I'm using MVC5 in some IIS servers on Amazon EC2, behind a Amazon Elastic Load Balancer. IIS servers runs only HTTP protocol, and ELB converts to HTTPS.

IIS server doesn't know if user is accessing thru HTTPS, so I have a rewrite rule checking "X-Forwarded-Proto" header to redirect user to HTTPS.

Unfortunately, when a login is required, MVC/IIS redirects user to a logon page in HTTP.

If I check my website in a tool like http://www.redirect-checker.org/ I get these type of results:

http://example.com/

301 Moved Permanently (my URL rewrite rule)

https://example.com/

302 Found (Login-required redirect -> why to HTTP?)

http://example.com/Account/Logon?ReturnUrl=%2F

301 Moved Permanently (again my URL rewrite rule)

https://example.com/Account/Logon?ReturnUrl=%2F

200 OK

Am I missing something?

Can I configure login-redirect to keep protocol, eliminating one of these redirects?

Better yet, can I somehow precede login-redirect rule and make it force HTTPS, in order to have only one redirect?

Thanks a lot!

Appendix: I checked that commands like "RedirectToAction" send address like "/Index2", not the whole "http://example.com/Index2". This is fine, so it keeps the user protocol.

Assuming you're using ASP.NET forms authentication, have a look in your web.config for your Authentication configuration and add requireSsl="true" to the <forms> element, as below:

<authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" requireSSL="true" />
</authentication>