Customizing the OWA FBA Logon Screen

There’s a reason that the OWA logon screen says to use “domain\user name” instead of just “user name,” and one of its side-effects is documented in Microsoft’s Knowledge Base article 820378 (http://support.microsoft.com/?kbid=820378).


The practical upshot of this is that if you authenticate with just a user name (without prefixing it with your domain name and a backslash), you will see this error message after trying to use the spelling checker: The spelling in this item can’t be checked. Try again later. The OWA session is then lost, and you have to log on again.


KB article 820378, mentioned above, documents how you can modify the logon.asp file on the Exchange server so that it inserts your NetBIOS domain name immediately before the form is submitted to the server. This solution works very nicely at the Exchange Server level, but one of the advantages of using the ISA firewall’s FBA feature is that it performs authentication before passing the traffic to the Exchange Server.


In other words, editing logon.asp on the Exchange server, as the Microsoft article describes, doesn’t work if you’re using ISA’s FBA.


All is not lost, though, because there is a workaround. ISA’s logon forms are located in the CookieAuthTemplates directory under the ISA Server 2004 installation directory. You’ll need to edit the strings.txt and logon_MSIERich.htm files to “fix” ISA Server’s OWA FBA logon screen. Follow these steps:



  1. Make sure to back up the CookieAuthTemplates directory. (I copied the entire directory and named it CookieAuthTemplates-backup.)
  2. Open the strings.txt file in Notepad or another editor and navigate to the line that reads 19=Domain\user name:. Remove the text Domain\ from this line.
  3. Go to the line that starts with “50=Your session has expired.” Remove the domain\ text from this line.
  4. Go to the line that starts with “51=You could not be logged on to Outlook Web Access.” Remove the “domain\” text from this line as well.
  5. Save strings.txt. (You did make a backup copy didn’t you?)
  6. Open the logon_MSIERich.htm file in Notepad or another editor.
  7. Go to the line that contains the HTML <FORM> tag (search for the text “<FORM”).
  8. Just above the <FORM> tag, insert the following lines:


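<script language="JavaScript">
<!--
// Prefix the NetBIOS domain unless the user entered a UPN (user@domain).
function logonForm_onsubmit()
{
    if (logonForm.username.value.indexOf("@") != -1)
        return true;
    logonForm.username.value = "<Your NetBIOS domain name>\\" + logonForm.username.value;
    return true; // let the form submit with the prefixed name
}
//-->
</script>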


Of course, change the text “<Your NetBIOS domain name>” to match the domain name you want to use when authenticating users.



  9. Amend the <FORM> tag so that it appears as follows:


<FORM action="/content/isa/CookieAuth.dll?Logon" method="POST" name="logonForm" autocomplete="off" onsubmit="logonForm_onsubmit();" />


Note that the only change you need to make to the line is addition of the onsubmit attribute. All together, the lines should appear like this:



<script language="JavaScript">
<!--
// Prefix the NetBIOS domain unless the user entered a UPN (user@domain).
function logonForm_onsubmit()
{
    if (logonForm.username.value.indexOf("@") != -1)
        return true;
    logonForm.username.value = "<Your NetBIOS domain name>\\" + logonForm.username.value;
    return true; // let the form submit with the prefixed name
}
//-->
</script>
<FORM action="/content/isa/CookieAuth.dll?Logon" method="POST" name="logonForm" autocomplete="off" onsubmit="logonForm_onsubmit();" />



  10. Save the logon_MSIERich.htm file. (You made a backup, right?)
  11. Stop and restart the Microsoft Firewall service.

Note that this modification is unsupported by Microsoft, so if you need to call for support, make sure that you’re using the original copies of strings.txt and logon_MSIERich.htm (you made backups right?). I also recommend copying your customized versions of strings.txt and logon_MSIERich.htm somewhere, because an ISA Server update or service pack might overwrite them.
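
The script in step 8 prefixes the domain whenever the name contains no “@”, so a user who types domain\user out of habit is submitted with a doubled prefix and the logon fails. The following is an added example, not code from this article or from Microsoft: it goes slightly beyond the script above by leaving already-qualified and empty names alone. The helper name normalizeLogonName, the extra parameters, and the sample domain CONTOSO are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not part of ISA Server or KB 820378.
// Written in plain ES3 style because the template being edited
// (logon_MSIERich.htm) is served to Internet Explorer.

// Decide what the username field should contain when the form is posted.
//   raw           - text the user typed into the username box
//   netbiosDomain - the value you would otherwise hard-code in the template
function normalizeLogonName(raw, netbiosDomain) {
    // Trim leading/trailing whitespace (String.prototype.trim is not in ES3).
    var name = String(raw == null ? "" : raw).replace(/^\s+|\s+$/g, "");

    // Empty input: submit as-is so the server shows its normal error
    // instead of receiving a bare "DOMAIN\".
    if (name === "") {
        return "";
    }
    // UPN form (user@domain): same rule as the script in step 8.
    if (name.indexOf("@") !== -1) {
        return name;
    }
    // Already qualified (DOMAIN\user): do not prefix a second time.
    if (name.indexOf("\\") !== -1) {
        return name;
    }
    return netbiosDomain + "\\" + name;
}

// onsubmit handler in the style of the page's script. The form object is
// passed in so the logic can be exercised outside a browser; in the
// template you would call it as
//   onsubmit="return logonForm_onsubmit(logonForm, 'CONTOSO');"
// where CONTOSO is a constructed sample domain name.
function logonForm_onsubmit(form, netbiosDomain) {
    form.username.value = normalizeLogonName(form.username.value, netbiosDomain);
    return true; // always allow the POST to CookieAuth.dll
}
```

Because the function leaves qualified names unchanged, running it twice on the same field gives the same result as running it once.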


For your convenience, you can download the customized strings.txt and logon_MSIERich.htm files from the web site. The only modification you need to make is the NetBIOS name placeholder text (“<Your NetBIOS domain name>”) in the logon_MSIERich.htm file.


I hope this solution makes life easier for ISA Server admins, Exchange admins, as well as the end users.
