Known issues and limitations

Known issues

  • Windows 10: There are still some issues regarding the interaction with the Windows 10 Credential Provider. It is, however, unclear whether the problems are related to Windows 10 or to Net iD Enterprise, and therefore we will wait for upcoming patches from Microsoft before investigating the problems more deeply. Examples:

    • CredentialProvider → InitChangePin fails in mstsc for Windows 10.

    • Report unlock does not work in Windows 10 since it asks for LOGON credentials instead of doing an UNLOCK.

  • Windows Install: "iidsetup.exe -install -silent" shall not be used, since uninstall fails; use only "iidsetup.exe /q".

  • Windows: The Credential Provider cannot present correct info when mapping a network drive.

  • OS X: When a second soft token is enrolled, it replaces the first soft token in the Keychain Access application. Workaround: drag and drop the first token from /Users/'user'/Library/Keychains/ to the Keychain Access application.

Known limitations

  • Net iD Enterprise Full Credential Provider (CP):

    • The Windows authentication dialog in Internet Explorer fails to present the smart card credential when using Full CP. This is due to an undocumented feature in the Microsoft Windows environment and will be reported to Microsoft for further investigation.

    • Microsoft smart card removal service cannot be used with Full CP. Use the Net iD Enterprise card removal functionality instead.

    • Workstation unlock may be experienced as slow when using Full CP, due to multiple key operations on the smart card before the desktop is presented. This is mostly experienced when using older and slower smart cards.

  • Support for Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1 with Dual Interface: The support for contactless communication is limited to usage of the card. Personalization, i.e. key generation and import of new certificates, has to be done via the contact interface.

  • For Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1, only a key length of 2048 bits is supported for RSA keys. The cards support 1024-bit RSA keys but can’t handle a mix of 1024-bit and 2048-bit keys. To avoid corrupt cards, and since the common recommendation is to no longer use 1024-bit keys, only RSA keys with 2048 bits will be supported for these cards.

  • Support for NPAPI plugins has been removed or will be removed from many of the popular web browsers. When NPAPI support is removed from a web browser, SecMaker will not be able to support the use of plugins for that web browser. The following is the status regarding NPAPI for some of the web browsers:

    • Google Chrome: the NPAPI support has been permanently removed since version 45.

    • Mozilla Firefox: it is still possible for the user to enable the NPAPI plugins via active manual actions in the browser dialogs, but the NPAPI support will be completely removed by the end of 2016 according to Mozilla. The 64-bit Firefox for Windows will not include support for NPAPI.

    • Safari: there is no news from Apple, but since the trend is to remove the NPAPI support for security reasons, it is probable that Apple will decide to remove the NPAPI support as well.

    • Microsoft dropped the ActiveX-plugin support with the release of Microsoft Edge. Microsoft Internet Explorer however still supports ActiveX-plugins.

  • Mozilla Firefox: Support for automatic installation of the Net iD Enterprise PKCS#11 module in Firefox on OS X was ended in v6.1 for security reasons. The old behaviour was comparable to the behaviour of a trojan, which is not acceptable. A manual workaround to load the PKCS#11 library via nss-modutil is available from SecMaker.

If you are dependent on NPAPI for your applications, please contact SecMaker.