My Oracle Support Banner

Authorization Rules Does Not Take Effect With IIS Webgate when IIS is configured as reverse proxy (Doc ID 2113638.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


Customer  have an application that is protected by an IIS 7.5 webgate (2008 64-bit) and  able to access the resource even though  user is included in a  deny authorization policy. As per webgate and OAM log user is shown as Denied


Webgate logs shows user is denied

2016/02/08@08:07:51.240000      5040    4840    WEB     DEBUG3  0x00000201      ..\src\iis_filt_info.cpp:690    "SetHeader"     Header^OBUSERDENIEDURL: Value^/webgate/webgate.dll?status%253D500%2520errmsg%253DErrAuthzDeny%2520p2%253D%252F  bResult^1

However the IIS is still serving the page.

Issue was duplicated IIS 8.5 on Windows 2012 Server too.


 IIS is configured as reverse proxy


C:\inetpub\wwwroot\web.xml  (internal LAB)

<?xml version="1.0" encoding="UTF-8"?>
                <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="{R:1}" />
        <identity impersonate="false" />
    <location path="" overrideMode="Allow">
            <handlers accessPolicy="Read, Execute, Script">
                <add name="OracleWebGateExtension" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\oracle\product\11.1.1\as_1\webgate\iis\lib\webgate.dll" resourceType="Unspecified" requireAccess="None" />



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.
My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.