First, the Invisible Textbox is a "less effective" way of doing Captcha and is a setting in the Telerik Captcha. You can read more about it below or on the demo page. Also, it appears the Invisible Textbox isn't working correctly but is being fixed in the next release and available now as a hotfix.
Finally, I'm not totally clear on this but I believe just using Captcha SessionMode (once it's fixed) will not work for me since my load balancer is using non-persistence (aka, each request could go to a different server). Unless maybe storing Session in SQL is the answer??? I'm following up w/ Telerik on this one.
Here is the response to my questions from Telerik (I hope they don't mind that I'm posting this...)
In reference to your questions:
- The new property of the RadCaptcha, ImageStorageLocation, when set to Session stores the Image in the Session. If the Session in the web farm environment is persisted and shared among all of the servers the RadCaptcha will work without a problem and the image will be rendered correctly.
- The InvisibleTextBox mode will not have any problems if the website is hosted in a web farm environment. All it does is, load a TextBox with "display:none" and if the TextBox is filled the RadCaptcha recognizes the user as a bot.
- The Captcha ProtectionMode is more secure compared to the InvisibleTextBox mode, because there is possibility that the bot is configured to avoid the fields which have display:none. On the other hand there is no computer which can recognize the characters rendered on the image.
"Regarding my problem getting Invisible Textbox to work. The actual invisible textbox is not rendering"... This is a known problem when InvisibleTextBox mode is chosen for spam protection. It is already fixed and will be available for the next official release of the RadControls for ASP.NET AJAX. Until then you can download the latest internal build where the issue does not exist.
Hope that helps,