Authorization Rules Does Not Take Effect With IIS Webgate when IIS is configured as reverse proxy

(Doc ID 2113638.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


Customer  have an application that is protected by an IIS 7.5 webgate (2008 64-bit) and  able to access the resource even though  user is included in a  deny authorization policy. As per webgate and OAM log user is shown as Denied


Webgate logs shows user is denied

2016/02/08@08:07:51.240000      5040    4840    WEB     DEBUG3  0x00000201      ..\src\iis_filt_info.cpp:690    "SetHeader"     Header^OBUSERDENIEDURL: Value^/webgate/webgate.dll?status%253D500%2520errmsg%253DErrAuthzDeny%2520p2%253D%252F  bResult^1

However the IIS is still serving the page.

Issue was duplicated IIS 8.5 on Windows 2012 Server too.


 IIS is configured as reverse proxy


C:\inetpub\wwwroot\web.xml  (internal LAB)

<?xml version="1.0" encoding="UTF-8"?>
                <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="{R:1}" />
        <identity impersonate="false" />
    <location path="" overrideMode="Allow">
            <handlers accessPolicy="Read, Execute, Script">
                <add name="OracleWebGateExtension" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\oracle\product\11.1.1\as_1\webgate\iis\lib\webgate.dll" resourceType="Unspecified" requireAccess="None" />



Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms