Issue:
After setting up Session Assurance, we are testing if the feature works by accessing first from a browser to the protected resource to generate the user session, and then from a different browser we replay the session. We are seeing the user is being able to access to the resource, when it is expected to be challenged for credentials again.
Cause:
By default, the DeviceDNA Refresh Interval is set to 300 seconds, which specifies the amount of time the DeviceDNA associated with a user is valid. Only user without a valid DeviceDNA are redirected to the Endpoint where the server obtains current DeviceDNA for the user. If the Endpoint has the DeviceDNa refresh interval set to 300 seconds, and the time between both access requests is lower than this, the server checks via Session Assurance to check the session validity.
Environment:
Policy Server 12.52SP2 on windows 2012 R2
CA Access Gateway 12.52SP1CR05 on Windows 2008 R2
Resolution:
You may change the DeviceDNA Refresh Interval value to a lower value to adjust it to your needs as follows: Access your AdminUI, and go to: Policies > Global > Session Assurance Endpoints, and for your defined Endpoint modify the DeviceDNA Refresh Interval value.
When testing the feature, ensure between both access requests the time is higher than the current DeviceDNA Refresh Interval
Additional Information:
How to Configure Session Assurance with DeviceDNA
KD: TEC1392984