Apache .htaccess error: 'not allowed here' on Debian Wheezy

I am trying to configure an apache virtualhost which needs to be password protected in the root directory.

So I created a .htpasswd file (with sha passwords) and configured the .htaccess file. Howevery whatever I do, on the webpage I get an error 500 (internal server error) and in the error.log I see this:

/var/www/ninja/www/.htaccess: deny not allowed here

or if I leave the deny out of the .htaccess:

AuthUserFile not allowed here

Both .htpasswd and .htaccess file are readable for apache and are set to the www-data user and group. I also tried adding these rules to the virtualhost config file but that didn't do the trick either.

Can you please help me out?

Thanks!

config file apache:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName ninja

    DocumentRoot /var/www/ninja/www
    ServerAlias ninja

    <Directory /var/www/ninja/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride FileInfo Indexes
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

htaccess file: (placed in /var/www/ninja/www/)

Deny from all
#Allow from (You may set IP here / to access without password)
AuthUserFile /var/www/ninja/.htpasswd   
AuthName authorization
AuthType Basic
require valid-user

Here is an ls of the mods-enabled directory

alias.conf -> ../mods-available/alias.conf
alias.load -> ../mods-available/alias.load
auth_basic.load -> ../mods-available/auth_basic.load
authn_file.load -> ../mods-available/authn_file.load
authz_default.load -> ../mods-available/authz_default.load
authz_groupfile.load -> ../mods-available/authz_groupfile.load
authz_host.load -> ../mods-available/authz_host.load
authz_user.load -> ../mods-available/authz_user.load
autoindex.conf -> ../mods-available/autoindex.conf
autoindex.load -> ../mods-available/autoindex.load
cgi.load -> ../mods-available/cgi.load
deflate.conf -> ../mods-available/deflate.conf
deflate.load -> ../mods-available/deflate.load
dir.conf -> ../mods-available/dir.conf
dir.load -> ../mods-available/dir.load
env.load -> ../mods-available/env.load
mime.conf -> ../mods-available/mime.conf
mime.load -> ../mods-available/mime.load
negotiation.conf -> ../mods-available/negotiation.conf
negotiation.load -> ../mods-available/negotiation.load
php5.conf -> ../mods-available/php5.conf
php5.load -> ../mods-available/php5.load
reqtimeout.conf -> ../mods-available/reqtimeout.conf
reqtimeout.load -> ../mods-available/reqtimeout.load
setenvif.conf -> ../mods-available/setenvif.conf
setenvif.load -> ../mods-available/setenvif.load
status.conf -> ../mods-available/status.conf
status.load -> ../mods-available/status.load

The Apache Directory directive on /var/www/ninja/www/ only allows modification of the behaviour of FileInfo Indexes by way of the .htaccess file. Refer to the Apache documentation on AllowOverride.

Please modify the AllowOverride to also allow the local configuration of AuthConfig resulting in:

<Directory /var/www/ninja/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride FileInfo Indexes Authconfig
</Directory>

Your configuration should add AuthConfig Limit at

AllowOverride FileInfo Indexes

Becomes

AllowOverride FileInfo Indexes AuthConfig Limit