
Fixing GAM Login Failure: “Incoming request is rejected due to security reasons” (403 Security Rejection)

Overview

You may see GAM login/authentication fail with the error message "Incoming request is rejected due to security reasons. Contact your system administrator." (often accompanied by a 403 security rejection). This has been observed on CloudSense package version R36 when Salesforce request signing/certificate configuration changes—particularly the certificate referenced from the csam__AsyncMessOptions__c custom setting.

In the confirmed scenario, clearing the configured csam__Callout_Certificate_Name__c value from csam__AsyncMessOptions__c restored GAM login and allowed incoming messages to resume creation and processing.

Solution

Error Message

"Incoming request is rejected due to security reasons. Contact your system administrator."

Symptoms / Impact

  • GAM login fails and CloudSense cannot complete the integration flow.
  • Incoming messages stop being created/processed.
  • The service may return 403 due to security/signature rejection.

Affected Context

  • Observed in a Production org on CloudSense package version R36.
  • Triggered immediately after Salesforce org/config changes to signing/certificate-related settings.

Why This Happens (Root Cause)

GAM authentication/signing can fail after changes in the Salesforce org to signing configuration/certificates. If the certificate referenced by the signing configuration does not match the public key originally provisioned for the org (for example, due to certificate mismatch, deletion, or rotation), signed requests may be rejected and return a 403. In the confirmed scenario, the configured “Callout Certificate Name” value contributed to the request rejection.

How to Investigate

  1. Confirm the exact error
    • In GAM, capture the exact message: "Incoming request is rejected due to security reasons. Contact your system administrator."
  2. Correlate the outage start time
    • Identify the last successful incoming message timestamp (before failures began).
    • Compare that timestamp against “Last Modified” timestamps of integration/signing-related settings.
  3. Check signing configuration changes
    • Review changes to the custom setting: csam__AsyncMessOptions__c.
    • Pay special attention to signing/callout fields, including: csam__Callout_Certificate_Name__c.
  4. Check certificate state in the org
    • In Salesforce Setup, review Certificate and Key Management.
    • Verify the certificate expected by the integration exists and matches what was originally provisioned (public key alignment).
    • If certificates were deleted or replaced, signing can break and cause a 403 security rejection.
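
For the certificate check in step 4, one way to test public key alignment is to compare SHA-256 hashes of each certificate's SubjectPublicKeyInfo with openssl. This is an added example, not CloudSense or Salesforce tooling; it assumes the originally provisioned certificate and the org's current one are both available as PEM files, and the file names and sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare certificates by public key (SPKI), not by file contents.
set -eu

# Print the SHA-256 (hex) of a PEM certificate's SubjectPublicKeyInfo.
spki_sha256() {
  pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only when both certificates parse and carry the same public key.
same_public_key() {
  a=$(spki_sha256 "$1") || return 2
  b=$(spki_sha256 "$2") || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data: throwaway EC keys and self-signed certificates.
# provisioned.crt and renewed.crt share key A; rotated.crt uses a new key B.
make_samples() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/key_a.pem"
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/key_b.pem"
  openssl req -new -x509 -key "$1/key_a.pem" -days 1 \
    -subj "/CN=example-provisioned" -out "$1/provisioned.crt"
  openssl req -new -x509 -key "$1/key_a.pem" -days 1 \
    -subj "/CN=example-renewed" -out "$1/renewed.crt"
  openssl req -new -x509 -key "$1/key_b.pem" -days 1 \
    -subj "/CN=example-rotated" -out "$1/rotated.crt"
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_samples "$dir"
for name in renewed rotated; do
  if same_public_key "$dir/provisioned.crt" "$dir/$name.crt"; then
    echo "$name.crt: same public key as provisioned.crt"
  else
    echo "$name.crt: public key differs from provisioned.crt"
  fi
done
```

In the sample, renewed.crt is a different certificate issued over the same key and still matches, while rotated.crt carries a new key and does not.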

Resolution (Configuration Change That Restored Service)

  1. Open Salesforce Setup in the affected org.
  2. Navigate to the custom setting record: csam__AsyncMessOptions__c.
  3. Locate the field: csam__Callout_Certificate_Name__c (often labeled Callout Certificate Name).
  4. Clear the value (set it to blank / remove the referenced certificate name), then save.
  5. Retry the GAM login/integration flow.

Verification

  • Re-test GAM login; it should succeed without the security rejection.
  • Confirm incoming messages are being created and processed again (integration queue resumes normal movement).
  • If possible, validate with an end-to-end test that pushes a small set of records through the integration.

If the Issue Persists

  • Re-check whether certificates were deleted/rotated and no longer match the originally provisioned public key.
  • Restore the correct certificate if it was removed.
  • If the public key must be updated, initiate a reprovisioning request through your standard CloudSense security provisioning process (avoid ad-hoc certificate rotations without coordinating reprovisioning).

Reference (Tracking)

This scenario may be referenced internally under JIRA <jira_id> for coordination and traceability.

Frequently Asked Questions

1. How do I know this is the same issue?

You see the exact GAM message "Incoming request is rejected due to security reasons. Contact your system administrator." and the outage starts immediately after changes to signing/certificate configuration (often with a 403 security rejection from the service).

2. Which Salesforce setting was changed to fix it?

The value in csam__AsyncMessOptions__c for csam__Callout_Certificate_Name__c was cleared (set to blank). After this change, GAM login worked and incoming message processing resumed.

3. What should I verify after clearing the Callout Certificate Name?

Verify: (1) GAM login succeeds, (2) new incoming messages are created, and (3) messages/processes are completing again (no backlog growth).

4. We use certificate-based authentication in UAT and it works—why would Production fail?

Environments can diverge in certificate inventory and provisioning history. If Production’s configured certificate was changed, deleted, or no longer matches the originally provisioned public key, Production can start rejecting signed requests even if UAT still works.

5. What if clearing csam__Callout_Certificate_Name__c doesn’t resolve it?

Confirm whether the org’s certificates were deleted/rotated and whether the currently installed certificate matches what the integration expects (public key alignment). If a new keypair/certificate must be used, request reprovisioning through CloudSense support/security provisioning so the service trusts the updated public key.

Posted by Matej Storga