Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
While working at a customer site the other day I was reminded of an article by Eric Lawrence on why you sometimes start seeing endless pop-up windows asking for credentials when using Fiddler to decrypt HTTPS traffic during troubleshooting.
In short; If the web server has Extended Protection for Authentication enabled then it detects that the Channel Binding Token Fiddler is presenting to it doesn't match the one created by the original user during the session so it invalidates the credentials and requests authentication again (which loops endlessly).
The solution; Fiddle around with Fiddler internally and add the site you're having problems with specifically as a site that Fiddler is allowed to authenticate to on your behalf and add credentials to authenticate with against that site to the Fiddler config file (See Eric's MSDN article for details).
Fiddler and Channel Binding Tokens Revisitedhttp://blogs.msdn.com/b/fiddler/archive/2011/09/04/fiddler-http-401-authentication-workaround-to-support-channel-binding-tokens-removing-endless-prompts.aspx
Extended Protection for Authentication - Microsoft Security Advisory (973811)http://technet.microsoft.com/en-us/security/advisory/973811