15

I am working on a new ASP.NET application. On IIS8, if I disable Anonymous access and enable Basic or Windows authentication, it goes into an infinite redirect loop and lands at the following URL after the browser breaks the loop:

https://XXXXXX.com/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%
2525252525252525252525252525252525253D%252525252525252525252525252525252525252F

The credentials box never pops up. What could be wrong?

arao6
  • 3,316
  • 5
  • 30
  • 51

5 Answers

20

I fixed it. The first thing that you have to do is enable Windows auth and disable anonymous on both IIS and your Visual Studio project (select the root project node in Solution Explorer and, in the Property window, disable Anonymous access and enable Windows auth). Next, add the following lines to your web.config:

<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
    <remove name="FormsAuthentication" />
  </modules>
</system.webServer>

Next open up App_Start/Startup.Auth.cs and comment out (or delete) the following:

        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        // Use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

Next, publish to your webserver and you should be able to log in without that redirect bug!

arao6
  • 3,316
  • 5
  • 30
  • 51
  • Hi, thanks for this. Is there a way I can use cookie AND Windows authentication? Basically I need to add additional claims using OWIN. But when Windows auth is enabled, it doesn't seem to allow adding claims. – Yashvit Aug 09 '14 at 06:16
  • I had the same question before. Unfortunately, it does not seem to be possible. See http://stackoverflow.com/questions/1796798/mixing-windows-and-forms-authentication-in-asp-net-mvc – arao6 Aug 09 '14 at 22:09
  • 1
    Guess I should have started with an MVC project with Windows authentication. When creating a new MVC project in VS2013, you can change the authentication method to use. If you select Windows authentication, it won't even create the Startup.Auth.cs file. – comecme Oct 30 '15 at 19:40
  • Wow, this problem sucked hours out of my life. Any idea why the modules act that way if they're not used - but not removed? – Paul Dec 31 '15 at 00:54
  • 1
    @Paul Take a look at [this question](http://stackoverflow.com/questions/875472/authenticaterequest-event) to get an idea of the order at which modules are handled in the pipeline and then take a look at the [FormsAuthentication code](http://referencesource.microsoft.com/#System.Web/Security/FormsAuthenticationModule.cs). My guess (rather pure assumption) is that by disabling cookie-based auth in your app, the forms module will always fail to authenticate the user. This is why you need to explicitly remove the modules. – arao6 Jan 07 '16 at 05:19
4

By disabling anonymous access, the page that performs the login is not allowed to be viewed without authenticating first.

So the system tries to authenticate the user by redirecting him to the login page, but because the login page is not allowed either, it falls into this loop forever.

Aristos
  • 66,005
  • 16
  • 114
  • 150
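
The loop described in this answer leaves a recognisable trace: every redirect wraps the previous login URL in one more percent-encoded ReturnUrl layer, which is the pattern in the URL from the question. As an added example (not part of the original posts), this Python script peels those layers and counts how many times the login page redirected to itself; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, quote

def unwrap_return_url(url, param="ReturnUrl", max_depth=64):
    """Return the path found at each nesting level of the ReturnUrl parameter."""
    paths, current = [], url
    for _ in range(max_depth):
        parts = urlsplit(current)
        paths.append(parts.path)
        # parse_qs percent-decodes exactly one level per call, so each
        # iteration strips one layer of encoding. Keys are compared
        # case-insensitively, as ASP.NET does for query string names.
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        values = query.get(param.lower())
        if not values:
            break
        current = values[0]
    return paths

def loop_depth(url):
    """Count how many nested layers point back at the outermost path.

    0 means a normal login redirect (ReturnUrl targets another page);
    1 or more means the login page itself was refused and redirected
    to itself, i.e. it is not reachable without authentication.
    """
    paths = [p.lower().rstrip("/") for p in unwrap_return_url(url)]
    depth = 0
    for p in paths[1:]:
        if p != paths[0]:
            break
        depth += 1
    return depth

def build_nested(login="/Account/Login", levels=3):
    """Construct a sample URL the way repeated redirects would build it."""
    url = login
    for _ in range(levels):
        url = f"{login}?ReturnUrl={quote(url, safe='')}"
    return url

if __name__ == "__main__":
    # Constructed sample requests, not taken from a real log.
    samples = [
        "https://example.test/Account/Login?ReturnUrl=%2FHome%2FIndex",
        "https://example.test" + build_nested(levels=3),
    ]
    for s in samples:
        print(loop_depth(s), s[:80])
```

Run over the request URLs in an IIS log, any line with a depth of 1 or more points at a login page that is itself behind the authorization rule.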
0

Maybe in your machine.config file or in your global web.config, forms authentication is enabled with this URL as the authentication page.

DadyFuji
  • 243
  • 1
  • 12
0

Check the "idle time out" minutes in your IIS application pool, advanced settings. If it's not greater than your system session time out, set it to a number which is more.

For example, if you have set the session time out value to 30, make the "idle time out" minutes in your IIS application pool something more than 30. The default "idle time out" minutes in your IIS application pool is normally 20.

0

I had the same problem but I fixed it simply by adding [AllowAnonymous] before my Login Controller. It might not work for everyone, but maybe it was just this.

rolhai123
  • 59
  • 2
  • 6