Support

Since you've set "Redirect non-www to www" it stands to reason that you MUST visit your site's back-end using the www address. In fact your server should automatically forward you to the www domain name with this option enabled. If this doesn't happen you have misconfigured Joomla!: edit your configuration.php and change $live_site to point to the www address e.g.

public $live_site = 'http://www.example.com';

No. You must contact your host immediately! Based on your description of what is going on what happens is NOT standard Apache behavior and a security hole. Please note that the following analysis is based on the assumption that you are right that the .htaccess in the administrator directory "shadows" the .htaccess in the site's root. It's best to ask your host for verification.

The .htaccess files are meant to cascade. This means that if you have a .htaccess file in both the site's root AND the administrator directory Apache is supposed to 1. read and parse the .htaccess file from the site's root 2. read and parse the .htaccess file from the administrator directory 3. merge the parsed results 4. apply the merged rules. What happened on your site is that the .htaccess in the administrator directory shadowed the one in the site's root. This is non-standard and a massive security hole.

Why a security hole? The .htaccess file generated by .htaccess Maker is written to the site's root so it can apply to all subdirectories. On your server, which does NOT work properly, an attacker could exploit a direct file write vulnerability to write a .htaccess file inside a directory that is normally not accessed over the web, e.g. administrator/components/com_messages/tables. Then they could upload a hacking script, such as C99, into that directory. Since the .htaccess file in that directory has overridden the master .htaccess file in the site's root the attacker can access the hacking script despite the Front-end Protection you enabled in .htaccess Maker, therefore bypassing this very important protection for your site. So you end up being unprotected, as if you never had used the .htaccess Maker. That's really bad and I can't understand why any host would choose to break their hosting platform like that!

Is there anything I can do to get the URL rewritten before the authentication window appears? I'm quite sure I'm using Apache 2.2 so as far as I know the .htaccess rules of the subfolder will ALWAYS be processed first and after that the root htaccess rules will be processed...

That's not accurate. Both are read and parsed BUT the most specific .htaccess (in the administrator directory) gets precedence. This means that if both files contain the same directive with different values the value in the most specific file (administrator/.htaccess) "wins". There is no such thing as "executes first" and "executes last".

For this reason, as long as you have HTTP Basic Authentication set up in the administrator directory this is the first thing Apache will check. It's actually very simple why: you are telling Apache to not serve the request unless it's given the correct HTTP BA header. Browsers cache HTTP BA credentials per protocol, domain, port and directory. First and second URLs differ by domain so it makes sense that you are asked twice. Second and third URLs differ by protocol so it makes sense that you are asked a third time. That's how it's supposed to work.

Simple solution: access https://www.ruhepotential.de/administrator instead of ruhepotential.de/administrator.