordCheck checkboxLabel in the logon.aspx file. Only but not sure where to place the code after that. Is the below correct?

    function myClkLgn()

  13. B2H says:

    When I disable java script on browser, it can login without captcha?
    Could you fix this code ?

    • admin says:

      Okay, I’ll take a look.

    • admin says:

      Hello again B2H. Can you tell me where you disabled javascript in your browser? If I do it here, I can’t even get it to display the login page at all. I just get a warning that I need to enable javascript to use OWA. Perhaps I am trying a different setting to you?


  14. Ed C says:

    I can confirm that this is working (kinda) in Exchange 2016 CU1. The only difference is that I put the JS code after the closing div for div class=”showPasswordCheck signInCheckBoxText”.

    However, one scenario where it is an issue is where the user does the following:

    #1. Verifies the captcha first.
    #2. Fills in the username and password.
    #3. Presses Enter after the password.

    It seems like the JS onclick isn’t executed and then the form just clears out. I’m not sure if this is an issue on other versions,

    There is an interesting line where:
    div class=”hidden-submit”
    input type=”submit” tabindex=”-1″/

    I tried onclick and onsubmit on there with no success. Any ideas?

    • admin says:

      onclick might have worked there, but onsubmit is an attribute of the form, not the input control. Try using the IE debugging console F12 to see how the code execution goes.

  15. Ed C says:

    I figured it out. I had to relocate the myClkLgn script to before the form. It looks like (atleast in EX2016) that there’s a JS function that monitors for the enter button. So I change
    div id=”lgnDiv” class=”logonDiv” onKeyPress=”return checkSubmit(event)”
    div id=”lgnDiv” class=”logonDiv” onKeyPress=”if (event.keyCode==13) {myClkLgn();}”
    Works nice now with the desired enter effect in all browsers. Page still reloads if the captcha isn’t filled out after the alert box (on certain browsers) but I can live with that.

  16. Ed C says:

    My only problem now is to figure out how to teach people how to use the captcha. :(

  17. Pheakdey THON says:

    My company requires me to add google recaptch on exchange owa 2013. I read the tutorial above and another a lot. but I still can’t configure it on exchange owa 2013. Please anyone help me

  18. Lisa Deo says:

    I have followed the instructions as above. Re-captcha works BUT the users can still login to OWA even without going through re-captcha. May i know how can i restrict this or make users go through re-captcha first before actual OWA sign-in?

  19. Anonymous says:

    I have sent the email to you with attached Logon.apsx file.

  20. Masab Raghib says:

    Has somebody managed to get captcha successfully implemented ?

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>