Troubleshoot incorrect configurations

Care Identity Authentication have provided a web page that allows a user to test whether their device is correctly configured to allow the use of smartcards with Care Identity Authentication. This page is also available from error pages from within the Care Identity Authentication service.

This page will perform a check to detect whether the device's operating system and browser are supported by Care Identity Authentication. The user will be warned if the combination is not supported and will be advised what to do.

Local IT support teams should advise the user how to proceed. Options may include using a different device or using a different browser. Consideration should be given to the device configuration the organisation has chosen to adopt.

If the page is accessed via a valid combination of operating system and browser the following page will be displayed:

Before continuing with the configuration check the user is prompted to confirm that this is the browser they wish to use with Care Identity Authentication (in line with the device configuration that the organisation has chosen to adopt) and that they have already successfully logged in to the Identity Agent by entering their smartcard and pin. If a user can not successfully log in to the Identity Agent the configuration check will give inaccurate results.

Any issues reported by the Identity Agent, as depicted below,  should be diagnosed using the troubleshooting advice in the Identity Agent Administration Guide, found within the Identity Agent Supporting Documentation on the NHS Digital Downloads page.

When the check button is pressed Care Identity Authentication will attempt to connect to the Identity Agent using the mechanisms that are appropriate for the detected operating system and browser. Care Identity Authentication will step through each mechanism in turn until it finds one that succeeds or all the mechanisms have been exhausted.

If a successful mechanism is found then a success report will be displayed as shown in the example below. This indicates that the device is correctly configured for use with Care Identity Authentication.

However if Care Identity Authentication can not find a mechanism to connect to the Identity Agent then an error report will be displayed.

If the configuration check is unsuccessful the error report will provide diagnostic information for each of the mechanisms that it attempted to use to connect to the Identity Agent, this section provides guidance on how to interpret this information and what corrective action to take.

NHS Credential Management

Note that the first version of NHS Credential Management was called the NHS Identity Hub and the messages below relate to both versions.

NHS Identity Hub/Credential Management cannot be found

This may be because neither NHS Credential Management or the earlier NHS identity Hub have been installed on the device (which may be appropriate if an organisation has decided not to use it) or because the software is not running. Note NHS Credential Management does not automatically start after installation but will do so on a subsequent user login or machine restart. If NHS Credential Management will not start please refer to the troubleshooting section of the NHS Credential Management Installation Guide.

This message may also be seen if group policy has set the browser privacy and security settings to block third-party cookies. To enable use of NHS Credential Management the group policy needs to be updated either to allow all third-party cookies or to selectively allow them for [*.]localhost. For further details see the Configuration section of the NHS Credential Management Administrator's Guide, this can be found at NHS Digital Downloads - NHS Credential Management.

NHS Identity Hub/Credential Management (v...) is running on port 43485 but is not connected

This indicates that NHS Credential Management or the NHS Identity Hub is running correctly but an error has occurred whilst attempting to communicate with the Identity Agent. This is not an expected scenario. You should contact the National Service Desk for assistance if it persists.

NHS Identity Hub/Credential Management (v...) is running on port 55000 and is connected but cannot login to Care Identity Authentication

This indicates that NHS Credential Management or the NHS Identity Hub is running correctly but an error has occurred whilst attempting to check whether the Identity Agent has already logged in the user.

This may occur if the Identity Agent is not running, the user did not in fact log in to the Identity Agent before starting the test, the user logged out of the Identity Agent before completing the test, or the Identity Agent log in was unsuccessful. For guidance on dealing with authentication issues with the Identity Agent please see the Troubleshooting section in the Administration Guide included in the installation files.

If the above reasons have been eliminated, then you can get further assistance by calling the National Service Desk on 0300 3035035 or raising a call using the National Service Desk tool.

Windows Security Dialog

The Windows Security dialog shown below may be displayed if NHS Credential Management is run on a Windows 7 machine or on a Windows 8 or 10 machine that has had its Internet Options modified from the default values.

To rectify this issue the Local intranet settings in the machine's Internet Options need modifying as described in the Configuration section of the NHS Credential Management Administrator's Guide, this can be found at NHS Digital Downloads - NHS Credential Management.

Chrome Extension not found

This indicates that the Chrome Extension is not installed in the browser. This message can safely be ignored unless the organisation has adopted the Chrome Extension alternative configuration. In this case the Chrome Extension and Native Bridge need installing using the Chrome Extension Installation Guide.

Chrome Extension (v...) installed but Native Bridge cannot be found

This indicates that the Chrome Extension is installed in the browser but the Native Bridge component on which it depends has not been installed. In this case the Chrome Extension and Native Bridge need re-installing using the Chrome Extension Installation Guide.

Chrome Extension (v...) installed and using Native Bridge (v1.0.0.20376) but cannot login to Care Identity Authentication

This indicates that the Chrome Extension and Native Bridge components are running correctly but an error has occurred whilst attempting to check whether the Identity Agent has already logged in the user.

This may occur if:

• the Identity Agent is not running
• the user did not in fact log in to the Identity Agent before starting the test
• the user logged out of the Identity Agent before completing the test
• the Identity Agent log in was unsuccessful.

For guidance on dealing with authentication issues with the Identity Agent please see the Troubleshooting section in the Administration Guide included in the installation files.

If the above reasons have been eliminated, then you can get further assistance by calling the National Service Desk on 0300 3035035 or raising a call using the National Service Desk tool.

ActiveX Control not found

This indicates that the ActiveX Control is not installed in the browser. This message can safely be ignored unless the organisation has adopted the ActiveX Control alternative configuration for use with e-RS. In this case the ActiveX Control should be installed using the e-RS Installation Guide.

ActiveX Control not found (with IE11 Dialog Box)

If the ActiveX Control has been installed in the browser but the Care Identity Authentication URL has not been added to the browser's trusted sites list the following IE11 dialog box may be displayed.

The Care Identity Authentication URL (https://am.nhsidentity.spineservices.nhs.uk) should be added to the browser's trusted sites list. This can be done by selecting the browser's Internet Options menu option, selecting the Security tab and using the Sites button associated with the Trusted sites icon.

ActiveX Control is installed but cannot login to Care Identity Authentication

This indicates that the ActiveX Control is running correctly but an error has occurred whilst attempting to check whether the Identity Agent has already authenticated the user.

The most likely cause of this message is that user has allowed the ActiveX Control to run (see the IE11 dialog box above) but the Care Identity Authentication URL (https://am.nhsidentity.spineservices.nhs.uk) has not been added to the browser's trusted sites list. This can be done by selecting the browser's Internet Options menu option, selecting the Security tab and using the Sites button associated with the Trusted sites icon.

This may also occur if:

• the Identity Agent is not running
• the user did not in fact log in to the Identity Agent before starting the test
• the user logged out of the Identity Agent before completing the test
• the Identity Agent log in was unsuccessful.

For guidance on dealing with authentication issues with the Identity Agent please see the Troubleshooting section in the Administration Guide included in the installation files.

If the above reasons have been eliminated, then you can get further assistance by calling the National Service Desk on 0300 3035035 or raising a call using the National Service Desk tool.

Java is not enabled

This indicates that a Java JRE has not been installed on the user's device. Java is not required to use Care Identity Authentication unless the organisation has adopted the Java Applet alternative configuration. 

The Java Applet is not enabled

This indicates that a Java JRE has not been installed on the user's device or the Java Applet has not been successfully loaded into the browser.

This message may occur if the Java JRE security configuration is preventing the Java Applet from running or if the user does not accept or cancels a Java JRE dialog. For example the first time the Java Applet runs the dialog below will be shown asking the user's permission to run the Java Applet (note that it retains the old name for Care Identity Authentication i.e. NHS Identity) , if the dialog is closed at this point or cancelled the message will be displayed. Unless the user selects the Do Not Show Again checkbox then the dialog will be shown every time the Java Applet is loaded.

Another possible cause of this message is that the GATicket.jar file is not present on the device. This can occur when the Java JRE is updated or installed after the original installation of the Identity Agent. For further information on how to check and fix this issue please see the 'Following Java Upgrade' section of the Administration Guide included in the Identity Agent installation files.

The Java Applet is designed to run with the default Java JRE settings and this guidance does not cover the advanced settings organisations may be using on their devices which could prevent the Java Applet from loading. We recommend that if this message is seen, and is not explained by the reasons above, the debug capabilities of the Java Console along with the Java Console application are used to determine what security setting is preventing the Java Applet from running.

The Java Applet is loaded but cannot login to Care Identity Authentication

This indicates that the Java Applet is running correctly but an error has occurred whilst attempting to check whether the Identity Agent has already logged in the user.

This may occur if:

• the Identity Agent is not running
• the user did not in fact log in in to the Identity Agent before starting the test
• the user logged out of the Identity Agent before completing the test
• the Identity Agent log in was unsuccessful.

For guidance on dealing with authentication issues with the Identity Agent please see the Troubleshooting section in the Administration Guide included in the installation files.

If the above reasons have been eliminated, then you can get further assistance by calling the National Service Desk on 0300 3035035 or raising a call using the National Service Desk tool.

You can get support by calling the National Service Desk on 0300 3035035 or raising a call using the National Service Desk tool.