The product of a web developer with a little too much caffeine

Creating – Part 1

is a website that allows you to create a custom login page for your Outlook Web Access by making changes to the colors, logo and layout of the page. This is a series of blog posts that discuss some of the more interesting parts of developing this project.

The Key Parts Of

In order to develop I had to solve a few problems…

  • What is the correct address to post logon attempts to?
  • How can I be reasonably certain that the address is correct?
  • How do I create their custom OWA page with the correct colors and logo?
  • What is the best way to convert a theme image into an actual HTML web page?
  • How can I package their content into a single .zip file?

For the next few weeks I’ll be going over all the steps I used to allow visitors to create custom Outlook Web Access pages with this site.

Determine The Correct Address

Now, this part is probably not close to perfect yet. As it turns out, OWA isn’t standard across the board. I’m not just referring to OWA 2003 compared to OWA 2007; even matching versions can have different setups. With that said, the application still needs to come up with the correct postback URL for the final rendered page.

Asking the visitor for the correct URL is probably not really a good idea. They might not understand where to look inside the form or what the address should look like. Instead, the application simply asks them for the address of the Outlook Web Access login page and then uses a series of HTTP calls to determine the rest.

//the address of the Outlook Web Access login page entered by the visitor
string path = "";
HttpWebRequest request = HttpWebRequest.Create(path) as HttpWebRequest;

request.UserAgent = USER_AGENT;
request.CookieContainer = result._Cookie;

//get the response from the requester
HttpWebResponse response = request.GetResponse() as HttpWebResponse;
string content;
using (StreamReader reader = new StreamReader(response.GetResponseStream())) {
    content = reader.ReadToEnd();
}

//use content to determine form related information

This section of code tells us a few things…

  • Did a server respond to our request?
  • Were we redirected to a different URL?
  • Which level of security was used – http or https?
  • If the server doesn’t respond was it really because nothing was there?
  • Does the content contain anything that looks like an Outlook Web Access page?
  • Are we sure that this address will accept our login attempts?

Yikes! Unfortunately those are all real problems that need to be solved in the code — and anything unsuccessful needs to be reported back to the user (or repaired on its own). I’ll skip over the first three since they are fairly easy to determine.

Exception With A Responding Server?

I’ve found that with the HttpWebRequest sometimes you get an exception even if the server is found because the certificate at the site isn’t valid. It throws you off quite a bit especially if you’re expecting a response and your code simply crashes.

As it turns out it isn’t hard to handle invalid certificates.

//Ignore bad certificates
// ** Use at your own risk **
//This callback is static: once set, it applies to every HTTPS request the application makes
ServicePointManager.ServerCertificateValidationCallback = (obj, cert, chain, ssl) => {
    return true;
};

In my case I’m not too worried if the server’s certificate is valid – I just want to know if it is responding to my requests. By adding in this line of code I can ignore anything invalid and move forward.
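A narrower variant of the certificate handling above, as an added example that is not the author's code: it assumes .NET Framework 4.5 or later, where HttpWebRequest has its own ServerCertificateValidationCallback, so the override covers one probe request instead of the whole process and the certificate errors are kept for reporting back to the user. The names CertAwareProbe, ProbeResult and Probe are hypothetical, and the URL passed in is assumed to be http or https.

```csharp
using System;
using System.Net;
using System.Net.Security;

static class CertAwareProbe {
    public sealed class ProbeResult {
        public bool Responded;              // any HTTP answer, even an error status
        public Uri FinalUri;                // address after redirects
        public SslPolicyErrors CertErrors;  // None when the certificate validated
        public WebExceptionStatus Failure = WebExceptionStatus.Success;
    }

    public static ProbeResult Probe(string url) {
        var result = new ProbeResult();
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Timeout = 15000;
        // Per-request callback: only this probe tolerates a bad certificate,
        // and the problem is recorded so it can be shown to the user.
        request.ServerCertificateValidationCallback = (sender, cert, chain, errors) => {
            result.CertErrors |= errors;
            return true;
        };
        try {
            using (var response = (HttpWebResponse)request.GetResponse()) {
                result.Responded = true;
                result.FinalUri = response.ResponseUri;
            }
        } catch (WebException ex) {
            result.Failure = ex.Status;
            // A 4xx/5xx status still proves that a server is answering at this address.
            using (var error = ex.Response as HttpWebResponse) {
                if (error != null) {
                    result.Responded = true;
                    result.FinalUri = error.ResponseUri;
                }
            }
        }
        return result;
    }

    static void Main(string[] args) {
        if (args.Length != 1) {
            Console.Error.WriteLine("usage: probe <login page URL>");
            return;
        }
        ProbeResult r = Probe(args[0]);
        Console.WriteLine("responded={0} final={1} certErrors={2} failure={3}",
            r.Responded, r.FinalUri, r.CertErrors, r.Failure);
    }
}
```

A result with Responded false and Failure set to a timeout or name resolution status separates "nothing was there" from a server that answered with a certificate problem.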

Just What Is This Page Anyways?

There are a few arguments you need to use when posting back to an Outlook Web Access login page. We wouldn’t want to accidentally create a login page if someone entered ‘’ instead. By using a couple Regular Expressions we can check to see if the form looks like an Outlook Web Access page.

Here are some of the fields you can check for…

  • An input named username
  • An input named password
  • A hidden input named destination
  • A form action to something containing owaauth.dll

There are more fields you can use but these tend to be a fairly sufficient indicator that we’re looking at an Outlook Web Access form.
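One way to write the form check described above, as an added example rather than the site's own code: it requires all four indicators before treating a page as an Outlook Web Access login form. The class and method names are hypothetical and the sample markup is constructed.

```csharp
using System;
using System.Text.RegularExpressions;

static class OwaFormCheck {
    const RegexOptions Opts = RegexOptions.IgnoreCase;

    // True if the page has an <input> with this name (optionally type=hidden).
    static bool HasInput(string html, string name, bool mustBeHidden = false) {
        string namePattern = @"\sname\s*=\s*[""']?" + Regex.Escape(name) + @"[""']?[\s/>]";
        foreach (Match tag in Regex.Matches(html, @"<input\b[^>]*>", Opts)) {
            bool named = Regex.IsMatch(tag.Value, namePattern, Opts);
            bool hidden = Regex.IsMatch(tag.Value, @"\stype\s*=\s*[""']?hidden\b", Opts);
            if (named && (hidden || !mustBeHidden)) return true;
        }
        return false;
    }

    // Returns the form action when it targets owaauth.dll, otherwise null.
    static string FindAuthAction(string html) {
        Match m = Regex.Match(html,
            @"<form\b[^>]*\saction\s*=\s*[""']?([^""'\s>]*owaauth\.dll[^""'\s>]*)", Opts);
        return m.Success ? m.Groups[1].Value : null;
    }

    // All four indicators from the list above must be present.
    public static bool LooksLikeOwa(string html, out string action) {
        action = FindAuthAction(html);
        return action != null
            && HasInput(html, "username")
            && HasInput(html, "password")
            && HasInput(html, "destination", mustBeHidden: true);
    }

    static void Main() {
        // Constructed sample markup, not captured from a real server.
        string owa = @"<form action=""/exchweb/bin/auth/owaauth.dll"" method=""POST"">
            <input type=""hidden"" name=""destination"" value=""https://mail.example.test/exchange"">
            <input type=""text"" name=""username""><input type=""password"" name=""password"">
            </form>";
        string other = @"<form action=""/login.php"" method=""POST"">
            <input name=""username""><input type=""password"" name=""password""></form>";

        string action;
        Console.WriteLine("{0} {1}", LooksLikeOwa(owa, out action), action);
        Console.WriteLine("{0} {1}", LooksLikeOwa(other, out action), action ?? "(no owaauth.dll action)");
    }
}
```

The second sample has username and password inputs but is rejected, which is the case the extra indicators exist for: an ordinary login form that is not Outlook Web Access.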

Testing The Login

At this point we’re fairly confident that the server we are looking at is an OWA login page but there is one more test we can try. In the final test we perform a fake login to the page to see if we get a password failed error response.

//test the target of the form that was found
HttpWebRequest request = WebRequest.Create(formTarget) as HttpWebRequest;

//create the standard postback information
string post = string.Format(

//prepare the request
request.MaximumAutomaticRedirections = 10;
request.UserAgent = USER_AGENT;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.Timeout = 15000;

//and add the content
using (StreamWriter writer = new StreamWriter(request.GetRequestStream())) {
    writer.Write(post);
}

//get the login attempt result (redirects are followed automatically)
HttpWebResponse response = request.GetResponse() as HttpWebResponse;

//check if a reason code was included in the address we ended up at
return Regex.IsMatch(response.ResponseUri.Query, @"(&|\?)reason=\d", RegexOptions.IgnoreCase);

It is possible that we just happened to come across a random server that returns a response code but given all the other tests we can be fairly confident in the address we’re testing.

As a final option we present the user with a test login box that they can try to do a personal verification that the address works.


Written by hugoware

November 2, 2009 at 9:59 pm

One Response


  1. I found Shtrudel M@il – a free webmail with tons of good features and great availability of user names and email addresses. shtrudel mail


    April 6, 2010 at 12:44 am
