Implementing Captcha Validation with OWA 2007 and Forms-Based Authentication

A while back, I wrote an article describing how to add a CAPTCHA image and text input field to the Outlook Web Access 2003 Forms-based Authentication logon form.  Now that Exchange 2007 is established in the marketplace, I have received a number of requests for an updated article describing how to do the same for Exchange 2007.  While the procedure is mostly similar to the OWA 2003 version, there are several important differences in the detail.

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. You will no doubt have seen this implemented in various web pages as an image of a visually distorted common word, which must be typed into an input field, thus proving that you are indeed a real person. This has become necessary to prevent the actions of bots, which roam the web looking for opportunities to inject spam into message boards, etc. Shown here in Figure 1 is an example of such an image. The idea is that a human user will recognize the word ‘part’, whereas a spambot will not.

Figure 1:
 A CAPTCHA image displaying the word ‘part’

OWA Forms-based Authentication is very secure by itself, of course, since you still need to supply valid credentials to log in, but there is still a significant amount of interest in adding CAPTCHA validation to it. Here, I will show how it can be done by modifying Exchange’s logon.aspx file. I have chosen to use a freely available CAPTCHA script written by Jonathan Feaster, which is available for download from Archreality . This script uses JavaScript, and unlike some other solutions has the advantage of not requiring a second .aspx page to process the form input; the validation is done by the user’s browser before the credentials are sent to the OWA server. Any CAPTCHA scripts which require a second page will not work with FBA, since there is no opportunity to insert anything between the logon page and the OWA GUI.


First, extract the files to a suitable place on the server. There are two .js files, and a folder named cimg, which contains the word images to be displayed on the logon page. Place the entire extracted jcap folder in the C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth folder as shown in figure 2:

Figure 2:
 The extracted jcap files in the auth folder

Next, use Explorer to locate the logon.aspx file that creates the FBA logon page. This is inside the same auth folder that you just placed the jcap folder into. Before doing anything else, make a backup copy of the logon.aspx file. Right-click it, then select Copy, then right-click the folder, and then select Paste. This creates a copy of your logon.aspx file named ‘Copy of logon.aspx’ . If your modifications are unsuccessful, you will need to revert to this original file to restore FBA functionality.  Now, open the logon.aspx using Notepad. I’m going to insert the image just above the ‘Public Computer’ radio button, so press F3 and search for the text rdoPblc . Assuming that you successfully found the text, insert the following just before the preceding <tr> tag:

<script type=”text/javascript” language=”javascript” src=”jcap/md5.js”></script>
<script type=”text/javascript” language=”javascript” src=”jcap/jcap.js”></script>
<script type=”text/javascript” language=”javascript”>                                                                                                                function doJcap()
if (jcap() == true)
{document.forms[0].action = “owaauth.dll”; return true;}
return false
<tr><td colspan=”2″ align=”center”>

Enter the code as it is shown below

<script language=”JavaScript”>sjcap();</script>
<noscript>This resource requires a JavaScript enabled browser</noscript>

The result should look something like figure 3:

Figure 3:
 The amended contents of logon.aspx in Notepad

Next, press CTRL-HOME to go back to the top of the file, and then press CTRL-F, and search for the text <form (without a closing angled bracket). Assuming that you successfully found the form tag, remove its action attribute and replace it with the following text:

onsubmit=”return doJcap();”

This part of the page should now look like that shown in figure 4:

                                                 Figure 4: The modified <form> tag

Now save the file back to disk, and close Notepad. All that is required now is a small change to the jcap.js file that was saved in C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth\jcap . Right-click the jcap.js file, and select Edit.  It should open in Notepad. On the line that begins with var imgdir, you need to change the path to point to the current location of the cimg folder. Change it so that the beginning of the line looks like this:

var imgdir = “/owa/auth/jcap/cimg/”;

The complete line looks like this:

Figure 5:
 Defining the path to the image files

Save the file, and we’re finished. The next time you open the FBA logon page, it should look something like this (figure 6). Also shown is the alert message displayed if the typed text does not match the distorted text in the image when you click the Log On button.

Figure 6:
The modified FBA logon page

Please remember that due to updates made by Exchange service packs and patches, future versions of the logon.aspx file may be different to the version shown. The basic principles described should, however, remain the same.


About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top