Known issues and limitations

Known issues

  • macOS notarization:
    Apple has introduced notarization requirements for normal software installation and has at the same time raised the minimum macOS SDK version that a notarized application may be built against. In those newer SDK versions Apple has removed support for TokenD. CTK (CryptoTokenKit), the replacement for TokenD, unfortunately has usability shortcomings, and we therefore want to keep offering the possibility to use TokenD in our software. Because of this we can currently sign the software for macOS as before, but we cannot use Apple’s notarization service. As a result, our software cannot be installed directly from the download. Workaround: save the downloaded software to a USB memory or to your file system and start the installation from there. We are working on improving the CTK user experience, but we depend on Apple’s implementation. There is also a high probability that TokenD will be permanently discontinued in the next version of macOS.

  • Ubuntu 18.04: A canberra-gtk-module error is shown when running the NiE GUI. Install libcanberra-gtk-module to fix the problem.

  • Windows WiFi and VPN: Due to a context handling issue in Windows, the built-in WiFi and VPN clients intermittently fail to connect. The PC must then be restarted to reset the context before the built-in Windows WiFi and VPN can be used again.

  • Windows 10: There are still some issues regarding the interaction with the Windows 10 Credential Provider. It is unclear whether the problems are caused by Windows 10 or by Net iD Enterprise, so we will wait for upcoming patches from Microsoft before investigating further. Examples:

    • CredentialProvider → InitChangePin fails in mstsc for Windows 10.

    • Report unlock does not work in Windows 10, since it asks for LOGON credentials instead of performing an UNLOCK.

    • Windows 10 v1703 → The Pass-through Credential Provider cannot detect the card removal event; use the Full Credential Provider instead.

  • When using Net iD Certificate Provider together with Net iD Minidriver [1], the Microsoft "Smartcard Credential Provider" interferes with certificate reading, which results in a failed SSL/TLS login in Internet Explorer. The solution [2] is to disable only the 32-bit Microsoft "Smartcard Credential Provider", since the 64-bit provider is used for pre-authentication login.

  • Net iD Enterprise Full CP (Credential Provider) on Windows client OS’s:

    • When using Full CP, the card reader is locked by the Microsoft Smart Card Credential Provider, which causes longer logon and unlock times. We recommend excluding the Microsoft Smart Card Credential Provider in Group Policy when using Full CP.

  • Windows Install:
    iidsetup.exe -install -silent must not be used, since uninstall then fails; use only iidsetup.exe /q.

  • Windows:
    The Credential Provider cannot present correct information when mapping a network drive.

  • macOS:
    When enrolling a second soft token, it replaces the first soft token in the Keychain Access application. Workaround: drag and drop the first token from /Users/'user'/Library/Keychains/ into the Keychain Access application.

Known limitations

  • The comma character "," must not be used in attributes of the Subject DN, Subject AltName or Issuer DN (for example Title in the Subject DN). Since the comma is used as the delimiter between attributes, there are in practice too many problems with implementations that cannot separate commas used as characters from commas used as delimiters.

  • Net iD Virtual smart card for TPM is not generally supported; it is a proof of concept only.

  • ECC (Elliptic-Curve Cryptography) is supported for test purposes only.

  • macOS uninstall:

    • The new NiE GUI v2 does not include an uninstall function. Uninstall by running the following command in the macOS terminal: cd /etc/iid && sudo ./uninstall

  • All PIN pad card reader support is handled as customer-specific support (no general support), so that the user environment can be verified.
    Limitations to consider due to the way PIN pads behave:

    • After the PIN has been entered on the PIN pad and verified by the card, the card reader is always locked to the process that requested the PIN. No other process can access the card reader until it is released.

    • Applications need to be aware of PIN pad behaviour and handle it appropriately, for instance by avoiding logging out when not necessary, to reduce the number of times the user has to enter the PIN.

    • PIN pads generally do not work well with multiple applications, since today's applications seldom log out at all.

    • Net iD Enterprise includes a special feature (supported only on Windows) that maps all applications using the pkcs11 plugin to the same process, i.e. an SSO-like behaviour, so that multiple processes can communicate with the PIN pad.

      • limitation #1: only one kind of process can access the PIN pad at a time, i.e. either 32-bit or 64-bit applications.

      • limitation #2: due to Windows behaviour it is, for example, not permitted to switch between the user desktop and the system desktop. This prevents, for instance, the use of SSO when logged in to Windows with credentials from the same card.

    • It is essential to check that every application to be used supports PIN pads.

  • Net iD Enterprise Full CP (Credential Provider):

    • The Windows authentication dialog in Internet Explorer fails to present the smart card credential when using Full CP. This is due to an undocumented feature in the Microsoft Windows environment and will be reported to Microsoft for further investigation.

    • Microsoft smart card removal service cannot be used with Full CP. Use the Net iD Enterprise card removal functionality instead.

    • Workstation unlock may be experienced as slow when using Full CP, because multiple key operations are performed on the smart card before the desktop is presented. This is mostly noticeable with older and slower smart cards.

  • Support for Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1 with Dual Interface: support for contactless communication is limited to using the card. Personalization, i.e. key generation and import of new certificates, has to be done via the contact interface.

  • For Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1, only a 2048-bit key length is supported for RSA keys. The cards do support 1024-bit RSA keys but cannot handle a mix of 1024-bit and 2048-bit keys. To avoid corrupt cards, and since the common recommendation is not to use 1024-bit keys any longer, only 2048-bit RSA keys are supported for these cards.

1. Net iD Minidriver is commonly used only in TS environments.
2. To disable the 32-bit Microsoft Smartcard Credential Provider, open the Registry Editor: 1. Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers 2. Right-click the CLSID of the provider, select New → DWORD (32-bit) Value, name the value "Disabled", and set the value data to "1".
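The manual registry step in note [2] can be scripted so that only the 32-bit (WOW6432Node) registration is disabled and the 64-bit one used for pre-authentication stays active. This is an added example, not a script shipped with Net iD Enterprise; it assumes that each provider subkey under "Credential Providers" is named by its CLSID and carries the provider's display name ("Smartcard Credential Provider") as the key's default value, and it must be run from an elevated 64-bit PowerShell.

```powershell
# Added example (not Net iD's own code): disable only the 32-bit Microsoft
# "Smartcard Credential Provider" and report the state of both registrations.
$Wow64Key    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$Native64Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$ProviderName = 'Smartcard Credential Provider'   # assumed display name stored as the key's default value

function Get-SmartcardCpKeys {
    param([string]$Root)
    # Return every CLSID subkey whose default value matches the provider display name,
    # so no CLSID has to be hard-coded.
    Get-ChildItem -Path $Root -ErrorAction Stop | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).'(default)' -eq $ProviderName
    }
}

function Disable-32BitSmartcardCp {
    $keys = @(Get-SmartcardCpKeys -Root $Wow64Key)
    if ($keys.Count -ne 1) {
        # Refuse to guess: exactly one 32-bit registration is expected.
        throw "Expected exactly one 32-bit '$ProviderName' key, found $($keys.Count); nothing changed."
    }
    # Same as the manual step: New -> DWORD (32-bit) Value, name 'Disabled', data 1.
    New-ItemProperty -Path $keys[0].PSPath -Name 'Disabled' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Disabled 32-bit provider $($keys[0].PSChildName)"
}

function Test-SmartcardCpState {
    # List both views so an administrator can confirm the 64-bit provider is still enabled.
    foreach ($root in $Wow64Key, $Native64Key) {
        $hive = if ($root -eq $Wow64Key) { '32-bit (WOW6432Node)' } else { '64-bit' }
        foreach ($k in Get-SmartcardCpKeys -Root $root) {
            $disabled = (Get-ItemProperty -Path $k.PSPath).Disabled
            [pscustomobject]@{
                Hive     = $hive
                CLSID    = $k.PSChildName
                Disabled = [int]($disabled -eq 1)
            }
        }
    }
}

Disable-32BitSmartcardCp
Test-SmartcardCpState | Format-Table -AutoSize
```

Run Test-SmartcardCpState on its own first to see the current state; the change takes effect at the next logon or unlock.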