Customizing the Outlook Web Access Logon Page

Tópico modificado em: 2005-03-21

In Microsoft® Exchange Server 2003, a new authentication mechanism was introduced for Microsoft Office Outlook® Web Access for Exchange Server 2003. Forms-based authentication provides a central Web logon screen for users to authenticate through. When you use forms-based authentication, your logon credentials are stored in a temporary cookie. Storing these credentials in a cookie provides a more secure mechanism for ensuring session logout and automatic timeout.

This topic provide information intended to help Exchange administrators customize their logon page so that it fits their organization’s needs.

Important Note About Customizing Outlook Web Access

This topic describes changes that developers can make to, among other objects, Outlook Web Access source .asp, .css, .htc, .js, and .xsl files that exist in the \Exchweb folder. Be aware that any changes you make to these objects will be undone or will not work properly when you install service packs. Also, Microsoft Developer Support cannot support customization to these Outlook Web Access objects.

Enabling Forms-based Authentication

Before you start customizing the logon page, you should enable forms-based authentication (FBA) on your test server.

To enable forms-based authentication

  1. Open Exchange System Manager.

  2. Navigate to the HTTP protocol.

  3. Right click the Exchange Virtual Server, and then click Properties.

    Dica

    Forms-based authentication can be set on any Exchange Virtual Server that you have on your server; these examples assume the default settings.

    Vá para as Propriedades do Servidor Virtual para habilitar a autenticação baseada em Formulários

  4. On the Settings tab, select Enable Forms Based Authentication.

    Reinicie o IIS a partir da guia Propriedades dos Servidores Virtuais

  5. Restart Microsoft Internet Information Service (IIS).

Dica

Forms-based authentication requires that Secure Sockets Layer (SSL) be configured on your server running IIS. For debugging purposes, Outlook Web Access offers a way to enable FBA through normal HTTP.

Aviso

Do not deploy this procedure into a production environment or your user logon information will be sent in an unencrypted state.

Aviso

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

To configure forms-based authentication to work without SSL for your development environment

  1. Open Registry Editor.

  2. Go to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb

  3. If it does not exist already, add an OWA subkey to this key.

  4. Under the OWA subkey, add a DWord value named AllowRetailHTTPAuth.

  5. Set the value of this DWord to 1.

Premium Logon Page

The following figure displays the standard premium client logon page.

Página de logon do OWA Premium

Premium clients are defined as Microsoft Internet Explorer 5.01 and later versions.

Basic Logon Page

The following figure displays the basic client logon page.

Página de logon do OWA Basic

Basic clients are defined as Internet Explorer version 5 and earlier and other non-Microsoft browsers.

Changing the Basics

The most common things that organizations want to change are the strings and graphics on the logon page.

String Changes

The logon page was designed so that changing the strings would not be difficult. All strings in the page are defined at the top of the logon.asp file as constants.

To assist you in determining which strings to change, use the following table.

ID Const Comment

1

L_LoginButton_Text

Logon button caption

2

L_WindowTitle_Text

Logon page title

3

L_ImgAlt_Text

Alternative text for main Outlook Web Access logon page logo image

4

L_ShowUITitle_Text

Client options group text label

5

L_ShowDetail_Text

“what’s this” help text expand link

6

L_HideDetail_Text

“hide explanation” help text collapse link

7

L_ShowSimpleUI_Text

Basic client experience label

8

L_ShowComplexUI_Text

Premium client experience label

9

L_UIDescription_Text

“what’s this” expanded explanation of the premium client

10

L_UIBasicDescription_Text

“what’s this” expanded explanation of the basic client

11

L_ShowTrustTitle_Text

Security options group label

12

L_ShowPublicUI_Text

Public computer label

13

L_ShowTrustedUI_Text

Private computer label

14

L_PublicDescription_Text

“what’s this” expanded explanation of the public computer security option

15

L_BasicTrustDescription_Text

Explanation of the private computer security option for the basic client

16

L_PremiumTrustDescription_Text

“what’s this” expanded explanation of the private computer security option

17

L_TrustWarning_Text

Warning policy message for users selecting the private computer security option

18

L_Password_Text

Label for the password input field

19

L_UserName_Text

Label for the username input field

20

L_DialogRelogon_Text

Warning message when user has timed out

21

L_DialogCloseButton_Text

 

22

L_ExpireWarning_Text

Security information regarding Outlook Web Access and time-out period at bottom of logon page

23

L_401User_Text

Unauthorized http response

24

L_LogoffUser_Text

String used to notify users that they have been logged off

25

L_RelogonUser_Text

Session expired message

26

L_ErrNoActiveScritp1_Text

No script support warning

27

L_ErrorClearCerts_Text

S/MIME error message

28

sGuid

 

29

sCmpGuid

 

30

Scheme_HTTPS

 

31

Scheme_HTTP

 

The following figure illustrates most of the major strings listed in the table.

Todas as cadeias de caracteres de texto exibidas na página de logon do OWA

Logon Page Loading

The logon page is one of several pages involved in the authentication process for Outlook Web Access users. When a user is asked to authenticate, he or she is normally redirected to the http://servername/exchange directory. This directory contains the default owalogon.asp file.

Language Redirector

The owalogon.asp file evaluates the HTTP_ACCEPT_LANGUAGE header of the browser and determines which localized version of the Outlook Web Access logon form to display. After owalogon.asp determines which version to use, the user is redirected to the logon.asp page. It is this page that this topic will cover.

Protect Your Changes during Exchange Server Updates

The owalogon.asp redirect page can also be used to isolate the changes you make to your logon.asp pages from changes that may occur when Exchange Server 2003 service packs are applied. Isolating these changes is important because, when Exchange service packs and other updates are applied, they will typically overwrite any changes that you may have made to the logon.asp file. By saving your logon.asp customizations to a different file name (for example, logon2.asp) and changing the owalogon.asp page to point to your new pages, you can reduce the changes you need to make during service pack updates. Of course, you should compare any new logon.asp pages applied during updates with your custom page to make sure that you incorporate any changes that occurred during the update back into your custom page.

To point to your custom logon page, update the two occurrences of logon.asp from the following section at the end of the owalogon.asp page.

for each szSubString in arLanguages
   szLanguage = Split(szSubString, ";", -1, 1)
   szMSFTLang = LangMap.Item(UCase(szLanguage(0)))
   for each folder in folders
      if (szMSFTLang = UCase(folder.Name)) then
         Server.Transfer("./" & folder.Name & "/logon.asp")
      end if
   next
next
Server.Transfer("./" & "USA" & "/logon.asp")

Localized Logon Pages

Outlook Web Access has a localized version of the logon.asp page for each language that is supported by Outlook Web Access. If your organization supports multiple languages in Outlook Web Access, and you make changes to logon.asp, remember to make those changes for each language that your organization supports.

Visible Logon Parameters

The logon page expects that the user will enter his or her user name in the form of either domain\username, or user principal name (UPN).

In addition to the user name, the password must be provided to successfully log on.

Other visible parameters that are transferred when the user logs on include the client experience and the security options.

Post Parameters

The logon page submits its values in a post to owaauth.dll. The following table shows the values that are supported.

Parameter Values Comment

username

String

The user logon name. Can be either UPN or domain\user.

password

String

The user password.

destination

String

Target URL for the logon page.

flags

Bitmask

Binary mask that contains logon information regarding client experience, security setting, and gzip compression support

Of these parameters, the flags parameter deserves further explanation.

Flags parameter

The flags parameter allows the enabling and disabling of certain Outlook Web Access features. In Exchange Server 2003, this parameter controls the following features.

Security Level

The logon page provides two different security settings. These settings specify whether a computer that the user is logging on to is a public computer or private computer. When a private computer is selected, the user session changes and the time-out value for his or her session is increased to the value specified in the TrustedClientTimeout registry subkey.

  • To enable this feature, perform a bitwise OR of the flags value with the binary value 0100 (decimal value = 4).
  • To disable this feature, perform a bitwise AND of the flags value with the binary value 1011 (decimal value = 11). By default, this feature is disabled.

Compression Level

Outlook Web Access supports Internet standard gzip compression. Unfortunately, not all browsers that support gzip compression do it the same way. Therefore, the logon page provides logic to determine specifically which version and software update level of Microsoft Internet Explorer is being used. If Outlook Web Access determines that a version is being used that does not provide sufficient gzip support, this feature can be disabled by using forms-based authentication and by setting the compression level flag.

  • To disable this feature, perform a bitwise OR of the flags value with the binary value 0010 (decimal value = 2).
  • To enable this feature, perform a bitwise AND of the flags value with the binary value 1101 (decimal value = 13). By default, this feature is enabled.

Client Experience

By default, Outlook Web Access provides the rich client experience for browsers that support it and the basic experience for other browsers. Some users may want to use the basic experience although their browser supports the rich experience. One scenario where a use might make this selection is to gain a performance improvement when he or she has not used Outlook Web Access on a specific computer but needs fast access to his or her Inbox.

  • To force the client experience to basic, perform a bitwise OR of the flags value with the binary value 0001 (decimal value = 1).
  • To force a client to use the premium client, perform a bitwise AND of the flags value with the binary value 1110 (decimal value = 14).

For More Information

The following resources offer additional information to help you customize the Outlook Web Access logon page.