For basic authentication, the server writes a "401 Unauthorized" header and then looks for an error document based on a pre-defined path. Most of the time, the error document won't exist in the directory that you want to protect, so the request gets handled by the rewrite engine which throws a 404 error.
The solution to this problem is pretty straightforward. You need to add a single line of code to your .htaccess file instructing Apache to ignore the error document. When you're done, the code should look something like this:
ErrorDocument 401 "Unauthorized Access" RewriteEngine off AuthType Basic AuthName "Administration" AuthUserFile "/home/user/admin/.htpasswd" require valid-user
Espero que funcione para você!