Customizing the mobile device xHTML FBA page to allow password change

In this article I want to provide a quick guide, about how to modify the xHTML F(orm) B(ased) A(uthentication) page the client will receive, when it is connecting to a site published with FBA through ISA server 2006 using a mobile Client, e.g. running Windows Mobile.

Every time a client connects to the ISA server FBA site ISA server will check the HTTP Header Field “User-Agent”. Based on the information in this header ISA server will decide which HTLM form it will deliver to the client.

This behavior can be controlled by the FPCUserAgentMapping COM object, as described in the MSDN.

With this setting we want to provide the best experience for the client based on the device you use to connect to the published server.

If you’re using the Password Change Feature in your environment, you may have recognized that the password change option is not available when you connect using a mobile device by default. This is intentionally left out, as this feature is not implemented into the xHTML Form ISA delivers to the mobile device.

With ISA server 2006 we are providing the opportunity to officially customize the FBA HTML pages as described here. Providing this opportunity you can not only customize the Form to include your company logo and change the message strings you will see on the FBA page, but you can also modify the HTML code of each page.

In this article I want to provide an example on how to modify your xHTML Form to enable the Password Change Feature, e.g. for a scenario when you connect to your published Exchange OWA using a mobile device.

Important: Please be aware, that Microsoft won’t provide support if something isn’t working with the customized HTML Forms you created, including the steps described in this article. Please be aware, that Microsoft will ask you to ‘roll-back’ to the standard forms provided with ISA server for the case you need to open a service request with Microsoft. Customizing HTML Forms is a supported configuration, but Microsoft can’t support the customization itself.

Before you actually start to modify any files, you should create a new folder in the ISA installation directory CookieAuthTemplates Folder

image

And name it e.g. mycustom. Now copy the xHTML folder from the ISA directory to your new folder.

Important: You’ll have to create the same folder with the same content on all Array Nodes if you’re running ISA 2006 Enterprise Edition.

Any changes made in this folder will only be applied when you restart the ISA Firewall services. If you want to use this custom form in the ISA configuration, you’ll have to restart the Firewall services first. However at this point this wouldn’t make any real sense, as we didn’t modify anything yet J

In the xHTML directory we can see the different files send by ISA to the client based on the configuration applied in ISA. To achieve our goal to enable the password change, we need to modify the user_pwd.htm.

Please open the file in a text editor and search for the lines:

 

<img src="/CookieAuth.dll?GetPic?formdir=@@FORMDIR&image=mslogo.gif" alt=""/>

<br />

In the body part of the code. 

And insert the following lines:

<p>

<label for="chpwd">@@L_RequestPwdChange_Text</label><br />

<input id="chpwd" name="chpwd" type="checkbox" class="rdo" onclick="clkChpwd()" />

</p>

Save the file. If you open the file in a browser it should look like this:

image

When the checkbox is ticked, it will call the clkChpwd() Method, which triggers that the password change page will be send to the client.

After you saved the file, make sure to copy the directory to all array members if you’re running the Enterprise Edition and restart the firewall service on all array nodes.

In order to use this custom html form you got two choices:

1. Configure the setting directly on the listener being used for the publishing rule:

Open the listener properties and select the ‘Forms’ tab. Tick ‘Use customized HTML forms instead of default’. Enter ‘mycustom’ in the text field and tick ‘Allow users to change their passwords’:

image

2. Configure the setting in the publishing rule:

Open the publishing rule and select the ‘Application Settings’ Tab. Tick the checkbox and add ‘mycustom’ to the text field:

image

Don’t forget to enable the Allow users to change their passwords in the listener properties in any case.

Please be aware, that all clients which don’t match the user agent to which ISA server will deliver the xHTML files you will see the standard pages configured in the ISA CookieAuthTemplates folder.

Feel free to copy and modify the HTML and cHTML folder from the ISA or Exchange folder to your mycustom folder, to create a customized experience for your users.

Happy customizing :)

 

Author

Philipp Sand

Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Thomas Detzner

Microsoft CSS Forefront Security Edge Team