Multiple entries in GlobalSecureAccess forwarding profile

BostjanR 40 Reputation points
2024-06-09T19:15:13.02+00:00

Entra Private Access Enterprise Application was added to the GSA (Preview). Access worked OK. The Application was then deleted and recreated a few days later with identical Network Access / Application segments.

When trying to access the application, multiple Entra ID logon screens are displayed and login is not possible. The error message stated that the client is trying to log in to a nonexistent application or the wrong tenant.

When examining the GSA client forwarding profile (JSON), two entries are present for the same app segment; only the second one has an audienceScope entry that points to the correct ID for the application.

How to reset the forwarding profile or remove the duplicate entries so that only "existing" app segments will remain?

Microsoft Entra Private Access
Microsoft Entra Private Access provides secure and deep identity-aware, Zero Trust network access to all private apps and resources.

Accepted answer
  1. Shweta Mathur 29,016 Reputation points Microsoft Employee
    2024-06-12T06:36:12.5066667+00:00

    Hi @BostjanR ,

    Thanks for reaching out.

    It's good to hear that you were able to resolve the issue by editing the registry key for the GSA client forwarding profile.

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Regarding your question about where the GSA client loaded the wrong forwarding profile from after it was reinstalled:

    The initial deletion of the application directly from the Enterprise blade could not delete the app immediately and resulted in an orphaned app in the DB. This could have caused the GSA client to load the wrong profile even after it was reinstalled. This is a known issue, and our team is looking into this.

    To prevent this from happening in the future, you can try deleting the forwarding profile when you delete an application. This should ensure that the GSA client loads the correct forwarding profile when the application is reinstalled.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if the answer helped you.

1 additional answer

  1. BostjanR 40 Reputation points
    2024-06-09T20:24:05.7033333+00:00

    If it will help anyone, uninstalling/reinstalling the GSA client didn't solve the issue.

    The problem was resolved by editing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Global Secure Access Client \ ForwardingProfile

    The key contains the forwarding profile in JSON format. I edited the JSON and removed the rules for previous applications that had the wrong "api://" references. After GSA client reload, the GSA advanced diagnostics shows only one entry and access now works as expected.

    I would only like to know from where the GSA client loaded the wrong forwarding profile after it was reinstalled. If the "corrupted" profile is on Entra, we have a problem...

    Any internal MS help here that would point us where we could check the profile content in Azure would be appreciated. Thanks.

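A read-only check for the duplicate entries discussed in this thread, as an added example that is not part of either post and is not Microsoft's code: it walks a forwarding profile saved as JSON text and reports entries that are identical apart from `audienceScope`, so each scope can be compared with the application's current ID before anything is edited. Only `audienceScope` comes from the thread; the sample's `rules`, `destination`, `ports` and `protocol` names and all of its values are constructed assumptions, and the real profile layout may differ (pass extra key names in `ignore` if entries carry per-entry identifiers).

```python
import json

def _fingerprint(entry, ignore):
    """Canonical JSON of one entry with the ignored keys removed."""
    kept = {k: v for k, v in entry.items() if k not in ignore}
    return json.dumps(kept, sort_keys=True)

def find_duplicate_entries(node, ignore=("audienceScope",), path="$"):
    """Walk the profile; in every list of objects, report groups of entries
    that match once the ignored keys are dropped, with each audienceScope."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += find_duplicate_entries(value, ignore, f"{path}.{key}")
    elif isinstance(node, list):
        groups = {}
        for index, item in enumerate(node):
            if isinstance(item, dict):
                groups.setdefault(_fingerprint(item, ignore), []).append(index)
            findings += find_duplicate_entries(item, ignore, f"{path}[{index}]")
        for indexes in groups.values():
            if len(indexes) > 1:
                findings.append({
                    "path": path,
                    "indexes": indexes,
                    # None means the entry has no audienceScope at all
                    "audienceScopes": [node[i].get("audienceScope") for i in indexes],
                })
    return findings

# Constructed sample: field names other than audienceScope are hypothetical.
SAMPLE_PROFILE = json.loads("""
{
  "rules": [
    {"destination": "10.0.0.10", "ports": "443", "protocol": "tcp"},
    {"destination": "10.0.0.10", "ports": "443", "protocol": "tcp",
     "audienceScope": "api://<current-application-id>"},
    {"destination": "10.0.0.20", "ports": "3389", "protocol": "tcp",
     "audienceScope": "api://<other-application-id>"}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_duplicate_entries(SAMPLE_PROFILE):
        print(finding)
```
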