By default, all Ares installations are set up with standard Ares authentication. This type of authentication allows anyone with access to the Create Account web form (GCreateAccount.html) to register for a new account, choose a username and password, and then use that username and password to immediately log into the Ares web interface. As standard Ares authentication does not verify user information against any external system upon registration or login before creating the user's account, you may experience periods of bot-driven automatic account creation spam wherein bots use the Create Account form to create a large number of accounts in a short period of time.
The release of Ares Server v5.0.9/Web DLL v5.0.6 includes several new options for preventing excessive new user account creation spam on the Create Account form (GCreateAccount.html). This article will detail these options and how to configure them for your Ares installation after updating.
Option 1: Add Captcha Requirement to the Create Account Form
Extra security against spam account creation can be provided by adding a captcha requirement to the Create Account form (GCreateAccount.html). Once added, users will need to solve the captcha requirement to submit the form and create their Ares account, which will prevent bot-driven account creation spam. To add the captcha requirement, Ares must be configured to integrate with one of three supported third-party captcha providers. Once a provider is selected, your institution will need to create an account with that provider and use the account details to configure the captcha integration in the Ares Customization Manager. Ares supports the following third-party captcha providers and plans:
- Google reCAPTCHA: The reCAPTCHA v2 (both the "invisible" and "checkbox" variants) and reCAPTCHA v3 are supported options
Due to a Google bug, HTML5 validation configured on the Create Account form will no longer properly display the tooltips notifying the user of any missing/invalid information that is preventing the submission of the form when using the "invisible" reCAPTCHA v2 variant. Users may also experience a delay before they are allowed to re-submit the form after their first invalid form submission.
- Note that reCAPTCHA Enterprise is not supported by Ares
- hCaptcha: The free "Publisher" plan is supported
- MTCaptcha: The free plan is supported
For complete details on the accessibility features offered by each captcha provider, please see the captcha provider's documentation:
After choosing a captcha provider and plan, the captcha requirement can be added to the Create Account form following the steps below (click each step to view each process in more detail):
- Creating an account with the captcha provider of your choice
- Configuring the captcha customization keys in the Ares Customization Manager
- Updating your web pages to add the new captcha web page files and to update GCreateAccount.html to include the new captcha field
1. Create a Captcha Account
Before a captcha integration can be configured for Ares, you must first create an account with one of the three supported third-party captcha providers. After creating the account, you will use the account information to configure your captcha integration in the Customization Manager. Note that only the free plans offered by each captcha provider are supported by Ares at this time. See each provider's section below for more detailed instructions on how to create your account.
To create a Google reCAPTCHA account:
Visit https://www.google.com/recaptcha/about/ and optionally review the listed features for reCAPTCHA v2 and reCAPTCHA v3 on this page to decide which option to use for your captcha requirement on the user registration form. For more information, see the reCAPTCHA documentation.reCAPTCHA Enterprise is not supported by Ares at this time.
- Click v3 Admin Console at the top of the page when you are ready to create an account. You will be asked to sign-in/create a Google account before beginning the reCAPTCHA sign-up process if you are not already signed in to Google.
- Under Label, enter a label or name to use to identify your account.
- Under reCAPTCHA type, select either the reCAPTCHA v3 or reCAPTCHA v2 option
- If reCAPTCHA v2 is selected, you must then select either the "'I'm not a robot' checkbox" or the "invisible reCAPTCHA badge" variant
- Under Domains, type the domain of the server that hosts your Ares web pages (e.g., https://<your.AresWeb.domain>/)
- Click the plus sign (+) to add the domain
- Agree to the terms and conditions and click Submit to create the account
- Once registration is completed, you will be shown a page containing the Site Key and Secret Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Ares Customization Manager during the next step of the configuration process.
To create an hCaptcha account:
- Visit https://www.hcaptcha.com
- Click the Sign-Up button to begin the account creation process
- Click the Add hCaptcha to your service (free) option
- Follow the prompts to register for a free account
- Once registration is completed, you will be shown a page containing the Sitekey and Secret values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Ares Customization Manager during the next step of the configuration process.
To create an MTCaptcha account:
- Visit https://www.mtcaptcha.com
- Click the Free Account button to begin the account creation process
- Follow the prompts to register for an account. When prompted for the Domain Name, type the domain of the server that hosts your Ares web pages (e.g., https://<your.AresWeb.domain>/)
- Once registration is completed, you will be shown a page containing the Site Key and Private Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Ares Customization Manager during the next step of the configuration process.
2. Configure Captcha Customization Keys
Once your captcha account is created using one of the providers above, you will then need to use information from the captcha account to configure a series of customization keys in the Ares Customization Manager (all keys are located under Web | Settings):
- CaptchaProvider: Select one of the following options from the dropdown based on the captcha provider and plan you selected:
- CaptchaSecret: Enter the Private Key (MTCaptcha)/Secret Key (reCAPTCHA)/Secret (hCaptcha) value associated with your captcha account.
- CaptchaSiteId: Enter the Site Key value associated with your captcha account.
Next, optionally review and modify the status line text that will appear on the Ares web interface if a user fails the captcha challenge on the user registration form:
- SLCaptchaFailure (located under Web Status Lines | Users)
3. Edit Web Pages
After the new customization keys have been configured, follow the instructions below to update your web pages and add the captcha requirement to GCreateAccount.html:
- Visit the Ares Downloads page and download the latest version of the Ares 5.0 Default Web Pages
- Unzip the downloaded zip file containing the new web page files
- Navigate into the folder containing the new web page files
- Copy the templates subfolder and add this entire folder as a new subfolder within your Ares web directory (in GitHub or at the default location on the Ares server: C:\Ares\Web\WebPages). Note that within the templates folder is a captcha subfolder that contains several important new captcha files. Please ensure that the captcha subfolder and all of these files are copied over to your web directory when adding the templates folder:
Locate and make the following changes to the GCreateAccount.html file in your Ares web directory:
Change this (default line 13):
<form action="ares.dll" method="post"
<form action="ares.dll" method="post"
And change this (default line 170):
<input class="f-submit" type="submit"
name="SubmitButton" value="Create account" />
- Save your changes
- The captcha challenge requirement is now implemented on the Create Account form. View and test the new captcha requirement on the form to ensure the integration has been properly configured.
Option 2: Disable New User Registration for Accounts Using Standard Ares Authentication
User registration can be completely disabled for accounts created through standard Ares authentication (AresAuth) from the Create Account form (GCreateAccount.html) using the AresAuthUserRegistrationEnabled customization key. This option will prevent the creation of spam accounts by completely blocking account creation for users who are not pre-authorized for an Ares account via an LDAP or Remote Authentication configuration.
After disabling user registration for new AresAuth accounts, the Create Account form will still be accessible to users on the web interface. However, when these users attempt to submit the form to register for a new account, the form will not be submitted and the SLUserRegistrationDisabled status line will display to indicate that user registration has been disabled and to contact staff for assistance.
To use the AresAuthUserRegistrationEnabled customization key to disable new user registration for accounts created via standard Ares authentication (AresAuth):
- Open the Ares Customization Manager
- Navigate to the AresAuthUserRegistrationEnabled customization key located under Web | Settings
- Set the value of this key to No
- Click Save to save your changes
- User registration is now disabled for standard Ares accounts created through the Create Account form