EDDI technical installation and troubleshooting guidance
Guidance to support the technical installation of the Emergency Department Digital Integration (EDDI) product.
To ensure optimal performance when using EDDI, it is important that users have the correct IT infrastructure in place. The purpose of this guidance is to provide a consolidated set of instructions/guidelines relating to installation and troubleshooting.
This document contains the following:
pre-deployment checklist - a checklist to ensure your organisation has considered each item prior to accessing EDDI
desktop setup - a detailed guide on how to configure desktop PCs for use with EDDI
connection troubleshooting - a section to identify and correct problems with the local configuration settings that may be preventing connectivity to EDDI
This checklist is intended as a quick guide to ensure your PCs are configured correctly to access EDDI.
Do your PCs run Windows 10? (see step one)
Do your PCs meet the minimum hardware requirements? (see step two)
Are you using a compatible browser? (see the Warranted Environments Specification linked in step 2. Your browser needs to be compatible with NHS Identity Agent)
Do you have the NHS Identity Agent installed? (see step 3)
If you're using Chrome, have you installed the Chrome Bridge Extension? (see step 5)
Check that your browser and PC are configured correctly to access another smartcard authenticated national service, such as Summary Care Record or the NHS e-Referral Service (not mandatory).
Can you successfully navigate to https://eddi.nhs.uk? If you see an EDDI screen, this test has been successful (even if you cannot sign in at this stage). If you cannot reach this site, it may also be necessary for the local IT support team to check firewall rules and allow *.eddi.nhs.uk
Do all the appropriate users have smartcards with the correct roles assigned?
Desktop setup: requirements and configuration
To successfully use the EDDI application, the following installation and configuration steps should be followed:
Step 1: Sign in to a Windows PC
The EDDI application should only be run on a Windows PC with the latest supported operating system (currently Windows 10). EDDI may work on earlier versions of Windows (e.g. Windows 7), but these do not meet the minimum security and support requirements specified by NHS Digital.
To set up EDDI, you will need an account on the PC that has local administrator privileges. This may require assistance from your IT support team. To access and use EDDI, only a standard PC user account with N3/HSCN network access is needed.
Step 2: Ensure PC meets minimum hardware requirements
The EDDI application is a web based application that does not have a minimum specification hardware requirement, over and above that of the Windows operating system on which it is running. The more memory (RAM) that a system has, the more applications/data it can load at the same time. Additional memory may therefore be required if running multiple applications on the same PC.
Users of the EDDI application should work with their local IT providers and support staff to ensure their memory is adequate, especially if experiencing any slow response times.
The EDDI application is dependent on an N3/HSCN (Health and Social Care Network) connection.
As part of the test you may be prompted to download an ActiveX component and/or a Java applet. Select 'Yes' when prompted as they are required to perform the tests. Administrator privileges are required to complete this installation.
When the Internet Explorer Add-on window pops up, check that the name (of the ActiveX control) is IdentityAgent.dll and that the publisher is BJSS Ltd. Note that the certificate has expired.
ICT departments wanting to install the ActiveX control across their sites can download the ActiveX control and place the individual files in the following directory:
C:\Windows\Download Program Files
The two files required are:
Step 4.1: Verify that the EDDI URL is in the Trusted Site Security Zone
The EDDI application has been designed and tested to run in the “Trusted sites” zone within Internet Explorer, using “Low” security settings for that zone. This can be configured either manually, or through desktop management software, and is the responsibility of local IT support teams.
Both HTTP and HTTPS traffic must be included in the “Trusted sites” zone.
To verify that EDDI is correctly configured in the “Trusted sites” zone, navigate to Internet Options > Security and ensure *.eddi.nhs.uk is displayed as "Trusted sites".
You can view this in Internet Explorer by right clicking on the page and selecting Properties.
Internet Options are available via the Tools menu.
This is illustrated in the following screen shots:
Should the zone display “Unknown Zone (Mixed)” (as below) this is because only HTTP or HTTPS traffic (but not both) has been configured to be in the “Trusted sites” zone:
When manually configuring the URL to be in the Trusted sites zone, ensure that the “Require server verification…” checkbox is unchecked:
IT administrators can add the URL to the Trusted Sites zone using a simple registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nhs.uk]
"*"=dword:00000002
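The registry entry above is keyed on the parent domain nhs.uk with the scheme wildcard "*", so it is worth confirming exactly which hosts and schemes end up mapped on a given PC. The PowerShell below is an added example, not part of the original guidance: it lists the ZoneMap entries under nhs.uk in HKLM and HKCU and reports the http/https mismatch that the guide associates with "Unknown Zone (Mixed)". The function name Get-ZoneMapEntry is hypothetical, and the zone numbers are the standard Internet Explorer zone IDs.

```powershell
# Added example, not from the EDDI guidance. Read-only: it changes nothing.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet'; 4 = 'Restricted sites' }
$domain  = 'nhs.uk'   # parent domain key used by the guide's registry entry
$relPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Hypothetical helper: describe the scheme-to-zone values stored on one ZoneMap key.
function Get-ZoneMapEntry {
    param([string]$KeyPath, [string]$HostPattern)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }                                  # key absent in this hive
    $names = @($key.GetValueNames() | Where-Object { $_ })     # skip the unnamed default value
    if ($names.Count -eq 0) { return }
    $finding = 'http and https are treated alike'
    if ($null -ne $key.GetValue('*')) {
        $finding = 'wildcard scheme: every protocol is mapped'
    } elseif ($key.GetValue('http') -ne $key.GetValue('https')) {
        $finding = 'http and https differ: expect "Unknown Zone (Mixed)"'
    }
    [pscustomobject]@{
        Host    = $HostPattern
        Mapping = ($names | ForEach-Object { "$_=$($zoneNames[[int]$key.GetValue($_)])" }) -join ', '
        Finding = $finding
        Key     = $key.Name
    }
}

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    $root = "$hive\$relPath\$domain"
    Get-ZoneMapEntry -KeyPath $root -HostPattern "$domain (domain-level key)"
    # Subdomains are stored as subkeys of the domain key.
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        Get-ZoneMapEntry -KeyPath $_.PSPath -HostPattern "$($_.PSChildName).$domain"
    }
}
if ($report) { $report | Format-List } else { "No ZoneMap entries found for $domain" }
```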
Step 4.2: Check browser compatibility mode is not set
Compatibility View settings in Internet Explorer are maintained by selecting the Compatibility View settings command in the Tools menu.
Ensure that the domain or any parent domain is not listed in the “Websites you’ve added to Compatibility View” section:
Compatibility View settings can be set by Group Policy, so may need to be revised by IT administrators.
Chrome and Microsoft Edge
Configuration for Google Chrome and Microsoft Edge is the same.
Microsoft Edge v79 and later uses the Chromium engine open source software. In order to use Chrome or Edge for EDDI, the NHS Digital Chrome Extension will be required.
Note that versions of Edge which do not use the Chromium engine will not work with EDDI, even with the NHS Digital Chrome extension.
Step 5: Install Chrome Extension
The Chrome Extension consists of a Native Bridge component along with the Chrome Extension itself. Both components are required to communicate with the Identity Agent.
Appendix A - Connection and installation troubleshooting
To identify the cause of problems experienced trying to access EDDI, please complete checks 1 and 2 below.
If any of the checkpoints fail, follow the guidance within the relevant subheading to resolve the problem. If you run through all the checks and have ruled out all potential local issues and are still unable to access EDDI, please call the National Service Desk.
Check 1: Insert a smartcard and expect to be prompted for a passcode
After inserting a smartcard, the Identity Agent software should immediately become active.
After a few seconds you should be presented with a prompt to enter your passcode, which will look similar to one of the following (depending on which version of Identity Agent is installed):
Result: Nothing happens
If nothing happens after you insert a smartcard, check the following:
Check the card has been inserted correctly
Most card readers require the card to be inserted with the picture facing up and visible when inserted. One exception is the Fujitsu Siemens card reader keyboard which requires the card to be inserted facing down.
Check the physical connections to the PC
The cable should be securely connected to the smart card reader and, at the other end, to a USB port in the PC. If using a USB hub, check that there is power (if required) and that the hub in turn is connected to the PC.
Check the USB port is working
When a USB device is plugged in, the PC should check for valid drivers. Test the port with a USB drive or other device. If the port is not functioning, check within Device Manager to ensure it is installed.
Check the network availability
Test that the PC has Internet access and can access NHS web sites such as https://nww.ebs.ncrs.nhs.uk/browsercheck. If not, speak to the local IT administrator to get valid IP details for the PC. Ensure the network is available before proceeding.
Check the Identity Agent software is active
If you have HSCIC Identity Agent v2 (or later) installed, then the icon in the system tray will look as follows:
By right clicking on the icon, you will be able to get the Status of the Identity Agent or to Exit (quit the application), as shown below:
If you have quit the Identity Agent application, it can be started via the Windows Start button by navigating to the Identity Agent icon:
Result: Identity Agent brings up an error
When the card is inserted, a message box appears saying you cannot connect to the server (see below):
You should see an XML page similar to the example below:
If not, check the local network settings to ensure there is connectivity to the URL above. Further troubleshooting information on this issue can be found in the Identity Agent documentation (HSCN/N3 access required).
Check 2: Does the EDDI page appear?
The EDDI landing page can vary depending on a person’s user profile.
If the user is able to access multiple organisations and/or locations, then EDDI displays a list of possible choices for the user to select from:
Alternatively, if the user has only one org/location but multiple roles, EDDI displays a list of roles for the user to choose from:
If the user has only one location and role, but multiple services, EDDI displays a list of services:
If the user has only one org/location and role, the system will automatically log in to the user's homepage with the ‘Daily view’ screen displayed:
Result: A blank screen is displayed
Ensure ‘Enable Meta Refresh’ is set
Ensure that the ‘Allow Meta Refresh’ variable in the trusted sites’ security settings is set to “enable”. This should be set to “enable” if the Trusted sites’ security level is set to the default (Low) level.
EDDI uses an ActiveX control as the primary mechanism for logon in Internet Explorer.
When the Internet Explorer Add-on window pops up, check that the Name (of the ActiveX control) is IdentityAgent.dll and that the Publisher is BJSS Ltd. Click on the Install button to install the ActiveX control. Note that administrator privileges are required to complete this installation.
Check Chrome Extension is installed
If using Google Chrome browser, ensure that the Chrome Extension has been installed.
Check if the PC is running through a proxy server
Local support may be preventing users bypassing the proxy server. If in doubt, please contact your local administrator.
Check that Windows updates are installed
It is possible the Windows hotfixes are not up to the required level.
It is possible that the version of mshtml.dll on the machine does not match its COM interface registry entries, which results in the Checking Authentication page hanging. Re-registering this DLL may resolve this login issue.
To re-register the DLL, type the following line into the command prompt:
Local administrator privileges are required to successfully execute this command.
Check the environment settings
Check the Environment variable by right-clicking "My Computer" or “Computer” or “This PC” (depending on the Windows version on your PC), then select "System Properties" or “Properties”, then “Advanced System Settings” (if running Windows 7 or Windows 10), then "Environment Variables".
Ensure the "Path" contains C:\Program Files\Gemalto\Classic Client\bin
If the Path does not contain the above directory, reinstall the card reader software.
Check the TicketApiDll.dll file
Check that the TicketApiDll.dll file is present.
Complete a search within Windows Explorer to ascertain if there are any other files with the name TicketApiDll.dll. If multiple files are found, ensure they are of the same size and have the same version. If not, delete any older files found with caution.
Some GP system suppliers deploy a version of the TicketApiDll.dll file to the network drive. If present, the version of this file should be checked.
Check the version of the TicketApiDll.dll file
If you have installed the new HSCIC Identity Agent (v2.0 or later), then the TicketApiDll.dll version will be 188.8.131.52 or later. Earlier versions of the TicketApiDll.dll file are not compatible with the ActiveX control and are no longer supported.
If you have a different or unsupported version, then the recommended approach is to reinstall the Identity Agent to ensure the correct versions are installed rather than deleting or replacing manually.
Check the JAR file
Search for the file name GATicket.jar on the local drive and ensure there is a copy of the file within C:\Program Files\Java\<latest JRE directory>\lib\applet or C:\Program Files (x86)\HSCIC\Identity Agent directory, and that all other instances are removed.
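The TicketApiDll.dll and GATicket.jar checks above amount to an inventory of every copy on disk. The PowerShell below is an added example, not part of the original guidance: it records size, file version and SHA-256 for each copy and flags any file name whose copies are not byte-identical. The function name Find-AgentFileCopy and the default search root are assumptions; pass network drive paths in -Root where a supplier deploys the DLL there.

```powershell
# Added example, not from the EDDI guidance. Read-only inventory of agent files.
function Find-AgentFileCopy {            # hypothetical helper name
    param(
        [string[]]$Name = @('TicketApiDll.dll', 'GATicket.jar'),   # file names from the guide
        [string[]]$Root = @("$env:SystemDrive\")                   # assumed search root(s)
    )
    $copies = Get-ChildItem -Path $Root -Include $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = 'n/a'                                   # Authenticode applies to the DLL only
            if ($_.Extension -eq '.dll') {
                $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.FullName
                Size      = $_.Length
                Version   = $_.VersionInfo.FileVersion     # empty for the .jar
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = $sig
            }
        }
    foreach ($group in ($copies | Group-Object Name)) {
        # Identical hashes imply identical size and version, the guide's criteria.
        $distinct = @($group.Group.SHA256 | Sort-Object -Unique).Count
        $state = 'MISMATCH: copies differ'
        if ($group.Count -eq 1) { $state = 'single copy' }
        elseif ($distinct -eq 1) { $state = 'identical copies' }
        $group.Group | Select-Object *, @{ Name = 'State'; Expression = { $state } }
    }
}

Find-AgentFileCopy | Sort-Object Name, Path |
    Format-Table Name, Version, Size, State, Signature, Path -AutoSize -Wrap
```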
Check the EDDI roles
It is necessary for EDDI to synchronise with the Spine Directory Service (SDS) to pick up any new users. This synchronisation can take up to an hour. Therefore, a user will need to allow for this period to elapse after their RA Manager has issued their smart card, prior to logging on for the first time. In addition, the user's details will only be picked up from SDS if they have a valid role profile.
A legitimate role profile consists of:
an applicable organisation
a valid EDDI role
If this error is displayed, the user should go back to their RA Manager to verify their EDDI role.
Check the Chrome Extension is enabled (Chrome/Edge)
Some policies can disable browser extensions. Navigate to the extension page on the browser, either: chrome://extensions or edge://extensions