Known issues and limitations

Known issues

  • Windows WiFi and VPN: Due to a context handling issue in Windows, the built-in WiFi and VPN intermittently fail to connect. The PC must then be restarted to reset the context before the built-in Windows WiFi and VPN can be used again.

  • Windows 10: There are still some issues regarding the interaction with the Windows 10 Credential Provider. It is however unclear whether the problems are related to Windows 10 or to Net iD Enterprise, and therefore we will wait for upcoming patches from Microsoft before any deeper investigation of the problems is done. Examples:

    • CredentialProvider → InitChangePin fails in mstsc for Windows 10.

    • Report unlock does not work in Windows 10 since it asks for LOGON credentials instead of doing an UNLOCK.

    • Windows 10 v1703 → The Pass-through Credential Provider cannot detect the card removal event; use the Full Credential Provider instead.

  • Using Net iD Certificate Provider with Net iD Minidriver [1], Microsoft "Smartcard Credential Provider" interferes with certificate reading which results in an unsuccessful SSL/TLS login in Internet Explorer. Solution [2] is to disable only the 32-bit Microsoft "Smartcard Credential Provider" since 64-bit is used with pre-authentication login.

  • Net iD Enterprise Full CP (Credential Provider) on Windows client OSes:

    • When using Full CP, the card reader is locked by the Microsoft Smart Card Credential Provider, which causes longer logon and unlock times. We recommend excluding the Microsoft Smart Card Credential Provider in Group Policy when using Full CP.

  • Windows Install: "iidsetup.exe -install -silent" shall not be used since uninstall then fails; use only iidsetup.exe /q.

  • Windows: The Credential Provider cannot present correct info when mapping a network drive.

  • OS X/macOS: when enrolling a second soft token, it replaces the first soft token in the Keychain Access application. Workaround: drag and drop the first token from /Users/'user'/Library/Keychains/ into the Keychain Access application.

Known limitations

  • ECC (Elliptic-Curve Cryptography) supported for test only.

  • macOS uninstall:

    • In the new NiE GUI v2, uninstall is not included. Uninstall is done by entering the following command in the macOS Terminal, from the /etc/iid/ directory: sudo ./uninstall

  • PIN pad card reader support; limitations to consider due to the way PIN pads behave:

    • After the PIN has been entered on the PIN pad and verified by the card, the card reader will always be locked to the process that required the PIN. No other process will be able to access the card reader until it is released.

    • Applications need to be aware of PIN pad behaviour and handle it appropriately, for instance by avoiding logging out when not necessary, to reduce the number of times the user has to enter the PIN.

    • A PIN pad generally will not work well when used with multiple applications, since today's applications seldom log out at all.

    • Net iD Enterprise includes a special feature (only supported in Windows) to map all applications using the PKCS#11 plugin onto the same process, i.e. a behaviour like SSO, so that multiple processes are able to communicate with the PIN pad.

      • limitation #1: only one kind of process can access the PIN pad at a time, i.e. either 32-bit or 64-bit applications.

      • limitation #2: due to Windows behaviour it is, for example, not permitted to switch between the user and system desktop. This for instance prevents the use of SSO when logged in to Windows with credentials from the same card.

    • It is essential to check that every application to be used supports PIN pad.

  • Net iD Enterprise Full CP (Credential Provider):

    • The Windows authentication dialog in Internet Explorer fails to present smart card credentials when using Full CP. This is due to an undocumented feature in the Microsoft Windows environment and will be reported to Microsoft for further investigation.

    • Microsoft smart card removal service cannot be used with Full CP. Use the Net iD Enterprise card removal functionality instead.

    • Workstation unlock may be experienced as slow when using Full CP, due to multiple key operations on the smart card before the desktop is presented. This is mostly experienced when using older and slower smart cards.

  • Support for Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1 with Dual Interface: The support for contactless communication is limited to usage of the card. Personalization, i.e. key generation and import of new certificates, has to be done via the contact interface.

  • For Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1, only a 2048-bit key length is supported for RSA keys. The card has support for 1024-bit RSA keys but cannot handle a mix of 1024- and 2048-bit keys. To avoid corrupt cards, and since the common recommendation is not to use 1024-bit keys any longer, only RSA keys with 2048 bits will be supported for these cards.

  • Support for NPAPI plugins has been removed from many popular web browsers. When NPAPI support is removed from a web browser, SecMaker will not be able to support the use of plugins for that web browser. The following is the NPAPI status for some web browsers:

    • Google Chrome: NPAPI support has been permanently removed since version 45.

    • Mozilla Firefox: only the ESR versions of Firefox support the use of plugins; on Windows, plugins are only supported in the 32-bit ESR version.

    • Safari: there is no news from Apple, but since the trend is to remove NPAPI support for security reasons, it is probable that Apple will decide to remove NPAPI support as well.

    • Microsoft dropped ActiveX plugin support with the release of Microsoft Edge. Microsoft Internet Explorer, however, still supports ActiveX plugins.

  • Mozilla Firefox: Support for automatic installation of the Net iD Enterprise PKCS#11 module in Firefox on OS X was ended for security reasons in v6.1. The old behaviour was comparable to the behaviour of a trojan, which is not acceptable. A manual workaround to load the PKCS#11 library via nss-modutil is available from SecMaker.

If you are dependent on NPAPI for your applications, please contact SecMaker.

1. Net iD Minidriver is commonly used only in TS environments.
2. To disable the 32-bit Microsoft Smartcard Credential Provider, open the Registry Editor:
   1. Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
   2. Right-click the CLSID of the provider, select New → DWORD (32-bit) Value, set the value name to "Disabled", and modify the value data to "1".
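The same change as footnote 2, scripted for consistent rollout (an added example, not SecMaker's or Microsoft's code). It locates the provider's CLSID under the WOW6432Node key by its display name instead of hard-coding it, assumes that display name is "Smartcard Credential Provider" (stored in each CLSID subkey's default value), deliberately leaves the 64-bit provider untouched, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not SecMaker's code): disable only the 32-bit Microsoft
# "Smartcard Credential Provider" by setting Disabled = 1 (DWORD) under its
# CLSID in the WOW6432Node Credential Providers key, as in footnote 2.
# Assumption: the CLSID subkey's (default) value holds the display name below.

$Wow64Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$ProviderName = 'Smartcard Credential Provider'

function Get-CredentialProviderKey {
    param([string]$BaseKey, [string]$Name)
    # Each subkey is a provider CLSID; its (default) value is the display name.
    Get-ChildItem -Path $BaseKey | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).'(default)' -eq $Name
    }
}

function Disable-32BitSmartcardCredentialProvider {
    $keys = @(Get-CredentialProviderKey -BaseKey $Wow64Key -Name $ProviderName)
    # Refuse to guess if the name is missing or ambiguous; do not touch anything.
    if ($keys.Count -ne 1) {
        throw "Expected exactly one '$ProviderName' under WOW6432Node, found $($keys.Count)."
    }
    $key = $keys[0]
    # Only the WOW6432Node (32-bit) entry is changed; the 64-bit provider under
    # HKLM:\SOFTWARE\Microsoft\... stays enabled for pre-authentication login.
    New-ItemProperty -Path $key.PSPath -Name 'Disabled' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Disabled 32-bit provider $($key.PSChildName)"
}

function Test-32BitSmartcardCredentialProviderDisabled {
    # Verification step: returns $true only when Disabled exists and equals 1.
    $key = Get-CredentialProviderKey -BaseKey $Wow64Key -Name $ProviderName
    if (-not $key) { return $false }
    $value = (Get-ItemProperty -Path $key.PSPath -Name 'Disabled' -ErrorAction SilentlyContinue).Disabled
    return ($value -eq 1)
}

Disable-32BitSmartcardCredentialProvider
if (Test-32BitSmartcardCredentialProviderDisabled) {
    Write-Host 'Verified: 32-bit Smartcard Credential Provider is disabled.'
} else {
    Write-Warning 'Disabled value not set; check the registry key manually.'
}
```

The Test- function can be run on its own afterwards (or from a compliance script) to confirm the setting survived updates, since the 64-bit provider must remain enabled for the pre-authentication login described in the issue.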