Unsupported, but nice: Customize Forms-based logon page in your ISA Server 2004
Did you know that you can customize the Forms-based logon (FBA) page for OWA users in your ISA Server 2004? Yes. You can!
First, a little bit of theory.
Forms-based authentication is a more secure way to authenticate users to your web sites than classic Basic authentication, and it can be used for sites other than Exchange as well. There are several good reasons to use FBA together with ISA Server 2004 firewalls to protect web servers.
For example, consider the following:
- If the session is inactive for a period of time, the session will expire. The only way to gain access again is to re-authenticate.
- Users can no longer click the Remember my password check box in Internet Explorer.
- Like the session inactivity setting, if you log out, you really log out. The only way to gain access again is to re-authenticate.
- Previously in Exchange 2000, the user had to complete the logout session by closing the browser window.
- ISA Server 2004 firewalls can use FBA without being a member of the Active Directory domain. The ISA firewall can carry out pre-authentication via the RADIUS protocol (with the help of http://support.microsoft.com/default.aspx?scid=kb;en-us;884560).
- After a user types the username and password into the logon page, the ISA firewall validates this data and, if it is valid, forwards the credentials in Basic authentication format to the protected web server.
- Note that this communication is not secure: Basic credentials are only Base64-encoded, not encrypted. You should protect the path between the ISA firewall and the web server with SSL or IPSec encryption.
- You can also use FBA pre-authentication on the ISA firewall for access to other IIS web servers, SharePoint sites, etc. The challenge in these cases is that you have to offer a consistent and non-confusing logon page.
In this article I will describe how to change the look of the FBA page and localize its welcome text.
You have to be careful because Microsoft technical support does not support this procedure. I’ve tested it and it works and looks very nice. So test it out and give it a try!
When using Forms-based authentication as an authentication method for the Web listener, the ISA firewall displays the following window:
It looks good and offers Forms-based logon for OWA users; so far, so good.
However, you might want to provide a different user experience. For example, you can see a modified page in the following picture:
Now when you use Forms-based authentication logon for other web sites, your users won’t be confused by the "OWA like" logon page. Well, I am not a very good web designer but … it works. 🙂
How to modify source files used for the FBA page:
- After a default installation, the ISA Server 2004 system files are placed in c:\program files\Microsoft ISA Server. The files used for the Forms-based logon page are placed in the subdirectory called CookieAuthTemplates. First of all, back up this subdirectory! Simply copy and paste it somewhere.
- The subdirectory contains the files for IE and non-IE browsers, the image files, and a text file with the comments and texts that are displayed on the FBA page.
- Now you can modify LogonMSIERich.htm, strings.txt and the corresponding image files. It is more about web page editing than configuring the firewall.
- You should modify the other .htm files as well, for example LogoffMSIERich.htm, LogonNotMSIERich.htm, etc. It depends on your requirements.
- Don’t change the names of the source files and don’t add any lines to strings.txt. Otherwise the firewall services won’t start.
How to replace the original files:
- Just copy the newly modified files to the c:\program files\Microsoft ISA Server\CookieAuthTemplates directory.
- Restart the Microsoft Firewall service (fwsrv).
- When the Microsoft Firewall service starts, all the new files are loaded and used by the ISA Server.
The next time you access a page protected by the ISA firewall, you will see the new design.
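
One way to script the backup, the two rules above (no renamed files, no added lines in strings.txt) and the service restart, as an added PowerShell example that is not part of the original article. The staging and backup folders are assumed paths, and rejecting any new file is a conservative reading of the renaming rule.

```powershell
param(
    [string]$Live       = 'C:\Program Files\Microsoft ISA Server\CookieAuthTemplates',
    [string]$Staging    = 'C:\FBA-Staging',   # assumption: folder holding the edited copies
    [string]$BackupRoot = 'C:\FBA-Backup'     # assumption: where backups are kept
)
$ErrorActionPreference = 'Stop'

# Return the paths of all files under $Root, relative to $Root.
function Get-RelativeFiles([string]$Root) {
    $base = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($base.Length + 1) }
}

$liveFiles   = @(Get-RelativeFiles $Live)
$stagedFiles = @(Get-RelativeFiles $Staging)

# Check 1: source files must keep their names, so every staged file has to
# match an existing live file (conservative: brand-new files are rejected too).
$unknown = @($stagedFiles | Where-Object { $liveFiles -notcontains $_ })
if ($unknown.Count -gt 0) {
    throw "Staged files with no counterpart in the live directory: $($unknown -join ', ')"
}

# Check 2: an edited strings.txt must keep the original line count.
foreach ($rel in @($stagedFiles | Where-Object { (Split-Path $_ -Leaf) -eq 'strings.txt' })) {
    $before = @(Get-Content (Join-Path $Live $rel)).Count
    $after  = @(Get-Content (Join-Path $Staging $rel)).Count
    if ($after -ne $before) { throw "$rel has $after lines, the original has $before." }
}

# Back up the live directory under a timestamped name before touching it.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$backup = Join-Path $BackupRoot ('CookieAuthTemplates-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
Copy-Item -Path $Live -Destination $backup -Recurse

# Deploy file by file, then restart the Microsoft Firewall service to reload them.
foreach ($rel in $stagedFiles) {
    Copy-Item -Path (Join-Path $Staging $rel) -Destination (Join-Path $Live $rel) -Force
}
Restart-Service -Name fwsrv -Force
```

If the service fails to start afterwards, copy the files from the timestamped backup folder back into CookieAuthTemplates and restart fwsrv again.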