NHS Digital Identity Agent v2.2 is now on general release and available for download
Download site
http://nww.hscic.gov.uk/dir/downloads/
This site provides:
- NHS Digital IA v2.2
- All supporting components, including middleware
- Release documentation
Overview
The Identity Agent is an installable component that resides on every device that acts as a point of access to Spine systems. That is, every Windows desktop in a hospital, GP surgery, or other organisation where a clinical role is performed.
NHS Digital Identity Agent v2.2 (IA v2.2) is a new version of this software. Along with other improvements, it has been designed to provide more secure and convenient ways of working and builds on the features provided with previous versions.
Precedence Order
The Identity Agent now correctly uses the precedence order of Mobility Mode / Session Persistence / Enhanced Normal Mode / Normal Mode depending upon whether any of the options are set to true in the registry.
Citrix
Support for authentication via Citrix. To enable Citrix support, add the value ‘UseCardReaderPolling’ to the Identity Agent registry key and set it to ‘true’.
Note that CMS operations are not supported on VDI / Terminal Services / Citrix, only authentication is supported.
Testing has been conducted using Windows Server 2012R2 for this functionality.
It is recommended to turn card healing off when using Citrix.
Cache Clearance
The cache clearance tool for Oberthur Smartcards, used when a Series 8 (OT) Smartcard gives the message “There is a problem reading your Smartcard…”, is now built into the Identity Agent. It is triggered automatically when the user has both Oberthur Middleware and a Series 8 Smartcard and the Identity Agent cannot read the Smartcard. Following installation of Identity Agent v2.2, there should no longer be any need to run the cache clearance tool to resolve the “Problem reading Smartcard” error.
Update to the URL called for T&Cs
A change of URL used for the Terms and Conditions link on the PIN form.
Locked Smartcard
If the user attempts to use a locked Smartcard or inadvertently locks their Smartcard due to too many incorrect PIN entries, the Identity Agent now provides a link to the self-service unlock URL so that users who have previously registered for this service can access it easily.
Note 1: The Identity Agent does not provide a link to register for self-service as you have to be authenticated in order to register.
Note 2: The Identity Agent only redirects to the live Smartcard unlock service regardless of the current registry settings. Users wishing to use Path-to-Live self-service unlock will still need to enter this address manually.
Note 3: If the user locks their Smartcard on the secure desktop when unlocking their machine, the self-service unlock link will only be visible on their main desktop after the machine is unlocked.
NHS Enrollment Flag
In some circumstances where CMS operations have failed unexpectedly, the registry has been left with the NHSEnrollment flag set to 1.
Usually this registry key is set to 0 when Oberthur middleware is installed; this points the Middleware to the Agile applet on the Oberthur Smartcard.
CMS flips this registry key to 1 in order to write certificates to the Compatibility applet on the Smartcard; this enables the Smartcard to be used for authentication on machines with just Gemalto Middleware installed.
If the NHSEnrollment key is left set to 1, then in some circumstances authentication will not be possible on that machine.
The Identity Agent now sets the NHSEnrollment key to 0 (if it isn't already) on machines where Oberthur middleware is installed or where the registry key exists. This is done each time the Smartcard is inserted.
Gem Heal
Gem Heal now only runs on Series 4/5/6 Smartcards. Specifically, it is now never invoked on Series 8 Smartcards.
Broken Spring Check (CardRemovalCheck)
CardRemovalCheck can now be turned on and off dynamically, rather than requiring a restart of Identity Agent.
This means that self-renewals of Series 8 Smartcards on machines without Oberthur middleware will no longer require an Identity Agent restart. However, a future CMS update will be required to support this feature, so currently the Identity Agent will still require a restart to support self-renewal of Series 8 Smartcards. The CMS change is planned for early 2019.
New Certificates
New live Sub CA 1C and 1D Certificates are installed into the Intermediate Certificate Store to support future live certificate updates.
Normal Mode
The introduction of having to reverify when unlocking a machine which has been left authenticated with Spine (the Smartcard has been left in the card reader during lock period) has caused issues for some users. There have also been feature requests to be able to turn this feature on and off.
By default, Identity Agent v2.2 operates in a normal mode where the user does not have to reverify when they unlock Windows, as in Identity Agent v1. If the trust wishes to use the behaviour of the previous version of Identity Agent v2.x, this can be invoked by setting the registry key ‘EnhancedNormalMode’ to ‘true’.
This change is dynamic and does not need the Identity Agent to be restarted when enabled.
Resolved issues
- With the previous version of Identity Agent, if Windows was locked, then the network connection was removed, the Smartcard was removed and finally Windows was unlocked, the user could be presented with a black screen instead of going directly to their desktop, forcing them to log out of Windows and back in. The logic flaw causing this issue has been resolved.
- Black screen issues. There are various black screen issues when locking and unlocking Windows. Identity Agent v2.2 attempts to resolve many of these. However, we are aware of some that still remain. These are mainly around the locking of Windows when on the second secure desktop when the user performs either Win+L or ‘Ctrl+Alt+Del and then lock’ to lock their machine. These issues seem only to affect machines running Windows 10 and this issue is currently under investigation by Microsoft support as this is a Windows bug and not an Identity Agent bug. It should be noted that locking the machine by clicking the ‘Lock’ button on the reverify PIN form will stop this from occurring.
Supporting information
Identity Agent v2.2 is likely to be compatible with third-party application(s)
System suppliers have been formally invited to integration test Identity Agent v2.2 against their software. However, prior to installation of Identity Agent v2.2, please confirm its compatibility status against your particular suite of third-party applications with their suppliers.
Registry changes and configuration
With a default installation, Identity Agent v2.2 will:
- Authenticate into Live
- Be in ‘Normal’ mode
- Not launch any web browser applications on login
- Close down all browser sessions on logging out
A small amount of registry modification is required to enable any of the following features:
- Mobility Mode
- Session Lock Persistence
- Enhanced Normal Mode
- CardRemovalCheck set to False. Recommended for RA users
- Automatic launch of specific Spine web applications on login
- Automatic closure of specific (or no) web browsers on logout
- Citrix configuration
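The following PowerShell script is an added example and is not NHS Digital's code or part of the Identity Agent release. It is a read-only audit of the registry flags described in these notes: it reports the effective mode using the precedence order given above (Mobility Mode, then Session Persistence, then Enhanced Normal Mode, otherwise Normal Mode), whether Citrix polling is on, whether CardRemovalCheck has been turned off, and whether an NHSEnrollment flag has been left at 1. The registry key path is a placeholder, because these notes do not state it; ‘UseCardReaderPolling’, ‘EnhancedNormalMode’, ‘CardRemovalCheck’ and ‘NHSEnrollment’ are the value names the notes use, while ‘MobilityMode’ and ‘SessionLockPersistence’ are assumed names for the two features the notes do not name a value for.

```powershell
# Added example, not NHS Digital's code: audit the Identity Agent registry flags.
# ASSUMPTIONS: $IdentityAgentKey is a placeholder (the release notes give no path);
# 'MobilityMode' and 'SessionLockPersistence' are assumed value names.
# The script only reads the registry; it changes nothing.

$IdentityAgentKey = 'HKLM:\SOFTWARE\<IdentityAgentVendorKey>'   # placeholder path

function Test-IaFlag {
    param([string]$Name, [hashtable]$Values)
    # The notes describe flags set to the string 'true'; a non-zero DWORD is also accepted.
    if (-not $Values.ContainsKey($Name)) { return $false }
    $v = $Values[$Name]
    return (($v -is [string]) -and ($v.Trim().ToLower() -eq 'true')) -or
           (($v -is [int]) -and ($v -ne 0))
}

function Get-IaEffectiveMode {
    param([hashtable]$Values)
    # Precedence order from the release notes: first matching flag wins.
    if (Test-IaFlag 'MobilityMode' $Values)           { return 'Mobility Mode' }
    if (Test-IaFlag 'SessionLockPersistence' $Values) { return 'Session Persistence' }
    if (Test-IaFlag 'EnhancedNormalMode' $Values)     { return 'Enhanced Normal Mode' }
    return 'Normal Mode'
}

function Get-IaAudit {
    param([string]$KeyPath = $IdentityAgentKey)
    if (-not (Test-Path $KeyPath)) { throw "Identity Agent key not found: $KeyPath" }

    # Collect the key's values, dropping the PS* provider properties.
    $props  = Get-ItemProperty -Path $KeyPath
    $values = @{}
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
    }

    [pscustomobject]@{
        EffectiveMode        = Get-IaEffectiveMode $values
        CitrixPolling        = Test-IaFlag 'UseCardReaderPolling' $values
        # CardRemovalCheck explicitly set to false (the notes recommend this for RA users).
        CardRemovalCheckOff  = ($values.ContainsKey('CardRemovalCheck') -and
                                -not (Test-IaFlag 'CardRemovalCheck' $values))
        # v2.2 resets NHSEnrollment to 0 on card insertion; a value still at 1
        # on a machine that does not perform CMS operations is worth a look.
        NHSEnrollmentLeftAt1 = ($values.ContainsKey('NHSEnrollment') -and
                                ([int]$values['NHSEnrollment'] -eq 1))
    }
}

Get-IaAudit | Format-List
```

Run it in an elevated PowerShell session after replacing the placeholder key path with the key your installation actually uses; the output is a single object listing the effective mode and the three flags of interest, which makes it straightforward to run across an estate before and after rolling out v2.2.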
Identity Agent v2.2 works with the middleware (Gemalto) already in use with BT Identity Agents and HSCIC Identity Agent v1 and higher.
However, please note that uninstalling BT Identity Agent also removes the Gemalto middleware, so this middleware will need re-installing in addition to installing Identity Agent v2.2 (the two components are not part of the same installation package).
To clarify, Identity Agent v2.2 does not require Oberthur middleware unless, as with previous versions of Identity Agent, the user is performing CMS functions through the CIS application on Oberthur Smartcards.
Find support or provide feedback for NHS Digital Identity Agent v2.2
NHS Digital Identity Agent v2.2 ‘Known Issues’ are listed in the Release Notes, and a ‘Troubleshooting Guide’ is available in the Administrators Guide.
A forum exists on NHS Networks for further information, feedback and questions: https://www.networks.nhs.uk/nhs-networks/identity-agent
There is now also an Identity Agent team on Slack, where you can join and post queries and minor support issues: https://identityagent.slack.com
Formal support calls, however, should be placed as normal with the National Service Desk by calling 0300 303 5678.
Alternatively, send an email to the National Service Desk [email protected] and we’ll get back to you.