Infinite redirect loop for Basic or Windows authentication?

5

15

I am working on a new ASP.NET application. On IIS8, if I disable Anonymous access and enable Basic or Windows authentication, it goes into an infinite redirect loop and lands at the following URL after the browser breaks the loop:

https://XXXXXX.com/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%
2525252525252525252525252525252525253D%252525252525252525252525252525252525252F

The credentials box never pops up. What could be wrong?

Hamel answered 14/4, 2014 at 16:36 Comment(0)
20

I fixed it. The first thing you have to do is enable Windows auth and disable anonymous on both IIS and your Visual Studio project (select the root project node in Solution Explorer and use the Properties window to disable Anonymous access and enable Windows auth). Next, add the following lines to your web.config:

<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
    <remove name="FormsAuthentication" />
  </modules>
</system.webServer>

Next open up App_Start/Startup.Auth.cs and comment out (or delete) the following:

        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        // Use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

Next, publish to your web server and you should be able to log in without that redirect bug!

Hamel answered 14/4, 2014 at 19:21 Comment(5)
Hi, thanks for this. Is there a way I can use cookie AND Windows authentication? Basically I need to add additional claims using OWIN. But when Windows auth is enabled, it doesn't seem to allow adding claims. - Amaleta
I had the same question before. Unfortunately, it does not seem to be possible. See #1797298 - Hamel
Guess I should have started with an MVC project with Windows authentication. When creating a new MVC project in VS2013, you can change the authentication method to use. If you select Windows authentication, it won't even create the Startup.Auth.cs file. - Kella
Wow, this problem sucked hours out of my life. Any idea why the modules act that way if they're not used - but not removed? - Rubefaction
@Rubefaction Take a look at this question to get an idea of the order in which modules are handled in the pipeline and then take a look at the FormsAuthentication code. My guess (rather pure assumption) is that by disabling cookie-based auth in your app, the forms module will always fail to authenticate the user. This is why you need to explicitly remove the modules. - Hamel
4

By disabling anonymous access, the page that performs the login is not allowed to be viewed without authenticating first.

So the system tries to authenticate the user by redirecting him to the login page, but because the login page is not allowed either, it falls into this loop forever.

Funiculate answered 14/4, 2014 at 17:0 Comment(2)
Thanks. How would I change it so that a 401 challenge pops up? - Hamel
@Hamel In the web.config, there is the default page that it redirects to; first of all, remove that setting. - Funiculate
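
The loop described in the answer above leaves a recognisable trace: each redirect percent-encodes the previous URL into ReturnUrl, so %2F becomes %252F, then %25252F, as in the question's URL. The following is an added example, not part of the original answers, that unwinds those layers to flag looping requests in a list of logged URLs; the function names and sample URLs are constructed for illustration, and the login path is the one from the question.

```python
from urllib.parse import urlsplit, parse_qsl, quote

LOGIN_PATH = "/Account/Login"   # login path taken from the question's URL
MAX_LAYERS = 100                # bound the unwinding on corrupt or hostile input


def login_redirect(requested_url):
    """Model one redirect: the denied URL is percent-encoded into ReturnUrl."""
    return f"{LOGIN_PATH}?ReturnUrl={quote(requested_url, safe='')}"


def unwind(url):
    """Follow nested ReturnUrl values; return the path seen at each layer."""
    paths = []
    for _ in range(MAX_LAYERS):
        parts = urlsplit(url)
        paths.append(parts.path)
        # parse_qsl removes exactly one layer of percent-encoding per pass
        nested = [v for k, v in parse_qsl(parts.query) if k.lower() == "returnurl"]
        if not nested:
            break
        url = nested[0]
    return paths


def loop_depth(url):
    """Count layers where the login page was itself the denied resource."""
    return sum(1 for p in unwind(url)[1:] if p.lower() == LOGIN_PATH.lower())


def find_loops(urls):
    """Return (url, depth) for every URL whose ReturnUrl points back at login."""
    return [(u, d) for u in urls if (d := loop_depth(u)) > 0]


# Constructed sample input: one healthy redirect and one looping redirect.
healthy = login_redirect("/Reports/Index")
looping = "/"
for _ in range(4):
    looping = login_redirect(looping)

if __name__ == "__main__":
    for url, depth in find_loops([healthy, looping, "/Home/About"]):
        print(depth, url[:70])
```

A depth of zero is the normal case (the login page was served); any depth above zero means the login page itself was denied and redirected to itself.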
0

Maybe in your machine.config file or in your global web.config, forms authentication is enabled with this URL as the authentication page.

Rashida answered 14/4, 2014 at 17:0 Comment(1)
Thanks. Forms auth was removed by default in web.config <remove name="FormsAuthenticationModule" /> - Hamel
0

Check the "idle time out" minutes in your IIS application pool's advanced settings. If it's not greater than your system session timeout, set it to a number which is more.

For example, if you have set the session timeout value to 30, set the "idle time out" minutes in your IIS application pool to something more than 30. The default "idle time out" minutes in your IIS application pool is normally 20.

Terefah answered 17/12, 2015 at 13:36 Comment(0)
0

I had the same problem but I fixed it simply by adding [AllowAnonymous] before my Login Controller. It might not work for everyone, but maybe it was just this.

Commissary answered 4/1, 2018 at 0:8 Comment(0)
