Customizing HTML Forms in ISA Server 2006
Microsoft® Internet Security and Acceleration (ISA) Server 2006 provides a variety of authentication methods that can be applied to Web publishing rules for clients accessing published Web servers. When forms-based authentication is selected, users are directed to an HTML form to provide authentication credentials. ISA Server provides default form sets used for forms-based authentication. These form sets can be customized, allowing you to provide a different look for the logon forms for different published Web sites.
This document describes ISA Server form sets and form set customization.
HTML Forms Overview
The following sections describe the HTML form sets that are included with ISA Server, and the structure of the ISA Server form set directories.
ISA Server Form Sets
ISA Server 2006 comes with preconfigured form sets that reside in the following folders:
- ISA. Includes all the HTML forms that may be required for forms-based authentication, as specified in the Web listener or ISA Server Web publishing rule.
- Exchange. Includes all the HTML forms that may be required for Microsoft Exchange Web client access forms-based authentication.
ISA Server 2006 supports three classes of HTML forms, organized into form sets:
- HTML. Intended for standard browsers.
- cHTML. Intended for browsers that support cHTML, such as i-mode mobile devices.
- XHTML-Mobile Profile (XHTML-MP). Intended for browsers that support xhtml-mp, such as Microsoft Windows Mobile® and other mobile devices.
ISA Server determines the type of form to provide based on the User-Agent header provided by the mobile client.
Each form set includes all the HTML forms that clients may need for forms-based authentication, such as a logon form, logoff form, and SecurID forms. By default, when you create a new Web listener with HTML forms-based authentication as the selected authentication method, a form set is selected automatically. Depending on the authentication validation method specified for the Web listener, ISA Server presents one of the following types of logon forms:
- Password form. The user enters a user name and password on the form. This is the type of credentials needed for the Active Directory® directory service, Lightweight Directory Access Protocol (LDAP), and Remote Authentication Dial-In User Service (RADIUS) credential validation.
- Passcode form. The user enters a user name and passcode on the form. This is the type of credentials needed for SecurID and RADIUS one-time password validation.
- Passcode/Password form. The user enters a user name and passcode, and a user name and password. The user name and passcode are used for authentication to ISA Server using SecurID or RADIUS one-time password authentication methods, and the user name and password are used for delegation. This form is used when the administrator chooses to collect additional credentials in the form.
After creating the Web listener and the Web publishing rule, you can specify that a different form set should be used. In addition, the HTML form properties of a Web publishing rule can override the form set of its Web listener. A form set is determined either by the:
- Form set specified in the Web listener.
- Form set specified in the Web publishing rule.
For details about creating form sets, see Creating Custom Form Sets.
Form Set Directories
The installation directory of ISA Server 2006 contains a directory called CookieAuthTemplates, which contains the ISA and Exchange forms directories that are included with ISA Server. The immediate subdirectory of these directories contains the various types of form sets. The following listing outlines the layout of the forms directories. (Three dots represent the same layout as the previous entry at the same level.)
Each form set directory includes the entire set of HTML forms (.htm files). When ISA Server displays an HTML form, it replaces placeholders in the .htm files with the strings in the strings.txt file corresponding to the language settings of the user's browser, located in the language folder of the languages (nls) directory.
When a Web publishing or a Microsoft SharePoint® publishing rule is created, a form set from the ISA directory is automatically used.
When a Web client mail access publishing rule is created using the New Exchange Publishing Rule Wizard, the Exchange HTML form set is automatically selected for that rule. The Exchange folder only contains the HTML form set. To use either the cHTML or XHTML form sets for Exchange Web client access, you will need to create the directories Exchange\cHTML or Exchange\xHTML, and then copy the contents of Exchange\HTML to these directories.
Note that to use the Exchange Publishing Rule Wizard, in the console tree of ISA Server Management, click Firewall Policy, then on the Tasks tab, click Publish Exchange Web Client Access.
The language directory, nls, includes a single subdirectory with a strings.txt file for each supported language. When ISA Server displays an HTML form, it replaces the placeholders in the .htm files with the strings in the strings.txt file of the language matching the Accept-Language header sent by the client's browser.
When ISA Server cannot match the Accept-Language header sent by the client's browser, ISA Server uses the strings.txt file in the default form set directory. Note this strings.txt is the English language version of the file.
Form set directory permissions
When ISA Server is installed, the permissions on the forms directories are automatically set. These permissions should never be changed:
- Full control. Applied to members of the local Administrators group.
- Read only. Applied to the Network Service account so that ISA Server can read the content of this directory while running under the Network Service account.
To preserve the inheritance of permissions from the parent folder, we recommend that files be copied to the form set directory, rather than moved to the directory.
Customizing Form Sets
In some cases, you may want to provide a different look for the forms of some published Web sites. Each such look is defined by a form set. You can either modify an existing form set, or create your own custom form set.
The following sections describe:
- Customizing Text Strings
- Using Custom Graphics
- Creating Custom Form Sets
Note the following:
- When customizing the forms, you must keep all of the original form fields and all of the placeholders that ISA Server replaces with hidden fields. All input tags <input …> and form tags <form…> must remain unchanged in the .htm files, or the forms will not work. Also, you cannot change the format of the strings.txt file.
- The Exchange and ISA folders are overwritten during upgrade. If you customize the HTML forms, be sure to make a backup of the updated files before applying any hotfix, service pack, or upgrade.
- If you are running ISA Server Enterprise Edition, any changes made to the ISA Server form sets should be made on each ISA Server array member.
- For the changes to take effect, you must restart the Firewall service.
- Note that all the files found in forms customization directory can be accessed by anonymous users. Therefore, these files should not contain any sensitive information.
Customizing Text Strings
When ISA Server displays an HTML form, it replaces the placeholders in the .htm files with the strings in the strings.txt file of the language specified in the language settings of the client's browser, or as specified in the Web listener. Text string customization is done by modifying the strings in the strings.txt file that correspond to the placeholders in the .htm files.
Note the following:
- Before customizing the content of the strings.txt file, we recommend that you make a backup of the strings.txt file that you are modifying.
- Any strings that you modify or add must be properly encoded to comply with HTML syntax. The "<" character cannot be included in the string and should be replaced with
<. In addition, to include a quotation mark, the single quotation mark must be used instead of the double quotation mark.
The following example describes how you would change the text string for the user name input in the standard logon page from "Domain\user name:" to "Alias:".
To change the text for the user name input in the standard logon page
Open the strings.txt file in the appropriate language folder in the nls directory.
Find the string matching the placeholder @@L_username_ text. The string appears in the strings.txt file as: L_UserName_Text="Domain\User name:".
Change the text string to L_UserName_Text="Alias:".
Save the strings.txt file. When the HTML form is generated, the new value of @@L_username_text will be displayed in the form.
Restart the Microsoft Firewall service for changes to take effect.
In addition to modifying text strings, you can add new strings to a form. The following example shows how you would add a string to a form.
To add a string to a form
Open the .htm file
Add a placeholder for the string and save the file. The placeholder must be in the format of @@L_stringname. The placeholder cannot contain spaces.
Save the .htm file.
Add the corresponding string to the strings.txt file. The string must be written in the format L_stringname="string text".
Save the strings.txt file.
Restart the Firewall service for changes to take effect. When the HTML form is generated, the value of @@L_stringname will be displayed in the form.
If you provide the strings.txt file to a third party for modification, validate that non-text additions have not been made to the file, because these may provide a means of attack on your networks.
Using Custom Graphics
You can either replace a graphic in a specific form or replace a graphic globally in all the forms so that the change appears in all .htm files that refer to that graphic.
The graphics that ISA Server uses in the HTML forms are all located in default forms directories (ISA and Exchange). The URL used to reference graphics is written as follows, where <filename> is the name of the file including extension: /cookieauth.dll?GetPic?formdir=%FORMDIR%&image=<filename>.
The following example describes how you would replace the logo graphic <lgntop.gif> with your own company logo <logo.gif>. In this example, you are modifying a form in the HTML directory.
To replace the logo graphic
Copy logo.gif to the ISA HTML form set directory.
Open the .htm file that includes the graphic you are replacing.
Modify the URL for the graphic, replacing the existing file name <lgntop.gif>. The modified URL is: /cookieauth.dll?GetPic?formdir=%FORMDIR%&image=logo.gif.
Save the file.
Restart the Firewall service for changes to take effect. When the form is generated, logo.gif will display in the form.
Alternately, to replace a graphic globally in all the forms, copy your graphic to the forms directory using the file name of the graphic you are replacing.
Creating Custom Form Sets
You can specify a different directory for forms other than the default ISA or Exchange directories provided by ISA Server 2006. This allows you to provide custom forms other than those provided by ISA Server.
For example, consider a scenario where you are publishing Web client access for two different companies and would like each company to have their own logo in the page, as well as other custom text strings. You would perform the following procedure.
To provide custom forms
Create a new folder in the \CookieAuthTemplates\ directory. For example, \ISA Server Installation Directory\CookieAuthTemplates\Company1.
Copy the contents of the ISA or Exchange folders into the new folder that you just created. If you only have standard browsers, you only need to copy the HTML folder.
Customize the form in the copied directory. Make any text changes to the strings.txt file in the appropriate language folder, or replace any graphics files. Do not change any of the HTML form elements, such as <FORM> and <INPUT>.
Restart the Firewall service for the changes to take effect.
To apply the new form set to a Web listener, provide the directory name on the Forms tab of the Web listener. Provide only the name of the directory, such as Company1, and not its full path. Alternately, to apply the new form set to a Web publishing rule, in the Application Settings tab of the rule, enable the Use customized HTML forms check box and provide the directory name.
To ensure that the forms are displayed only in a specific language, in the Forms tab of the Web listener, under Display the HTML form in this language, select the language. For example, to ensure that a form is displayed in English only, regardless of the client browser setting, you select English [en].
Repeat the procedure for the second company (Company2).
Click Apply in the Apply Changes bar to update the configuration.
Note that if you are running ISA Server Enterprise Edition, the forms directory must appear on all ISA Server array members.
By default, ISA Server builds the HTML forms using the strings.txt file from the language folder specified in the Languages option of Internet options of the client's browser. You can override the client language setting by specifying a language in the Web listener. In addition, if ISA Server does not locate the strings.txt file corresponding to the language settings, it uses the default strings.txt file.
Note that the language of the strings.txt file in the default directory is English. You can change the language of the default strings.txt file by replacing it with the strings.txt file from any one of the language folders.