Known issues and limitations

Known issues

  • macOS Tokend:
    Apple has completely removed support for Tokend with the macOS Big Sur release, and the replacement module CryptoTokenKit (CTK) has not been added to Net iD Enterprise. Instead, use Net iD Client to continue using smart cards with Apple applications on macOS. Contact SecMaker support for more information.

  • Windows WiFi and VPN:
    Due to a context handling issue in Windows, the built-in WiFi and VPN intermittently fail to connect. The PC must then be restarted to reset the context before the built-in Windows WiFi and VPN can be used again.

  • Windows 10:
    There are still some issues regarding the interaction with the Windows 10 Credential Provider. It is however unclear whether the problems are related to Windows 10 or to Net iD Enterprise, and therefore we will wait for upcoming patches from Microsoft before any deeper investigation of the problems is done. Examples:

    • CredentialProvider → InitChangePin fails in mstsc for Windows 10.

    • Report unlock does not work in Windows 10 since it asks for LOGON credentials instead of doing an UNLOCK.

  • When Net iD Certificate Provider is used together with Net iD Minidriver [1], the Microsoft "Smartcard Credential Provider" interferes with certificate reading, which results in an unsuccessful SSL/TLS login in Internet Explorer. The solution [2] is to disable only the 32-bit Microsoft "Smartcard Credential Provider", since the 64-bit one is used with pre-authentication login.

  • Windows Install:
    iidsetup.exe -install -silent must not be used, since uninstall then fails. Use only iidsetup.exe /q.

  • Windows:
    The Credential Provider cannot present correct info when mapping a network drive.

  • macOS:
    When enrolling a second soft token, it replaces the first soft token in the Keychain Access application. Workaround: drag and drop the first token from /Users/'user'/Library/Keychains/ into the Keychain Access application.

Known limitations

  • The comma character (,) is not allowed in attributes for Subject DN, Subject AltName, or Issuer DN (for example, Title in Subject DN). Since the comma is used as a delimiter, there are in practice too many possible problems with implementations that cannot separate the use of commas as characters from their use as delimiters.

  • Net iD Virtual smart card for TPM is not generally supported; proof-of-concept only.

  • ECC (Elliptic-Curve Cryptography) is supported for test only.

  • macOS uninstall:

    • In the new NiE GUI v2, uninstall is not included. Uninstall is done by entering the following commands in the macOS terminal (the uninstall script resides in /etc/iid/):

      $ cd /etc/iid/
      $ sudo ./uninstall

  • All PIN pad card reader support will be handled as customer-specific support (no general support), in order to verify the user environment.
    Limitations to consider due to the way PIN pads behave:

    • After the PIN has been entered on the PIN pad and been verified by the card, the card reader will always be locked to the process that required the PIN. No other processes will be able to get access to the card reader until released.

    • Applications need to be aware of PIN pad behaviors and handle them in an appropriate way, for instance avoiding logging out when not necessary, to reduce the number of times the user has to enter the PIN.

    • A PIN pad generally will not work well when used with multiple applications, since today's applications seldom log out at all.

    • Net iD Enterprise includes a special feature (only supported on Windows) to map all applications using the pkcs11 plugin onto the same process, that is, an SSO-like behavior where multiple processes are able to communicate with the PIN pad.

      • limitation #1: only one kind of process can access the PIN pad at a time, that is, either 32-bit or 64-bit applications.

      • limitation #2: due to Windows behavior, it is for example not permitted to switch between the user and the system desktop. This for instance prevents usage of SSO when logged in to Windows with credentials from the same card.

    • It is essential to check that every application to be used supports PIN pad.

  • Net iD Enterprise Full CP (Credential Provider):

    • The Windows authentication dialog in Internet Explorer fails to present the smart card credential when using Full CP. This is due to an undocumented feature in the Microsoft Windows environment and will be reported to Microsoft for further investigation.

    • Microsoft smart card removal service cannot be used with Full CP. Use the Net iD Enterprise card removal functionality instead.

  • Support for Thales (Gemalto) IDPrime Instant IP10 and Thales (Gemalto) IDPrime SIS EID IP1 with Dual Interface: The support for contactless communication is limited to usage of the card. Personalization, that is, key generation and import of new certificates, has to be done via the contact interface.

  • For Thales (Gemalto) IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1, only a 2048-bit key length is supported for RSA keys. The card has support for 1024-bit RSA keys but cannot handle a mix of 1024-bit and 2048-bit keys. To avoid corrupt cards, and since the recommendation is not to use 1024-bit keys, only RSA keys with 2048 bits will be supported for these cards.

1. Net iD Minidriver is commonly used only in TS environments.
2. To disable the 32-bit Microsoft Smartcard Credential Provider, open the Registry Editor:
   1. Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
   2. Right-click the CLSID of the provider, select New → DWORD (32-bit) Value, enter "Disabled" as the value name, and set the value data to "1".
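
The same change as in footnote [2], done from an elevated PowerShell session so it can be scripted and verified. This is an added example, not SecMaker's own tooling. It assumes that the provider can be identified by the display name stored in the default value of its CLSID subkey (so the CLSID does not have to be hard-coded), and it deliberately touches only the WOW6432Node key, leaving the 64-bit provider enabled as the issue above requires.

```powershell
# Added example (not part of Net iD Enterprise): disable only the 32-bit
# Microsoft "Smartcard Credential Provider" per footnote [2] and verify that
# the native 64-bit provider is still enabled. Run from an elevated PowerShell.
# Assumption: the provider's display name is stored as the default (unnamed)
# value of its CLSID subkey.

$wow64Key  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$nativeKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$name      = 'Smartcard Credential Provider'

# Locate the provider by display name instead of hard-coding its CLSID.
$targets = Get-ChildItem -Path $wow64Key | Where-Object {
    (Get-ItemProperty -Path $_.PSPath).'(default)' -eq $name
}

if (-not $targets) {
    throw "No 32-bit credential provider named '$name' found under $wow64Key"
}

foreach ($key in $targets) {
    # REG_DWORD Disabled = 1 is what Windows checks; -Force overwrites an existing value.
    New-ItemProperty -Path $key.PSPath -Name 'Disabled' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Disabled 32-bit provider $($key.PSChildName)"
}

# Verification: the 64-bit provider with the same CLSID must NOT be disabled,
# because it is still used for pre-authentication login.
foreach ($key in $targets) {
    $path     = Join-Path $nativeKey $key.PSChildName
    $disabled = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Disabled
    if ($disabled -eq 1) {
        Write-Warning "64-bit provider $($key.PSChildName) is also disabled; remove 'Disabled' from $path"
    } else {
        Write-Host "64-bit provider $($key.PSChildName) left enabled (as intended)"
    }
}
```

Matching on the display name rather than a CLSID keeps the script honest if the CLSID differs between Windows builds; if no key matches, it stops instead of disabling the wrong provider. Reverting the change is a matter of removing the Disabled value from the same WOW6432Node subkey.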