Authorization Rules Does Not Take Effect With IIS Webgate when IIS is configured as reverse proxy (Doc ID 2113638.1)

Last updated on OCTOBER 26, 2023

Applies to:

Symptoms

Customer  have an application that is protected by an IIS 7.5 webgate (2008 64-bit) and  able to access the resource even though  user is included in a  deny authorization policy. As per webgate and OAM log user is shown as Denied

Webgate logs shows user is denied

2016/02/08@08:07:51.240000      5040    4840    WEB     DEBUG3  0x00000201      ..\src\iis_filt_info.cpp:690    "SetHeader"     Header^OBUSERDENIEDURL: Value^/webgate /webgate.dll?status%3D500%20errmsg%3DErrAuthzDeny%20p2%3D%2F  bResult^1

However the IIS is still serving the page.

Issue was duplicated IIS 8.5 on Windows 2012 Server too.

Changes

 IIS is configured as reverse proxy

<DIR>\inetpub\wwwroot\web.xml

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://<HOST>:<PORT>/{R:1}" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
    <system.web>
        <identity impersonate="false" />
    </system.web>
    <location path="" overrideMode="Allow">
        <system.webServer>
            <handlers accessPolicy="Read, Execute, Script">
                <add name="OracleWebGateExtension" path="*" verb="*" modules="IsapiModule" scriptProcessor="<WG_INSTALL_DIR>\webgate\iis\lib\webgate.dll" resourceType="Unspecified" requireAccess="None" />
            </handlers>
        </system.webServer>
    </location>
</configuration>

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.