Customizing the Outlook Web Access Logon Page

In Microsoft® Exchange Server 2003, a new authentication mechanism was introduced for Microsoft Office Outlook® Web Access for Exchange Server 2003. Forms-based authentication provides a central Web logon screen for users to authenticate through. When you use forms-based authentication, your logon credentials are stored in a temporary cookie. Storing these credentials in a cookie provides a more secure mechanism for ensuring session logout and automatic timeout.

This topic provides information intended to help Exchange administrators customize their logon page so that it fits their organization’s needs.

Important Note About Customizing Outlook Web Access

This topic describes changes that developers can make to, among other objects, Outlook Web Access source .asp, .css, .htc, .js, and .xsl files that exist in the \Exchweb folder. Be aware that any changes you make to these objects will be undone or will not work properly when you install service packs. Also, Microsoft Developer Support cannot support customization to these Outlook Web Access objects.

Enabling Forms-based Authentication

Before you start customizing the logon page, you should enable forms-based authentication (FBA) on your test server.

To enable forms-based authentication

  1. Open Exchange System Manager.

  2. Navigate to the HTTP protocol.

  3. Right-click the Exchange Virtual Server, and then click Properties.


    Forms-based authentication can be set on any Exchange Virtual Server that you have on your server; these examples assume the default settings.

    Open HTTP virtual server properties

  4. On the Settings tab, select Enable Forms Based Authentication.

    Enable Forms based auth on HTTP VS properties

  5. Restart Microsoft Internet Information Service (IIS).


Forms-based authentication requires that Secure Sockets Layer (SSL) be configured on your server running IIS. For debugging purposes, Outlook Web Access offers a way to enable FBA through normal HTTP.


Do not deploy this procedure into a production environment or your user logon information will be sent in an unencrypted state.


Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

To configure forms-based authentication to work without SSL for your development environment

  1. Open Registry Editor.

  2. Go to the following registry key:


  3. If it does not exist already, add an OWA subkey to this key.

  4. Under the OWA subkey, add a DWord value named AllowRetailHTTPAuth.

  5. Set the value of this DWord to 1.

Premium Logon Page

The following figure displays the standard premium client logon page.

OWA Premium logon page

Premium clients are defined as Microsoft Internet Explorer 5.01 and later versions.

Basic Logon Page

The following figure displays the basic client logon page.

OWA Basic logon page

Basic clients are defined as Internet Explorer version 5 and earlier and other non-Microsoft browsers.

Changing the Basics

The most common things that organizations want to change are the strings and graphics on the logon page.

String Changes

The logon page was designed so that changing the strings would not be difficult. All strings in the page are defined at the top of the logon.asp file as constants.

To assist you in determining which strings to change, use the following table.

ID Const Comment

Logon button caption
Logon page title
Alternative text for main Outlook Web Access logon page logo image
Client options group text label
“what’s this” help text expand link
“hide explanation” help text collapse link
Basic client experience label
Premium client experience label
“what’s this” expanded explanation of the premium client
“what’s this” expanded explanation of the basic client
Security options group label
Public computer label
Private computer label
“what’s this” expanded explanation of the public computer security option
Explanation of the private computer security option for the basic client
“what’s this” expanded explanation of the private computer security option
Warning policy message for users selecting the private computer security option
Label for the password input field
Label for the username input field
Warning message when user has timed out
Security information regarding Outlook Web Access and time-out period at bottom of logon page
Unauthorized http response
String used to notify users that they have been logged off
Session expired message
No script support warning
S/MIME error message

The following figure illustrates most of the major strings listed in the table.

All text strings displayed on OWA logon page

Logon Page Loading

The logon page is one of several pages involved in the authentication process for Outlook Web Access users. When a user is asked to authenticate, he or she is normally redirected to the http://servername/exchange directory. This directory contains the default owalogon.asp file.

Language Redirector

The owalogon.asp file evaluates the HTTP_ACCEPT_LANGUAGE header of the browser and determines which localized version of the Outlook Web Access logon form to display. After owalogon.asp determines which version to use, the user is redirected to the logon.asp page. It is this page that this topic will cover.

Protect Your Changes during Exchange Server Updates

The owalogon.asp redirect page can also be used to isolate the changes you make to your logon.asp pages from changes that may occur when Exchange Server 2003 service packs are applied. Isolating these changes is important because, when Exchange service packs and other updates are applied, they will typically overwrite any changes that you may have made to the logon.asp file. By saving your logon.asp customizations to a different file name (for example, logon2.asp) and changing the owalogon.asp page to point to your new pages, you can reduce the changes you need to make during service pack updates. Of course, you should compare any new logon.asp pages applied during updates with your custom page to make sure that you incorporate any changes that occurred during the update back into your custom page.

To point to your custom logon page, update the two occurrences of logon.asp in the following section at the end of the owalogon.asp page.

' Walk the browser's Accept-Language entries in order of preference.
for each szSubString in arLanguages
   ' Drop any ";q=" weight and map the language tag to an OWA folder name.
   szLanguage = Split(szSubString, ";", -1, 1)
   szMSFTLang = LangMap.Item(UCase(szLanguage(0)))
   for each folder in folders
      if (szMSFTLang = UCase(folder.Name)) then
         Server.Transfer("./" & folder.Name & "/logon.asp")
      end if
   next
next
' No language matched: fall back to the logon page in the USA folder.
Server.Transfer("./" & "USA" & "/logon.asp")

Localized Logon Pages

Outlook Web Access has a localized version of the logon.asp page for each language that is supported by Outlook Web Access. If your organization supports multiple languages in Outlook Web Access, and you make changes to logon.asp, remember to make those changes for each language that your organization supports.

Visible Logon Parameters

The logon page expects that the user will enter his or her user name in the form of either domain\username, or user principal name (UPN).

In addition to the user name, the password must be provided to successfully log on.

Other visible parameters that are transferred when the user logs on include the client experience and the security options.

Post Parameters

The logon page submits its values in a post to owaauth.dll. The following table shows the values that are supported.

Parameter Values Comment

The user logon name. Can be either UPN or domain\user.
The user password.
Target URL for the logon page.
Binary mask that contains logon information regarding client experience, security setting, and gzip compression support

Of these parameters, the flags parameter deserves further explanation.

Flags parameter

The flags parameter allows the enabling and disabling of certain Outlook Web Access features. In Exchange Server 2003, this parameter controls the following features.

Security Level

The logon page provides two different security settings. These settings specify whether a computer that the user is logging on to is a public computer or private computer. When a private computer is selected, the user session changes and the time-out value for his or her session is increased to the value specified in the TrustedClientTimeout registry subkey.

  • To enable this feature, perform a bitwise OR of the flags value with the binary value 0100 (decimal value = 4).
  • To disable this feature, perform a bitwise AND of the flags value with the binary value 1011 (decimal value = 11). By default, this feature is disabled.

Compression Level

Outlook Web Access supports Internet standard gzip compression. Unfortunately, not all browsers that support gzip compression do it the same way. Therefore, the logon page provides logic to determine specifically which version and software update level of Microsoft Internet Explorer is being used. If Outlook Web Access determines that a version is being used that does not provide sufficient gzip support, this feature can be disabled by using forms-based authentication and by setting the compression level flag.

  • To disable this feature, perform a bitwise OR of the flags value with the binary value 0010 (decimal value = 2).
  • To enable this feature, perform a bitwise AND of the flags value with the binary value 1101 (decimal value = 13). By default, this feature is enabled.

Client Experience

By default, Outlook Web Access provides the rich client experience for browsers that support it and the basic experience for other browsers. Some users may want to use the basic experience although their browser supports the rich experience. One scenario where a user might make this selection is to gain a performance improvement when he or she has not used Outlook Web Access on a specific computer but needs fast access to his or her Inbox.

  • To force the client experience to basic, perform a bitwise OR of the flags value with the binary value 0001 (decimal value = 1).
  • To force a client to use the premium client, perform a bitwise AND of the flags value with the binary value 1110 (decimal value = 14).
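
The three flag bits described above can be set, cleared, and decoded as in the following added example, which is not code from logon.asp or owaauth.dll. The function names, record fields, and sample records are hypothetical, and the example assumes the flags field is submitted as a decimal string.

```javascript
// Added example (not Microsoft's logon.asp code). Bit values come from the
// flags description above; function and field names are hypothetical.
const FLAG_BASIC_CLIENT = 0b0001; // set = force basic client experience
const FLAG_NO_GZIP = 0b0010;      // set = gzip compression disabled
const FLAG_PRIVATE = 0b0100;      // set = private computer (longer time-out)
const KNOWN_BITS = FLAG_BASIC_CLIENT | FLAG_NO_GZIP | FLAG_PRIVATE;

// Build a flags value from logon-page choices. The defaults follow the page:
// premium client, gzip enabled, public computer, which gives flags = 0.
function buildFlags({ basicClient = false, gzip = true, privateComputer = false } = {}) {
  let flags = 0;
  if (basicClient) flags |= FLAG_BASIC_CLIENT;
  if (!gzip) flags |= FLAG_NO_GZIP;
  if (privateComputer) flags |= FLAG_PRIVATE;
  return flags;
}

// Clear one bit within a 4-bit mask: the AND with 11, 13, or 14 described above.
function clearFlag(flags, bit) {
  return flags & ~bit & 0b1111;
}

// Decode a submitted flags string; returns null unless it is a short decimal integer.
function decodeFlags(raw) {
  if (!/^\d{1,4}$/.test(String(raw))) return null;
  const value = Number(raw);
  return {
    value,
    client: value & FLAG_BASIC_CLIENT ? "basic" : "premium",
    gzip: (value & FLAG_NO_GZIP) === 0,
    security: value & FLAG_PRIVATE ? "private" : "public",
    unknownBits: value & ~KNOWN_BITS, // bits the page does not describe
  };
}

// List users whose logon selected the private computer option and therefore
// gets the TrustedClientTimeout value instead of the public time-out.
function privateLogons(records) {
  const hits = records.filter((r) => decodeFlags(r.flags)?.security === "private");
  return hits.map((r) => r.user);
}

const sample = [ // constructed records, not real log data
  { user: "CONTOSO\\alice", flags: "0" },
  { user: "bob@contoso.example", flags: "4" },
  { user: "CONTOSO\\carol", flags: "7" },
  { user: "CONTOSO\\dave", flags: "abc" },
];
console.log(privateLogons(sample));
```
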

For More Information

The following resources offer additional information to help you customize the Outlook Web Access logon page.