IE, ADFS, and Overkill
I do some testing that requires that I not use Active Directory Federation Services (ADFS), which is otherwise a convenient way to authenticate me to web sites with my Active Directory token. I used to start IE in InPrivate mode for that, but it still sometimes, though not always, redirects me where I don’t want to go. InPrivate mode also made COM automation of IE difficult.
If I were sensible, I’d go to Internet Options | Security | Local intranet | Custom level | User Authentication (at the bottom of the scroll box) | Prompt for user name and password.
I’m not sensible. I have to use COM automation on IE, which already proves that. So, not being sensible, I went looking in the registry.
Disclaimer: the registry is not a public interface. What I’m posting here is for me to find in a year’s time, when I am scouring my brain for how I did something oh-so-long-ago. This is not a recommended, or even a sane, way to disable auto-logon.
<#
.synopsis
Enable and disable ADFS (Active Directory Federation Services) automatic logon in Internet Explorer
.link
https://support.software.dell.com/desktop-authority/kb/118560
Logon setting (1A00) may have any one of the following values (hexadecimal):
Int     Value    Setting
---     -----    -------
0       0x00000  Automatically logon with current username and password
65536   0x10000  Prompt for user name and password
131072  0x20000  Automatic logon only in the Intranet zone
196608  0x30000  Anonymous logon
===
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*' |
Select-Object -Property PSChildName, DisplayName, '1A00' |
Format-Table -AutoSize
PSChildName DisplayName      1A00
----------- -----------      ----
0           Computer         0
1           Local intranet   131072
2           Trusted sites    131072
3           Internet         131072
4           Restricted sites 65536
===
Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*' |
Select-Object -Property PSChildName, DisplayName, '1A00' |
Format-Table -AutoSize
PSChildName DisplayName      1A00
----------- -----------      ----
0           Computer
1           Local intranet   65536
2           Trusted sites    131072
3           Internet         131072
4           Restricted sites 65536
#>
#region functions
<#
.synopsis
Get the ADFS (Active Directory Federation Services) automatic logon setting (1A00) of each Internet Explorer security zone, for the HKCU and/or HKLM hive
.link
https://support.software.dell.com/desktop-authority/kb/118560
#>
function Get-InternetExplorerLogonSettings
{
param (
[ValidateSet(
'HKCU',
'HKLM'
)]
[string[]]$Scope = @(
'HKCU',
'HKLM'
),
[ValidateSet(
'Computer',
'Local_intranet',
'Trusted_sites',
'Internet',
'Restricted_sites'
)]
[string[]]$Zone = @(
'Computer',
'Local_intranet',
'Trusted_sites',
'Internet',
'Restricted_sites'
),
[switch]$ShowPSPath
)
$myZone = $Zone -replace '_', ' '
foreach ($regKeyScope in $Scope)
{
Get-ItemProperty "${regKeyScope}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*" |
ForEach-Object {
$outputObject = New-Object -TypeName psobject |
Select-Object -Property Scope, Zone, Setting
$outputObject.Scope = $regKeyScope.ToUpper()
$outputObject.Zone = $_.DisplayName
$outputObject.Setting = $Global:__IeLogonSettingsMap.([int]($_.'1A00'))
if ($ShowPSPath)
{
Add-Member -InputObject $outputObject -MemberType NoteProperty -Name PSPath -Value $_.PSPath
}
$outputObject
} |
Where-Object {
$myZone -contains $_.Zone
}
}
}
<#
.synopsis
Set the ADFS (Active Directory Federation Services) automatic logon setting (1A00) of one Internet Explorer security zone, then read it back and warn if the change did not take
#>
function Set-InternetExplorerLogonSettings
{
param (
[ValidateSet(
'HKCU',
'HKLM'
)]
[string]$Scope = 'HKCU',
[Parameter(Mandatory=$true)]
[ValidateSet(
'Computer',
'Local_intranet',
'Trusted_sites',
'Internet',
'Restricted_sites'
)]
[string]$Zone,
[Parameter(Mandatory=$true)]
[ValidateSet(
'Anonymous_logon', # 196608
'Automatic_logon_only_in_Intranet_zone', # 131072
'Automatic_logon_with_current_user_name_and_password', # 0
'Prompt_for_user_name_and_password' # 65536
)]
[string]$Setting
)
$mySetting = $Setting -replace '_', ' '
$currentData = Get-InternetExplorerLogonSettings -Scope $Scope -Zone $Zone -ShowPSPath
if ($currentData.Setting -eq $mySetting)
{
return (
$currentData |
Select-Object -Property Scope, Zone, Setting
)
}
$mySettingAsInt = $__IeLogonSettingsMap.$mySetting
Set-ItemProperty -Path $currentData.PSPath -Name '1A00' -Value $mySettingAsInt
($currentData = Get-InternetExplorerLogonSettings -Scope $Scope -Zone $Zone)
if ($currentData.Setting -ne $mySetting)
{
Write-Warning "Unable to set ADFS setting in '$zone' zone for $scope scope to '$mySetting'. It remains at '$($currentData.Setting)'."
}
}
<#
.synopsis
Enable ADFS (Active Directory Federation Services) automatic logon in Internet Explorer
#>
function Enable-InternetExplorerAdfs
{
Set-InternetExplorerLogonSettings -Scope HKCU -Zone Local_intranet -Setting Automatic_logon_only_in_Intranet_zone
}
<#
.synopsis
Disable ADFS (Active Directory Federation Services) automatic logon in Internet Explorer
#>
function Disable-InternetExplorerAdfs
{
# Calls the Set- function defined above (the original called a Set-InternetExplorerAdfsSetting that does not exist)
Set-InternetExplorerLogonSettings -Scope HKCU -Zone Local_intranet -Setting Prompt_for_user_name_and_password
}
#endregion
#region initialization
# create mapping hashtable
if (!(Test-Path -Path Variable:__IeLogonSettingsMap))
{
Set-Variable -Scope Global -Option ReadOnly -Name __IeLogonSettingsMap -Value @{
'Anonymous logon' = 196608
'Automatic logon only in Intranet zone' = 131072
'Automatic logon with current user name and password' = 0
'Prompt for user name and password' = 65536
196608 = 'Anonymous logon'
131072 = 'Automatic logon only in Intranet zone'
0 = 'Automatic logon with current user name and password'
65536 = 'Prompt for user name and password'
}
}
# warn if user and computer settings are different
$currentSetting = Get-InternetExplorerLogonSettings
$hkcuData = $currentSetting |
Where-Object {
$_.Scope -eq 'HKCU'
}
$hkcuData |
ForEach-Object {
$zone = $_.Zone
$hklmData = $currentSetting |
Where-Object {
$_.Scope -eq 'HKLM' -and
$_.Zone -eq $zone
}
if ( $hklmData.Setting -ne $_.Setting )
{
Write-Warning -Message "ADFS setting in '$zone' zone for HKCU scope is '$($_.Setting)', but for HKLM scope is '$($hklmData.Setting)'."
}
}
Export-ModuleMember -Function * -Variable __IeLogonSettingsMap
#endregion
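As an added example that is not part of the post or its module: a read-only audit that walks the 1A00 value of every zone in both hives, decodes it with the table above, and flags the combination a defender most wants to know about, namely a zone beyond Local intranet set to hand the logged-on user's Windows credentials to any site it contains. It also reads the Security_HKLM_only policy value (the "Security Zones: Use only machine settings" Group Policy), which the post does not mention, to say which hive IE actually honours when the two disagree, as the module's import-time warning detects. The function and variable names are my own.

```powershell
# Added audit example; not part of the post's module. Names here are mine.
# Decode table for the 1A00 value, as listed in the post.
$LogonValueNames = @{
    0      = 'Automatic logon with current user name and password'
    65536  = 'Prompt for user name and password'
    131072 = 'Automatic logon only in Intranet zone'
    196608 = 'Anonymous logon'
}

function Get-IeEffectiveZoneHive
{
    # Group Policy "Security Zones: Use only machine settings" sets this DWORD to 1;
    # IE then reads zone settings from HKLM only, otherwise from HKCU.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $policy = Get-ItemProperty -Path $policyKey -Name Security_HKLM_only -ErrorAction SilentlyContinue
    if ($policy -and [int]$policy.Security_HKLM_only -eq 1) { 'HKLM' } else { 'HKCU' }
}

function Get-IeZoneLogonAudit
{
    param (
        [ValidateSet('HKCU', 'HKLM')]
        [string[]]$Hive = @('HKCU', 'HKLM')
    )
    $effectiveHive = Get-IeEffectiveZoneHive
    foreach ($h in $Hive)
    {
        $zonesKey = "${h}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
        Get-ChildItem -Path $zonesKey -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d+$' } |
            ForEach-Object {
                $zoneId = [int]$_.PSChildName
                $props  = Get-ItemProperty -Path $_.PSPath
                $raw    = $props.'1A00'
                # A zone without a 1A00 value (HKCU zone 0 in the post's output) is reported
                # as unset rather than silently decoded as 0.
                $value  = if ($null -eq $raw) { $null } else { [int]$raw }
                $name   = if ($null -eq $value) { '(not set)' }
                          elseif ($LogonValueNames.ContainsKey($value)) { $LogonValueNames[$value] }
                          else { 'Unknown (0x{0:X})' -f $value }
                # Value 0 in Trusted sites, Internet or Restricted sites means the browser
                # answers an authentication challenge from any site in that zone with the
                # logged-on user's Windows credentials.
                $risky  = ($value -eq 0) -and ($zoneId -ge 2)
                [pscustomobject]@{
                    Hive      = $h
                    Effective = ($h -eq $effectiveHive)
                    ZoneId    = $zoneId
                    Zone      = $props.DisplayName
                    Value     = $value
                    Setting   = $name
                    Risky     = $risky
                }
            }
    }
}

# Usage: list everything, then warn about risky zones in the hive IE actually uses.
$audit = Get-IeZoneLogonAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.Risky -and $_.Effective } | ForEach-Object {
    Write-Warning "Zone '$($_.Zone)' ($($_.Hive)) sends current credentials automatically: 1A00 = $($_.Value)"
}
```

The audit changes nothing; run it before and after using the module's Set- function to confirm that the zone you edited is the one IE is reading, since editing HKCU achieves nothing on a machine where the policy pins IE to HKLM.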