I’m authenticated in ‘Enhanced Normal Mode’, yet after locking and unlocking Windows, I’m being asked to re-verify my Spine session with my Smartcard passcode. Why?
This mode has the same behaviour as NHS Digital IA v22.214.171.124 in Normal Mode.
This feature exists for backwards compatibility with previous versions of Identity Agent v2.x. If the user does not want this feature, either turn this off in the registry or simply delete the registry key for this value, the default mode will not exhibit this behaviour. See the Registry settings section in the Admin Guide for further information.
Why do all my browser(s) shut down when I log out?
This is default behaviour, in order to reduce the risk that browsers are incorrectly keeping a Spine application alive even after logging out of Spine.
This behaviour can be configured via the registry (see the ‘Configuration’ section in the Admin Guide, and look for registry key ‘ProcessesToKill’).
NHS Digital IA v126.96.36.199 seems slower to authenticate than with the BT Identity Agents. Can authentication be speeded up?
Whilst NHS Digital IA v188.8.131.52 is faster to authenticate than HSCIC IA v1, it may still seem slower than BT Identity Agents.
The use of Oberthur Smartcards and / or contactless Smartcard readers will significantly increase authentication speed in NHS Digital IA v184.108.40.206.
Meanwhile authentication speed is still being investigated and will be prioritised for resolution in a future release, most likely IA v3.
When I insert my smartcard, the PIN form does not appear.
There is a known issue with Identity Agent v.220.127.116.11 causing this problem on certain operating systems. If you experience this issue, upgrade to Identity Agent v.18.104.22.168.
I have noticed the CPU usage going up and Identity Agent not responding correctly.
There have been issues identified for users with Win8.1 or Win10 on versions of Identity Agent from v.2.2 onwards causing a memory leak. Users having this issue should upgrade to Identity Agent v22.214.171.124.
Why am I getting logged out when using Session Lock mode rather than my machine being locked?
If you are getting logged out when using session lock mode, this can happen under the following circumstance:
- Session Lock mode is enabled
- Windows screen saver is active
- Using Windows 8.1 or later
If all the above are true and the user removes their Smartcard when the screen saver is active, currently the Identity Agent does not correctly swap to the Lock/Logout screen and when the countdown timer expires in the background the machine fails to lock correctly and the user is logged out of Windows
To avoid this occurring, ensure Windows is not displaying the screen saver when your Smartcard is removed.
Users having this issue should upgrade to Identity Agent v126.96.36.199.
Why am I getting logged out randomly during the day when using Normal mode?
A bug was introduced in Identity Agent v188.8.131.52 which did not stop the timer for the “time allowed locked until logged out” when the machine is locked and then unlocked in Normal mode. The default for this timer is 15000s (just over four hours). This can mean the user will get logged out of Spine just over four hours after they first locked their machine.
One work around is to set TimeAllowedLockedUntilLogoffInSeconds = 28500 in the registry which will then give the user just over seven hours from first locking their machine to being logged out
Alternatively, upgrade Identity Agent to v184.108.40.206 to resolve the issue
This issue does not affect any modes other than Normal mode for the affected versions of Identity Agent.
I cannot associate my Series 8 (OT) Smartcard with EMIS
The changes required to resolve the memory leak in IA v220.127.116.11 have caused an issue with how EMIS access the Smartcard which appears to stop the first time Smartcard association from working with Series 8 (OT) Smartcards. EMIS are aware of the issue and are trying to resolve it.
The only current workaround is to perform the first-time association on a version of Identity Agent lower than v18.104.22.168, i.e. use v22.214.171.124. Once the Smartcard has been associated, EMIS works as expected.
NOTE: EMIS have attempted to advise on a fix for this issue to us which comprises the following actions.
Install GEM, install IA, install SR8, and then revert the registry back to the GEM settings.
This fix must not be used as will render any user who implements this unable to perform a self-renew on Series 8 Smartcards and a high risk of damaging the card beyond repair if attempted.
If required, Identity Agent v126.96.36.199 can be downloaded from Identity Agent v188.8.131.52
I cannot associate my NHSD Virtual Smartcard with EMIS
Currently EMIS users cannot perform the initial registration with virtual Smartcards. This issue is under investigation with EMIS.
I am getting a TLS/SSL error when trying to authenticate
This error occurs within Windows and is echoed by the Identity Agent. The usual cause of this error is either the certificates for the platform chosen for authentication are missing, or they have expired.
Either re-install or repair the Identity Agent with both production and test certificates, or if this has been done, update to the latest Path-to-Live (PTL) certificates. These are available from https://digital.nhs.uk/services/path-to-live-environments
I’ve just got a new Windows 10 machine and I’m having multiple issues reading or renewing my Smartcard
With the later builds of Windows 10, by default, the wrong drivers are being installed for the Omnikey 3121 Smartcard reader which can cause a variety of issues from the card being unable to be read to CMS activities failing.
If you experience any of these issues after getting a new machine, check the correct drivers have been installed. Run the CIS diagnostic tool and look at the .txt file on your desktop. The tool is available from http://nww.hscic.gov.uk/dir/downloads. Check if the OmniKey 3121 Smartcard reader driver is shown as a 3021 CCID reader. If it is, download and install the correct drivers, from the link above and re-run the report. The Omnikey 3121 Smartcard reader driver should now have the correct drivers installed.
I am being told my certificates are expired but I have only just renewed my Smartcard
This issue can occur if the trust has a mix of BTIA and machines with Oberthur middleware. When a Smartcard is renewed by BTIA, only the GEM compatibility element is updated. When the Smartcard is subsequently used in a machine with Oberthur middleware, the agile (OT) applet is read. Since this has not been renewed the user will be advised their Smartcard has expired. The Smartcard will need to be repaired by a RA to resolve this issue. A new Smartcard is NOT required. For trusts who operate in this type of mixed environment, it is recommended to renew the Smartcard on a machine with NHS Digital Identity Agent as this will renew both applets on the Smartcard regardless of whether Oberthur middleware is installed or not.
My Spine session seems to be shorter than expected
All versions of NHSD Identity Agent prior to v184.108.40.206 have a bug where the session length time is incorrectly calculated during BST and the session is one hour shorter than the correct length. This issue is now resolved.