Infinite redirect loop for Basic or Windows authentication?

Question

I am working on a new ASP.NET application. On IIS8, if I disable Anonymous access and enable Basic or Windows authentication, it goes into an infinite redirect loop and lands at the following URL after the browser breaks the loop:

https://XXXXXX.com/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252F

The credentials box never pops up. What could be wrong?

Answer 1

I fixed it. First thing that you have to do is enable Windows auth and disable anonymous on both IIS and your Visual Studio project (select the root project node in Solution Explorer and in the Property window to disable Anonymous access and enable Windows auth). Next, add the following line to your web.config:

<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
    <remove name="FormsAuthentication" />
  </modules>
</system.webServer>

Next open up App_Start/Startup.Auth.cs and comment out (or delete) the following:

        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        // Use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

Next, publish to your webserver and you should be able to login without that redirect bug!

Answer 2

By disable the anonymous access the page that makes the login is not allowed to be view with out authenticate first.

So the system is try to authenticate the user by redirect him on the login page, but because can not allowed either the login page, is felt on this loop for ever.

Answer 3

May be in your machine.config file or in your global web.config, forms authentication is enabled with this url as authentication page.

Answer 4

Check "idle time out" minuets in your IIS application pool , advanced settings. if its not greater than your system session time out , set it to a number which is more.

for example if you have set session time out value to 30 , make "idle time out" minuets in your IIS application pool to something more than 30+. default "idle time out" minuets in your IIS application pool is normally 20.

Answer 5

I had the same problem but I fixed it simply by adding [AllowAnonymous] before my Login Controller. It might not work for everyone, but maybe it was just this.