EDDI technical installation and troubleshooting guidance

To ensure optimal performance when using EDDI, it is important that users have the correct IT infrastructure in place. The purpose of this guidance is to provide a consolidated set of instructions/guidelines relating to installation and troubleshooting. 

This document contains the following:

• pre-deployment checklist - a checklist to ensure your organisation has considered each item prior to accessing EDDI
• desktop setup - a detailed guide on how to configure desktop PCs for use with EDDI
• connection troubleshooting - a section to identify and correct problems with the local configuration settings that may be preventing connectivity to EDDI

This checklist is intended as a quick guide to ensure your PCs are configured correctly to access EDDI.

To successfully use the EDDI application, the following installation and configuration steps should be followed:

The EDDI application should only be run on a Windows PC with the latest supported operating system (currently Windows 10). EDDI may work on earlier versions of Windows (e.g. Windows 7), but these do not meet the minimum security and support requirements, specified by NHS Digital. 

To set up EDDI, you will need an account on the PC that has local administrator privileges. This may require assistance from your IT support team. To access and use, EDDI needs only a standard PC user account with N3/HSCN network access. 

The EDDI application is a web based application that does not have a minimum specification hardware requirement, over and above that of the Windows operating system on which it is running. The more memory (RAM) that a system has, the more applications/data it can load at the same time. Additional memory may therefore be required if running multiple applications on the same PC.

Users of the EDDI application should work with their local IT providers and support staff to ensure their memory is adequate, especially if experiencing any slow response times. 

The EDDI application is dependent on an N3/HSCN (Health and Social Care Network) connection. 

Find out more about HSCN. 

Computer systems which access NHS Digital services must meet certain technical standards. The Warranted Environment Specification (WES) defines the client environments that we support. 

Find out more about WES. 

Users should work with their suppliers to ensure that the N3/HSCN network provision is optimised for their needs, as this will vary between different sites.  

All information relating the Identity Agent installation process is available on the NHS Digital website. 

Read more about the installation process for Identity Agent. 

This step includes installing the following software:

1. Java RunTime 7 or 8 32-bit
2. 32-bit or 64-bit Gemalto Classic Client
3. .Net Framework 3.5.1 or above
4. Smartcard drivers for your Smartcard reader (see documentation for specifics)
5. NHS Digital Identity Agent v2.3 or later

For any IA Client issues/questions that cannot be resolved via these sources, please contact the NHS Digital Deployment Issue Resolution Team at [email protected].

The following browsers may be used to access EDDI:

• Chrome v45 or later
• Microsoft Edge v79 or later

Depending on which browser you use, the installation will be different. Please refer to the relevant section below for the appropriate browser configuration. 

Configuration for Google Chrome and Microsoft Edge are the same. 

Microsoft Edge v79 and later uses the Chromium engine open-source software. In order to use Chrome or Edge for EDDI, the NHS Digital Credential Management Application is the preferred solution

Credential Management Application (CMA)

NHS Credential Management Application (CMA) is a stand-alone, desktop application that works alongside all versions of the NHS Identity Agent for smartcard authentications.

Download the latest version of the NHS Credential Management installation file (N3/HSCN connection required to access this link). Supporting guides for installation and configuration are also available from this link. As detailed in the installation guides, this can be deployed as a silent install over a large estate, making deployment quick and simple. In order to test that your installation and configuration of the NHS Credential Management application is correct, we recommend you use the NHS CIS2 Smartcard Checker Tool .

Further information on the Credential Management Application is available.

Alternative option

If the recommended action provided above is not suitable for your users or organisation you can use Google Chrome or Microsoft Edge with plug-ins now, however we must advise that we believe that this is a more time-consuming approach for IT teams to set up and is not supported on a case-by-case basis by NHS Digital. 

To identify the cause of problems experienced trying to access EDDI, please complete checks 1and 2 below.

If any of the checkpoints fail, follow the guidance within the relevant subheading to resolve the problem. If you run through all the checks and have ruled out all potential local issues and are still unable to access EDDI, please call the National Service Desk.

After inserting a smartcard, the Identity Agent software should immediately become active.  

After a few seconds you should be presented with a prompt to enter your passcode, which will look similar to one of the following (depending on which version of Identity Agent is installed):

If nothing happens after you insert a smartcard, check the following:

Check the card has been inserted correctly

Most card readers require the card to be inserted with the picture facing up and visible when inserted. One exception is the Fujitsu Siemens card reader keyboard which requires the card to be inserted facing down.

Check the physical connections to the PC

The cable should be securely connected to the smart card reader and at the other end a USB port in the PC. If using a USB hub, check that there is power (if required) and that the hub in turn is connected to the PC.

Check the USB port is working

When a USB device is plugged in, the PC should check for valid drivers, test the port with a USB drive or other device. If the port is not functioning check within device manager to ensure it is installed.

Check the network availability

Test that the PC has Internet access and can access NHS web sites such as https://nww.ebs.ncrs.nhs.uk/browsercheck
If not speak to the local IT administrator to get valid IP details for the PC. Ensure network availability is available before proceeding.

Check the Identity Agent software is active

If you have HSCIC Identity Agent v2 (or later) installed, then the icon in the system tray will look as follows:

By right clicking on the icon, you will be able to get the Status of the Identity Agent or to Exit (quit the application), as shown below:

If you had quit the Identity Agent application, it can be started via the Windows Start button by navigating to the Identity Agent icon:

When the card is inserted, a message box appears saying you cannot connect to the server (see below):

Check the authentication page

Open a browser window and go to https://gas.national.ncrs.nhs.uk/login/authactivate.  

You should see an XML page similar to the example below:

If not, check the local network settings to ensure there is connectivity to the URL above.
Further troubleshooting information on this issue can be found in the Identity Agent documentation (HSCN/N3 access required).

The EDDI landing page can vary depending on a person’s user profile.

If the user is able to access multiple organisations and/or locations, then EDDI displays a list of possible choices for the user to select from:

Alternatively, if the user has only one org/location but multiple roles, EDDI displays a list of roles for the user to choose from:

If the user has only one location and role, but multiple services, EDDI displays a list of services:

If the user has only one org/location and role, the system will automatically log in to the user's homepage with the ‘Daily view’ screen displayed:

Ensure ‘Enable Meta Refresh’ is set

Ensure that the ‘Allow Meta Refresh’ variable in the trusted sites’ security settings is set to “enable”. This should be set to “enable” if the Trusted sites’ security level is set to the default (Low) level.

Check network availability

Test that the PC has Internet access and can access NHS web sites such as https://nww.ebs.ncrs.nhs.uk/browsercheck

Check that the ActiveX control is installed

EDDI uses an ActiveX control as the primary mechanism for logon in Internet Explorer.

When the Internet Explorer Add-on window pops up, check that the Name (of the ActiveX control) is IdentityAgent.dll and that the Publisher is BJSS Ltd. Click on the Install button to install the ActiveX control. Note that administrator privileges are required to complete this installation.

Check Chrome Extension is installed

If using Google Chrome browser, ensure that the Chrome Extension has been installed.

Check if the PC is running through a proxy server

Some proxy servers can be configured to deny access to JavaScripts. Check the internet settings to see if a proxy server is being used and if so ensure that the EDDI website has been set up as an exclusion, either explicitly (as in the screenshot on the left) or by use of wildcards (*.nhs.uk)

Check that Windows updates are installed

It is possible the Windows hotfixes are not up to the required level. 

Go to http://windowsupdate.microsoft.com to download all the latest critical updates.

Register mshtml.dll

It is possible that the version of mshtml.dll on the machine does not match its COM interface registry entries, which results in the Checking Authentication page hanging. Re-registering this DLL may resolve this login issue.

To re-register the DLL, type the following line into the command prompt:

“regsvr32 c:\windows\system32\mshtml.dll”

Local administrator privileges are required to successfully execute this command.

Check the environment settings

Check the Environment variable by right-clicking "My Computer" or “Computer” or “This PC” (depending on the Windows version on your PC), then select "System Properties" or “Properties”, then “Advanced System Settings” (if running Windows 7 or Windows 10), then "Environment Variables".

Ensure the "Path" contains C:\Program Files\Gemalto\Classic Client\bin

If the Path does not contain the above directory, reinstall the card reader software.

Check the TicketApiDll.dll file

Check that the TicketApiDll.dll file is present.

Complete a search within Windows Explorer to ascertain if there are any other files with the name TicketApiDll.dll. If multiple files are found, ensure they are of the same size and have the same version. If not, delete any older files found with caution.

Some GP system suppliers deploy a version of the TicketApiDll.dll file to the network drive. If present the version of this file should be checked.

Check the version of the TicketApiDll.dll file

If you have installed the new HSCIC Identity Agent (v2.0 or later), then the TicketApiDll.dll version will be 1.0.1.0 or later. Earlier versions of the TicketApiDll.dll file are not compatible with the ActiveX control and are no longer supported.

If you have a different or unsupported version, then the recommended approach is to reinstall the Identity Agent to ensure the correct versions are installed rather than deleting or replacing manually.

Check the JAR file

Search for the file name GATicket.jar on the local drive and ensure there is a copy of the file within C:\Program Files\Java\<latest JRE directory>\lib\applet or
C:\Program Files (x86)\HSCIC\Identity Agent directory, and that all other instances are removed.

Check the EDDI roles

It is necessary for EDDI to synchronise with the Spine Directory Service (SDS) to pick up any new users. This synchronisation can take up to an hour. Therefore, a user will need to allow for this period to elapse after their RA Manager has issued their smart card, prior to logging on for the first time. In addition, the user's details will only be picked up from SDS if they have a valid role profile.

A legitimate role profile consists of:

• an applicable organisation
• a valid EDDI role

If this error is displayed, the user should go back to their RA Manager to verify their EDDI role.

Check the Chrome Extension is enabled (Chrome/Edge)

Some policies can disable browser extensions. Navigate to the extension page on the browser, either: chrome://extensions or edge://extensions

Verify it is installed and enabled as such: