My Oracle Support Banner

Authorization Rules Does Not Take Effect With IIS Webgate when IIS is configured as reverse proxy (Doc ID 2113638.1)

Last updated on OCTOBER 26, 2023

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


Customer  have an application that is protected by an IIS 7.5 webgate (2008 64-bit) and  able to access the resource even though  user is included in a  deny authorization policy. As per webgate and OAM log user is shown as Denied

Webgate logs shows user is denied

2016/02/08@08:07:51.240000      5040    4840    WEB     DEBUG3  0x00000201      ..\src\iis_filt_info.cpp:690    "SetHeader"     Header^OBUSERDENIEDURL: Value^/webgate /webgate.dll?status%3D500%20errmsg%3DErrAuthzDeny%20p2%3D%2F  bResult^1

However the IIS is still serving the page.

Issue was duplicated IIS 8.5 on Windows 2012 Server too.


 IIS is configured as reverse proxy


<?xml version="1.0" encoding="UTF-8"?>
                <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://<HOST>:<PORT>/{R:1}" />
        <identity impersonate="false" />
    <location path="" overrideMode="Allow">
            <handlers accessPolicy="Read, Execute, Script">
                <add name="OracleWebGateExtension" path="*" verb="*" modules="IsapiModule" scriptProcessor="<WG_INSTALL_DIR>\webgate\iis\lib\webgate.dll" resourceType="Unspecified" requireAccess="None" />


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.