Adding Google no-captcha reCAPTCHA Validation To Your Microsoft Exchange 2010 Outlook Web App Forms-Based Authentication Logon Page
In this article, I will describe how to add the new no-captcha reCAPTCHA widget to your Outlook Web App 2010 Forms-based Authentication page. I am not entirely sure that it makes it any more secure, but many people are nevertheless interested in doing it, so here goes…
If you want to try it yourself, you’ll need to go to the reCAPTCHA site and get a public key and a private key for your web site. These will be used in the code that we add to the FBA logon page. I am not sure if older keys (generated for the original version of reCAPTCHA) are still compatible. My first experiment with this suggests that they might not be. Remember when you create the key that you must use the public name for your OWA site, and then use that name in your URL when doing your testing. You can’t generate a key for one server name and then use a different one in your URL – reCAPTCHA will complain.
So, first we create this additional ‘proxy’ page on our server. I put it in my C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth folder (along with the existing FBA files). I called it Recaptcha.aspx, and it has the following contents (created in Notepad). Note that you should use your own reCAPTCHA PRIVATE key where it says “6Le8H…”.
<% @ Page AspCompat=True Language = "VB" %>
<%
' Put your own private key in the next line
Dim strPrivateKey As String = "6Le8H....."
' The reCAPTCHA response token passed in by the logon page
Dim strResponse As String = Request("response")
Dim objWinHTTP As Object
objWinHTTP = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
' Synchronous POST to Google's verification endpoint
objWinHTTP.Open("POST", "https://www.google.com/recaptcha/api/siteverify", False)
objWinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
' URL-encode both values so the client-supplied token cannot add or alter form fields
Dim strData As String = "secret=" & Server.UrlEncode(strPrivateKey) & _
    "&response=" & Server.UrlEncode(strResponse)
objWinHTTP.Send(strData)
' Return Google's JSON verdict to the caller
Dim strResponseText As String = objWinHTTP.ResponseText
Response.Write(strResponseText)
%>
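Why the token should be URL-encoded before it is appended to the POST data, and what a strict check of Google's JSON reply looks like, modelled in Python so it runs offline. This is an added example, not the author's code; `EXPECTED_HOST`, the function names and all sample values are assumptions constructed for illustration.

```python
# Added example: models the proxy page's POST body and a strict verdict check.
import json
from urllib.parse import urlencode, parse_qs

EXPECTED_HOST = "mail.example.com"  # assumption: the public name of your OWA site


def naive_body(secret, token):
    """Plain string concatenation with no encoding of either value."""
    return "secret=" + secret + "&response=" + token


def encoded_body(secret, token):
    """Percent-encodes both values, so each stays inside its own field."""
    return urlencode({"secret": secret, "response": token})


def fields(body):
    """Parse a form body the way the receiving server would."""
    return parse_qs(body, keep_blank_values=True)


def verdict_ok(response_text, expected_host=EXPECTED_HOST):
    """Accept only well-formed JSON with success == true for our own host."""
    try:
        verdict = json.loads(response_text)
    except ValueError:
        return False
    if not isinstance(verdict, dict):
        return False
    return verdict.get("success") is True and verdict.get("hostname") == expected_host


if __name__ == "__main__":
    secret = "PRIVATE-KEY-PLACEHOLDER"       # constructed placeholder
    token = "abc123&remoteip=203.0.113.7"    # constructed client-supplied value
    print(fields(naive_body(secret, token)))    # token splits into two fields
    print(fields(encoded_body(secret, token)))  # token stays one field
    good = '{"success": true, "hostname": "mail.example.com"}'
    bad = '{"success": false, "error-codes": ["invalid-input-response"]}'
    print(verdict_ok(good), verdict_ok(bad))
```

The same two rules carry over to the VB page: encode anything taken from `Request` before building the POST data, and treat anything other than an explicit `success: true` for your own host name as a failure.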
Next, make a backup of the logon.aspx file in the same folder, because we now need to open, and amend, it using Notepad. First, find the <form> tag by searching (using CTRL-F) for text “<form”. When you find it, change its action attribute to an empty string, like this (I’m only showing the first part of the line):
<form action="" method="POST" name="logonForm" ENCTYPE=
Then, search for the text basicExplanationContent. You should find it in a block like this:
<td><%=basicExplanationContent %></td>
</tr>
<% } %>
</table>
</td>
</tr>
<% } %>
<tr><td><hr></td></tr>
Immediately after that last line, insert the following code. Again, note that instead of 6Le8H…, you should insert your own reCAPTCHA PUBLIC key:
Nearly there, now. Search for the text “clkLgn”. You’ll find it on a line that ends like this:
(Strings.IDs.LogOn) %>" onclick="clkLgn()"
Change it to read
(Strings.IDs.LogOn) %>" onclick="return myClkLgn()"
so that it calls our added code (above) when the user submits the form. Save the file, close Notepad, and that should be it. Your FBA logon page should now look like this: