Wednesday, November 5, 2008

Removing OWA 2007 Logon Options

A number of clients have been asking for customizations of the OWA 2007 logon page. There are several ways to customize the logon page; the one I am going to focus on here deals mainly with the option for a public logon vs. a private logon, as seen here, and with removing the choice between a public and a private computer altogether.

There are several reasons why an administrator or IT department would want to change these default settings. The first is security: removing the options makes every logon default to the public or shared computer logon. The effect is that no username information is saved on the computer (good for shared or public machines), so a would-be attacker is not handed half of the information needed to log on, and the shorter default timeout value applies in case the user forgets to log off, reducing the chance that someone else can use the session. The second reason is convenience and fewer help desk calls: with the options gone, the user no longer has to work out what type of logon terminal is being used. On networks that only allow internal access to OWA this can be made even more convenient by setting the logon page to automatically use a logon domain, so users need only enter their username rather than remembering domain\username.

With the default settings the user is given the option to choose a public or shared computer, or a private computer.

Choosing a public or shared computer gives the user a default timeout period of 15 minutes, while choosing a private computer gives a default timeout value of 8 hours.

As noted above, removing the options for choosing the type of terminal defaults the logon to public, which has the potential to aggravate users who use OWA as their primary means of email. This can be remedied by setting the cookie timeout value for the public logon, which will be addressed later in this article.

So to start, the first thing to do to remove the logon options is to modify the logon.aspx file located in the Exchange directory at "x:\exchange_path\clientaccess\owa\auth\logon.aspx". A good practice before modifying this file is to make a backup copy. To remove the options, the following code has to be removed from the file. The easiest way to do this is to look for the beginning and ending lines of the block.

<tr><td><hr></td></tr>
<tr>
  <td>
    <table <%=tblStyle%>>
      <col>
      <col class="w100">
      <tr id=trSec>
        <td colspan="2">
          <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.Security) %>
          <%=(IsRtl ? "&#x200F;" : "&#x200E;") + LocalizedStrings.GetHtmlEncoded(Strings.IDs.OpenParentheses) %>
          <a href="#" id="lnkShwSec" onclick="clkExp('lnkShwSec')">
            <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ShowExplanation) %>
          </a>
          <a href="#" id="lnkHdSec" onclick="clkExp('lnkHdSec')" style="display:none">
            <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.HideExplanation) %>
          </a>
          <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.CloseParentheses) + (IsRtl ? "&#x200F;" : "&#x200E;") %>
        </td>
      </tr>
      <tr>
        <td><input id="rdoPblc" type="radio" name="trusted" value="0" class="rdo" onclick="clkSec()" checked></td>
        <td><label for="rdoPblc"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ThisIsAPublicOrSharedComputer) %></label></td>
      </tr>
      <tr id="trPubExp" class="expl" style="display:none">
        <td></td>
        <td><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PublicExplanation) %></td>
      </tr>
      <tr>
        <td><input id="rdoPrvt" type="radio" name="trusted" value="4" class="rdo" onclick="clkSec()"></td>
        <td><label for="rdoPrvt"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ThisIsAPrivateComputer) %></label></td>
      </tr>
      <tr id="trPrvtExp" class="expl" style="display:none">
        <td></td>
        <td><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PrivateExplanation) %></td>
      </tr>
      <tr id="trPrvtWrn" class="wrng" style="display:none">
        <td></td>
        <td><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PrivateWarning) %></td>
      </tr>
    </table>
  </td>
</tr>
<tr><td><hr></td></tr>
<table <%=tblStyle%>>
  <col>
  <col class="w100">
  <% if (!IsDownLevelClient) { %>
  <tr>
    <td><input id="chkBsc" type="checkbox" class="rdo" onclick="clkBsc();"></td>
    <td nowrap><label for="chkBsc"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.UseOutlookWebAccessBasicClient) %></label></td>
  </tr>
  <tr id="trBscExp" class="disBsc" style="display:none">
    <td></td>
    <td><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.BasicExplanation) %></td>
  </tr>
  <% } %>
  <% else { %>
  <tr>
    <td><input id="chkBsc" type="checkbox" class="rdo" onclick="clkBsc();" disabled checked></td>
    <td nowrap><label for="chkBsc"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.UseOutlookWebAccessBasicClient) %></label></td>
  </tr>
  <tr id="trBscExp" class="disBsc">
    <td></td>
    <td><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.BasicExplanation) %></td>
  </tr>
  <% } %>
</table>


The end result will give you the following logon screen.
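As an added example (not code from the original post, and not Microsoft's), the following Python script performs the edit described above in a repeatable way: it backs up logon.aspx, locates the block that runs from the first <hr> row, past the second <hr> row, to the </table> that closes the basic-client table, checks that the block really contains the rdoPblc, rdoPrvt and chkBsc controls, and only then rewrites the file. It refuses to touch a file whose layout does not match (already edited, or a different version) and refuses to overwrite an existing backup. SAMPLE_LOGON_ASPX is a constructed, abridged stand-in for the real file that keeps the same marker lines; the default path uses a placeholder drive letter.

```python
"""Cut the public/private-computer choice and the OWA Light checkbox
out of an Exchange 2007 logon.aspx, taking a backup first.

Added example; not Microsoft's code and not from the original post.
The marker lines are those shown in the post's listing.
"""
import shutil
import sys
from pathlib import Path

HR_ROW = "<tr><td><hr></td></tr>"   # starts the security section; a second one precedes the basic-client table
TABLE_END = "</table>"
# Element ids the removed block must contain; used as a sanity check.
REMOVED_IDS = ("rdoPblc", "rdoPrvt", "chkBsc")


def find_line(lines, wanted, start=0):
    """Index of the first line at or after `start` whose stripped text equals `wanted`, else -1."""
    for i in range(start, len(lines)):
        if lines[i].strip() == wanted:
            return i
    return -1


def strip_logon_options(text):
    """Return (new_text, removed_line_count) with the logon-option block cut out.

    The block runs from the first <hr> row, through the second <hr> row, to the
    </table> that closes the basic-client table right after it. Raises ValueError
    when the expected structure is missing so an unexpected file is left alone.
    """
    lines = text.splitlines(keepends=True)
    first_hr = find_line(lines, HR_ROW)
    if first_hr < 0:
        raise ValueError("first <hr> row not found; file already modified or layout differs")
    second_hr = find_line(lines, HR_ROW, first_hr + 1)
    if second_hr < 0:
        raise ValueError("second <hr> row not found")
    table_end = find_line(lines, TABLE_END, second_hr + 1)
    if table_end < 0:
        raise ValueError("closing </table> of the basic-client table not found")

    block = "".join(lines[first_hr:table_end + 1])
    missing = [i for i in REMOVED_IDS if i not in block]
    if missing:
        raise ValueError("block does not contain expected controls: %s" % ", ".join(missing))

    new_text = "".join(lines[:first_hr] + lines[table_end + 1:])
    # The controls must be gone entirely, not just the first copy of them.
    leftovers = [i for i in REMOVED_IDS if i in new_text]
    if leftovers:
        raise ValueError("controls still present after edit: %s" % ", ".join(leftovers))
    return new_text, table_end - first_hr + 1


def patch_file(path):
    """Back up `path` to `path.bak` (never overwriting an existing backup), then rewrite it."""
    path = Path(path)
    backup = path.with_suffix(path.suffix + ".bak")
    if backup.exists():
        raise FileExistsError("backup %s already exists; refusing to overwrite it" % backup)
    new_text, removed = strip_logon_options(path.read_text(encoding="utf-8"))
    shutil.copy2(path, backup)          # backup only after the edit is known to be valid
    path.write_text(new_text, encoding="utf-8")
    return removed


# Constructed, abridged stand-in for logon.aspx with the same marker lines as the post's listing.
SAMPLE_LOGON_ASPX = """<table>
<tr><td><input id="username" type="text" name="username"></td></tr>
<tr><td><input id="password" type="password" name="password"></td></tr>
<tr><td><hr></td></tr>
<tr><td><table>
<tr id=trSec><td colspan="2">Security</td></tr>
<tr><td><input id="rdoPblc" type="radio" name="trusted" value="0" class="rdo" checked></td></tr>
<tr><td><input id="rdoPrvt" type="radio" name="trusted" value="4" class="rdo"></td></tr>
</table></td></tr>
<tr><td><hr></td></tr>
<table>
<tr><td><input id="chkBsc" type="checkbox" class="rdo"></td></tr>
</table>
<tr><td><input type="submit" value="Log On"></td></tr>
</table>
"""

if __name__ == "__main__":
    # Placeholder drive letter; pass the real path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else r"X:\exchange_path\clientaccess\owa\auth\logon.aspx"
    print("removed %d lines from %s" % (patch_file(target), target))
```

Run it once against a copy of the file first and diff the result against the original; running it a second time on the edited file raises ValueError because the first <hr> row is gone, which is the intended guard against double edits.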

Once this is accomplished, it has to be decided whether or not the default cookie timeout values are sufficient. If this is being done on a network where OWA is accessed only internally and users have to VPN in, then the default value for the public cookie timeout should be modified. If OWA is going to be accessed from anywhere, then the administrator or IT team should seriously consider keeping the default value.

Tune in soon for how to modify cookie timeout values for public and private computer logons.
