

IE, ADFS, and Overkill

I do some testing that requires that I not use Active Directory Federation Services (ADFS), which is an otherwise-convenient way to authenticate me against web sites via my Active Directory token.  I used to start IE in Private Mode to do that, but it still sometimes-but-not-always redirects me to where I don’t want to go.  Using IE in Private Mode also made for difficult COM automation.

If I was sensible, I’d go to Internet Options | Security | Local intranet | Custom level | User Authentication (at the bottom of the scroll box) | Prompt for user name and password.

I’m not sensible.  I have to use COM automation on IE, which already proves that.  So, being that I’m not sensible, I went looking in the registry.

Disclaimer: the registry is not a public interface.  What I’m posting here is for me to find in a year’s time, when I am scouring my brain for how I did something oh-so-long-ago.  This is not a recommended or even a sane way to disable auto-logon.

 <#
.synopsis
Enable and disable ADFS (Active Directory Federation Services) in Internet Explorer
.link
        https://support.software.dell.com/desktop-authority/kb/118560
        Logon setting (1A00) may have any one of the following values (hexadecimal): 
        Int Value      Setting
        --- -----      -------
        0 0x00000 Automatically logon with current username and password
        65536 0x10000 Prompt for user name and password
        131072 0x20000 Automatic logon only in the Intranet zone
        196608 0x30000 Anonymous logon
        ===
        Get-ItemProperty  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*' | 
        Select-Object -Property PSchildName, DisplayName, 1A00 | 
        Format-Table -AutoSize
        PSChildName DisplayName        1A00
        ----------- -----------        ----
        0           Computer              0
        1           Local intranet   131072
        2           Trusted sites    131072
        3           Internet         131072
        4           Restricted sites  65536
        ===
        Get-ItemProperty  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*' | 
        Select-Object -Property PSchildName, DisplayName, 1A00 | 
        Format-Table -AutoSize
        PSChildName DisplayName      1A00  
        ----------- -----------      ----  
        0           Computer               
        1           Local intranet   65536 
        2           Trusted sites    131072
        3           Internet         131072
        4           Restricted sites 65536 
    
#>
#region functions
<#
.SYNOPSIS
Get the Internet Explorer logon setting (registry value 1A00) for each security zone.
.DESCRIPTION
Reads ...\Internet Settings\Zones\* under each requested hive and maps the numeric
1A00 value to its description through $Global:__IeLogonSettingsMap (built when the
module is imported).
NOTE(review): a zone key without a 1A00 value is coerced to 0 by the [int] cast and is
therefore reported as 'Automatic logon with current user name and password'; whether
that matches what IE actually does for an unset value is not established here -- confirm
before relying on it.
.PARAMETER Scope
Registry hive(s) to read: HKCU, HKLM or both (default: both).
.PARAMETER Zone
Zone display name(s) with spaces written as underscores (default: all five zones).
.PARAMETER ShowPSPath
Also emit the PSPath of the zone key; Set-InternetExplorerLogonSettings uses it to write back.
.OUTPUTS
One object per matching zone with Scope, Zone, Setting and, optionally, PSPath.
.LINK
https://support.software.dell.com/desktop-authority/kb/118560
#>
function Get-InternetExplorerLogonSettings
{
    param (
        [ValidateSet(
            'HKCU',
            'HKLM'
        )]
        [string[]]$Scope = @(
            'HKCU',
            'HKLM'
        ),
        [ValidateSet(
            'Computer',
            'Local_intranet',
            'Trusted_sites',
            'Internet',
            'Restricted_sites'
        )]
        [string[]]$Zone = @(
            'Computer',
            'Local_intranet',
            'Trusted_sites',
            'Internet',
            'Restricted_sites'
        ),
        [switch]$ShowPSPath
    )
    # Registry DisplayName values use spaces; the parameter uses underscores so ValidateSet works.
    $wantedZones = $Zone -replace '_', ' '
    $zoneSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*'
    foreach ($hive in $Scope)
    {
        $zoneKeys = Get-ItemProperty -Path "${hive}:\$zoneSubKey"
        foreach ($zoneKey in $zoneKeys)
        {
            # Filter on the display name before building an output object for the zone.
            if ($wantedZones -notcontains $zoneKey.DisplayName) { continue }
            $result = New-Object -TypeName psobject |
                Select-Object -Property Scope, Zone, Setting
            $result.Scope   = $hive.ToUpper()
            $result.Zone    = $zoneKey.DisplayName
            # Map the DWORD (or 0 when absent) to the descriptive text.
            $result.Setting = $Global:__IeLogonSettingsMap[[int]$zoneKey.'1A00']
            if ($ShowPSPath)
            {
                $result | Add-Member -MemberType NoteProperty -Name PSPath -Value $zoneKey.PSPath
            }
            $result
        }
    }
}
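<#
.SYNOPSIS
Set the Internet Explorer logon setting (registry value 1A00) for one zone in one registry scope.
.DESCRIPTION
Reads the zone's current setting with Get-InternetExplorerLogonSettings and returns early
when it already matches. Otherwise writes the numeric value taken from
$Global:__IeLogonSettingsMap, then re-reads the zone and warns if the write did not take
effect. Writing under HKLM normally requires an elevated session.
The 'Automatic logon with current user name and password' setting makes IE send the
logged-on user's Windows credentials to every site in that zone, so it is only
appropriate for zones that contain trusted internal hosts (the Local intranet zone);
this function does not stop you from applying it to the Internet or Restricted sites zone.
.PARAMETER Scope
Registry hive to write: HKCU (default) or HKLM.
.PARAMETER Zone
Zone display name with spaces written as underscores.
.PARAMETER Setting
Logon setting name with spaces written as underscores; see __IeLogonSettingsMap for the values.
.OUTPUTS
An object with Scope, Zone and Setting describing the zone after the call.
#>
function Set-InternetExplorerLogonSettings
{
    param (
        [ValidateSet(
            'HKCU',
            'HKLM'
        )]
        [string]$Scope = 'HKCU',
        [Parameter(Mandatory=$true)]
        [ValidateSet(
            'Computer',
            'Local_intranet',
            'Trusted_sites',
            'Internet',
            'Restricted_sites'
        )]
        [string]$Zone,
        [Parameter(Mandatory=$true)]
        [ValidateSet(
            'Anonymous_logon',                                      # 196608
            'Automatic_logon_only_in_Intranet_zone',                # 131072
            'Automatic_logon_with_current_user_name_and_password',  # 0
            'Prompt_for_user_name_and_password'                     # 65536
        )]
        [string]$Setting
    )
    $mySetting = $Setting -replace '_', ' '
    $currentData = Get-InternetExplorerLogonSettings -Scope $Scope -Zone $Zone -ShowPSPath
    # Without a zone key there is no PSPath to write to; fail clearly instead of letting
    # Set-ItemProperty complain about a null -Path.
    if (-not $currentData)
    {
        throw "No Internet Explorer zone '$Zone' found in $Scope scope."
    }
    if ($currentData.Setting -eq $mySetting)
    {
        return (
            $currentData |
            Select-Object -Property Scope, Zone, Setting
        )
    }
    # Same map Get-InternetExplorerLogonSettings reads; name the scope explicitly rather than
    # relying on dynamic scoping to find the global variable.
    $mySettingAsInt = $Global:__IeLogonSettingsMap[$mySetting]
    Set-ItemProperty -Path $currentData.PSPath -Name '1A00' -Value $mySettingAsInt
    # The parentheses emit the re-read state to the pipeline so the caller sees the result of the write.
    ($currentData = Get-InternetExplorerLogonSettings -Scope $Scope -Zone $Zone)
    if ($currentData.Setting -ne $mySetting)
    {
        Write-Warning "Unable to set ADFS setting in '$zone' zone for $scope scope to '$mySetting'.  It remains at '$($currentData.Setting)'."
    }
}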
<#
.SYNOPSIS
Enable ADFS (Active Directory Federation Services) in Internet Explorer.
.DESCRIPTION
Sets the HKCU Local intranet zone back to 'Automatic logon only in Intranet zone' so
that intranet sites receive the current Windows credentials again. Returns the zone's
setting after the call, as emitted by Set-InternetExplorerLogonSettings.
#>
function Enable-InternetExplorerAdfs
{
    Set-InternetExplorerLogonSettings -Setting 'Automatic_logon_only_in_Intranet_zone' -Zone 'Local_intranet' -Scope 'HKCU'
}
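<#
.SYNOPSIS
Disable ADFS (Active Directory Federation Services) in Internet Explorer.
.DESCRIPTION
Sets the HKCU Local intranet zone to 'Prompt for user name and password' so Internet
Explorer stops sending the current Windows credentials automatically. Returns the zone's
setting after the call, as emitted by Set-InternetExplorerLogonSettings.
#>
function Disable-InternetExplorerAdfs
{
    # Previously called the non-existent Set-InternetExplorerAdfsSetting; the setter defined
    # in this module is Set-InternetExplorerLogonSettings.
    Set-InternetExplorerLogonSettings -Scope HKCU -Zone Local_intranet -Setting Prompt_for_user_name_and_password
}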
#endregion
#region initialization
# Build the bidirectional lookup (text -> DWORD and DWORD -> text) once per session.
# Values are the documented 1A00 settings; see the module header.
if (-not (Test-Path -Path 'Variable:__IeLogonSettingsMap'))
{
    $logonMap = @{
        'Anonymous logon'                                      = 196608
        'Automatic logon only in Intranet zone'                = 131072
        'Automatic logon with current user name and password'  = 0
        'Prompt for user name and password'                    = 65536
        196608 = 'Anonymous logon'
        131072 = 'Automatic logon only in Intranet zone'
        0 = 'Automatic logon with current user name and password'
        65536 = 'Prompt for user name and password'
    }
    Set-Variable -Name __IeLogonSettingsMap -Value $logonMap -Scope Global -Option ReadOnly
}
# Warn, zone by zone, when the user (HKCU) setting differs from the machine (HKLM) setting.
$allSettings = Get-InternetExplorerLogonSettings
$userSettings = $allSettings | Where-Object { $_.Scope -eq 'HKCU' }
foreach ($userEntry in $userSettings)
{
    $zoneName = $userEntry.Zone
    $machineEntry = $allSettings | Where-Object {
        $_.Scope -eq 'HKLM' -and $_.Zone -eq $zoneName
    }
    if ($machineEntry.Setting -ne $userEntry.Setting)
    {
        Write-Warning -Message "ADFS setting in '$zoneName' zone for HKCU scope is '$($userEntry.Setting)', but for HKLM scope is '$($machineEntry.Setting)'."
    }
}
# NOTE(review): __IeLogonSettingsMap is created in the Global scope above, not in module scope,
# so the -Variable export may not be what makes it visible to callers -- confirm.
Export-ModuleMember -Function * -Variable __IeLogonSettingsMap
#endregion