I created a new ASP.NET MVC 5 application with default access control provided by Visual Studio 2013 and Owin Middleware.

I enabled basic authentication on IIS (disabling all the others authentications) to protect the site from people that don't have the user/password that I created on Windows. It result in a "redirect loop” in the browser.

Any ideas why? How can I protect a web site without change the code?

By default in file Startup.Auth.cs, there will be something like this:

 app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Main/Account/Login"),
                CookieName = "OwinAuthCookie",
            });

When you enable Basic Authentication in IIS, here is what happens:

1. IIS Basic Authentication module sees that there is no Authentication header, so it returns a HTTP 401 Response.
2. The response is not returned immediatly, but is processed by Owin.
3. Owin sees the request got 401 (Unauthorized) Response, so it redirects to the configured LoginPath.
4. Your browser processes the redirect, tries to open the new URL and we are back to point 1. And theres's the loop.

What you can do is comment out the LoginPath property in the above code. This should stop the redirect loop, but also can (but don't have to, depending on your implementation) break authentication for application users.

What I eventually ended up with was implementing a small Owin middleware and doing Basic Authentication myself.

These links could be helpful:

• Writing an OWIN Authentication Middleware
• Basic Authentication with ASP.NET Web API Using OWIN Middleware
• Thinktecture.IdentityModel on GitHub