Owin + DefaultAuthenticationTypes.ApplicationCookie + Windows Authentication

My MVC5.1 app uses OWIN authentication based on http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown

User persistence in db and login confirmation is handled by my custom UserService class. This works great when using separate user accounts to log on to the system.

I also need to make this work with Windows Authentication (Active Directory). So if Windows auth is enabled (in IIS and in my webfile) the AD user will be checked against my DB to see if the logged in user has access to my webapp, and if so, log in (set the app cookie) ...

I enabled Windows Auth in IIS, disabled anonymous auth in IIS and removed <authentication mode="None" /> from my web.config file. This makes OWIN think the user is already authenticated, although I configure it to use ApplicationCookie during startup:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login")
    });

Ok, that's ok, I can write a wrapper around the AuthenticationManager.User.Identity.IsAuthenticated property and add a validation check for user authentication to my db. But then I can't add custom claims as OWIN doesn't seem to use the Cookie app, but uses the WindowsClaimsIdentity property directly.

My login function (the one trying to add additional claims) looks like this:

    _authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    var identity = new ClaimsIdentity(
        new[] {
            new Claim(ClaimTypes.NameIdentifier, user.UserID.ToString()),
            new Claim(ClaimTypes.Name, user.UserName),
            new Claim(ClaimTypes.UserData, user.CurrentDomainID.ToString())
        },
        DefaultAuthenticationTypes.ApplicationCookie,
        ClaimTypes.Name,
        ClaimTypes.Role);

    _authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);

Now if I add the line <authentication mode="None" /> to web.config it looks like it works, i.e. OWIN only looks for claims inside its cookie and does not authenticate the user until the user exists in the DB.

But in both cases I am stuck in a redirect loop on the login page if I don't remove the login path from the system. I tried setting Response.SuppressFormsAuthenticationRedirect = false in my login controller but no change.

Another problem I ran into is that it doesn't show me the login page until I enter a valid username / password in the basic auth popup, even though I am logged in with my AD account on Windows. Is there a way to hide this popup?
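The bridge the question describes, as an added example that is not part of the original post: an MVC 5 action that takes the AD account IIS already authenticated, checks it against the application's own user table, and only then issues the OWIN application cookie with the same claims as the form login above. IUserService and its FindByWindowsAccount method are assumed (hypothetical), standing in for the poster's custom UserService.

```csharp
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    private readonly IUserService _userService; // hypothetical app user store
    public AccountController(IUserService userService) { _userService = userService; }

    [AllowAnonymous]
    public ActionResult WindowsLogin(string returnUrl)
    {
        // With anonymous auth disabled in IIS, LogonUserIdentity is the AD account
        // (DOMAIN\user). It only identifies the caller; access is decided by the
        // application's own user table, not by the Windows token.
        WindowsIdentity winId = Request.LogonUserIdentity;
        if (winId == null || !winId.IsAuthenticated)
            return new HttpUnauthorizedResult();

        var user = _userService.FindByWindowsAccount(winId.Name); // hypothetical lookup
        if (user == null)
            return new HttpStatusCodeResult(403, "Windows account not provisioned");

        // Replace any existing application cookie with one built from the DB record,
        // so downstream code sees the same ClaimsIdentity as after a form login.
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;
        auth.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        var identity = new ClaimsIdentity(
            new[]
            {
                new Claim(ClaimTypes.NameIdentifier, user.UserID.ToString()),
                new Claim(ClaimTypes.Name, user.UserName),
                new Claim(ClaimTypes.UserData, user.CurrentDomainID.ToString())
            },
            DefaultAuthenticationTypes.ApplicationCookie,
            ClaimTypes.Name,
            ClaimTypes.Role);
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

        // Only follow local return URLs, so the login endpoint is not an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

Because Request.LogonUserIdentity comes from the IIS worker process token, it is populated whether or not web.config carries <authentication mode="None" />, so the cookie remains the single source of claims for the rest of the pipeline.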
