OWIN Authentication with Basic IIS Authentication

I created a new ASP.NET MVC 5 application with default access control provided by Visual Studio 2013 and Owin Middleware.

I enabled basic authentication in IIS (disabling all other authentications) to protect the site from people who do not have the user / password that I created on Windows. This results in a “redirect” in the browser.

Any ideas why? How can I protect a website without changing the code?

+6
1 answer

By default, the file Startup.Auth.cs will have something like this:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Main/Account/Login"),
        CookieName = "OwinAuthCookie",
    });

When you enable basic authentication in IIS, this is what happens:

  • The IIS Basic Authentication module sees that there is no authentication header, so it returns an HTTP 401 Response.
  • The response is not returned immediately, but processed by Owin.
  • Owin sees that the request received a 401 (Unauthorized) Response, so it redirects to the configured LoginPath.
  • Your browser handles the redirect, tries to open a new URL, and we return to step 1. And there's a loop.

What you can do is comment out the LoginPath property in the code above. This should stop the redirect cycle, but it can also (but not necessarily, depending on your implementation) break authentication for application users.

In the end, I finished implementing the small Owin middleware and did the basic authentication myself.

These links may be helpful:

+6

Source: https://habr.com/ru/post/972728/

