ActivIdentity ActivClient 7.0.2

(version 7.0.2.25 - 2013-04-08)

-------------------------- Release Notes --------------------------

 

TABLE OF CONTENTS

1       SUPPORT SERVICES

2       WHAT’S NEW IN THIS RELEASE

2.1         What’s New in ActivClient 7.0.2

2.2         What’s New in ActivClient 7.0.1

2.3         What’s New in ActivClient 7.0

3       KNOWN PROBLEMS, SYSTEM REQUIREMENTS AND LIMITATIONS

3.1         Supported Platforms

3.2         Installation and Uninstallation

3.2.1      Installing

3.2.2      Upgrading and Updating

3.2.3      Uninstalling

3.2.4      Software Deployment with Microsoft SCCM

3.2.5      Microsoft Windows 8-Related Limitations

3.3         ActivClient PKI Services

3.3.1      Certificate Availability

3.3.2      Windows PKI Authentication

3.3.3      Microsoft Outlook

3.3.4      Microsoft Outlook Usability Enhancements

3.3.5      Internet Explorer and Google Chrome

3.3.6      Windows EFS

3.3.7      Firefox / Thunderbird

3.3.8      Microsoft certutil

3.3.9      Other PKI Applications

3.4         ActivClient Common Services

3.4.1      User Console

3.4.2      ActivClient Agent

3.4.3      Diagnostics Tool

3.4.4      Card Auto Update with ActivID CMS

3.4.5      Generic Smart Card Services

3.4.6      ActivID CMS Issuance Station

3.4.7      ActivID CMS My Digital ID Card

3.4.8      Citrix XenApp Sessions

3.4.9      Microsoft Remote Desktop Sessions

3.4.10     Notification Services

1      SUPPORT SERVICES

Premium support customers can use the numbers listed below to call the dedicated ActivIdentity support specialists in their region. All other customers should contact the reseller who sold them their ActivIdentity product.

 

United States

T +1 800.670.6892 (Toll-Free)

 

Europe, Middle East and Africa

T +33 (0) 1.42.04.80.80

 

Asia Pacific

T +61 (0) 3.9809.2892

 

Email: support@actividentity.com

2      WHAT’S NEW IN THIS RELEASE

2.1    What’s New in ActivClient 7.0.2

ActivClient 7.0.2 is a maintenance version of ActivClient. It brings the following improvements:

 

Improved support for Microsoft Windows 8 and Windows Server 2012:

·         Full compliance with the Microsoft Windows 8 logon experience.

·         With ActivClient 7.0.1, you can select the Smart Card icon in the main logon screen and perform a successful Windows logon, or select the User icon and perform a password logon. The “Sign-in options” feature is not available, so you cannot switch the authentication mode from the User authentication screen.

·         With ActivClient 7.0.2, you see only one icon per user in the main logon screen. When you select this user icon, you can log on with a password or access certificates under Sign-in options. If you select a certificate and enter the PIN, you log on successfully and have access to the ActivClient PIN cache, which improves the user experience during the Windows session.

·         Change PIN (accessible via the Windows “Change Password” menu) is now supported.

·         The ActivClient Unlock PIN dialog box and the ActivClient PIN Initialization Tool now display automatically when the relevant card is inserted (desktop mode only).

·         See section 3.2.5 for the list of known compatibility issues with Microsoft Windows 8 that will be addressed in an upcoming version.

Other functional improvements:

·         Support for all ActivClient standalone Java cards – standalone profiles and standalone / mini profiles. (Note: Cryptoflex smart cards are not supported with ActivClient 7.x.)

·         Support for all ActivClient standalone features such as card initialization, certificate download, card unlock, card reset, and selection of a “default” certificate stored on the card (same features as in ActivClient 6.2).

·         Automatic root certificate installation in the Microsoft Windows certificate store (78495).

2.2    What’s New in ActivClient 7.0.1

ActivClient 7.0.1 is a maintenance version of ActivClient. It brings the following improvements:

·         The User Console adds the Import Certificate capability (PFX and P12 formats) – availability dependent on the card configuration

·         The ActivClient MSI Installer is updated to support installation on workstations connected to a large Active Directory domain (76469, 76617 and 78979)

 

ActivClient 7.0.1 also brings partial support for Microsoft Windows 8; full support will be provided in the upcoming ActivClient 7.0.2.

The following is a list of compatibility issues between ActivClient 7.0 and Microsoft Windows 8 that are resolved in ActivClient 7.0.1:

·         ActivClient 7.0 installation might fail if a reader is not connected during installation

·         In the Windows logon screen, if you select a Smart Card icon under “Sign-in options”, you will be able to successfully log on to Microsoft Windows, but the ActivClient PIN cache will not be enabled, which will lead to repeated PIN prompts.

·         If you access remote resources, Microsoft Windows displays the list of available credentials in a Windows Security dialog box, but certificates are displayed twice. Selecting some of these doubled certificates leads to a second PIN prompt after a successful Microsoft Windows authentication.

·         If you try to authenticate to a web site with your smart card using Internet Explorer for the desktop, the browser might freeze.

·         When a PIN prompt appears, you might run into issues if you enter the PIN too slowly. This applies to several use cases, including with Internet Explorer.

2.3    What’s New in ActivClient 7.0

ActivClient 7.0 is a major version of ActivClient. It includes a brand new middleware architecture designed to better address new security requirements and enhanced integration with the Microsoft Windows platform.

 

·         ActivClient now includes a smart card mini driver compatible with Windows Base Smart Card Crypto Provider; this replaces the ActivClient CSP. This new component enables new services such as PIN Change and PIN Unlock integrated into the Windows user interface. It also enables access to SHA-2 hashing algorithms for digital signature operations with applications such as Outlook and Outlook Web Access.

·         ActivClient includes a PKCS#11 library compatible with version 2.2. This upgrade enables access to SHA-2 hashing algorithms and AES encryption.

·         ActivClient is compatible with the latest generation of Personal Identity Verification (PIV) cards compliant with NIST Special Publication 800-73-3. Specifically, ActivClient supports on-card key history – if history encryption keys are stored on the card, ActivClient enables the user to access them, for example to decrypt older emails encrypted with these history keys. For non-federal issuers, ActivClient also supports GUIDs in the form of a UUID (instead of a FASC-N for federal issuers). ActivClient User Console has been enhanced to display additional personal information stored on the card.

·         ActivClient provides more flexibility for PIV-Compatible (PIV-C) and PIV-like cards, cards that use a PIV-compliant card edge, but that might implement different policies when FIPS 201 compliance is not required. ActivClient complies with the policies stored on the card during issuance with ActivID CMS. For example, if the card profile allows it, ActivClient supports challenge/response unlock, supports the “change PIN on first use” option, or enables the Digital Signature key to be used without enforcing the PIN for every signature (leveraging the ActivClient PIN cache).

·         ActivClient PIN Cache service has been updated to be compatible with the mini driver component. It has also been simplified compared to previous versions.

·         The ActivClient Outlook Enhancements have been extended. For example, administrators can now configure the hashing and encryption algorithms automatically: on card insertion, ActivClient updates the Outlook security profile to the selected algorithms (e.g. SHA-256 and AES).

·         ActivClient integrates better with Firefox and Thunderbird. During installation, on both 32- and 64-bit platforms, ActivClient registers the PKCS#11 library into these applications. This automatic registration is also performed on application startup, in order to support new users automatically.

·         ActivClient packaging is simplified – ActivClient CAC and ActivClient are now merged in a single package; a “US Department of Defense Configuration” option appears in the setup that automatically configures ActivClient with DoD policies.

·         ActivClient configuration settings have been simplified – configuration is now performed via Windows policies. ActivClient includes administrative templates that can be configured and deployed centrally (from a Group Policy Object), or locally (using local group policies). ActivClient provides access to the Resultant Set of Policy tool from the User Console, to provide a view of policies active on workstations. Configuration via registry keys and with the Advanced Configuration Manager is no longer supported.
Note: Some policies have changed to better align with Microsoft recommendations. For example, the “Setup email certificates in Outlook on card insertion” policy has been replaced by the “Turn off setup email certificates in Microsoft Outlook on card insertion” policy; its default value preserves the original policy behavior.

·         To better leverage Microsoft Windows and Office capabilities and avoid redundancy with them, some ActivClient features and policies have been removed. For example, certificate registration into the CAPI store is now provided by Windows, the PIN Change Tool is replaced by the native Windows PIN Change feature, and the certificate viewer in the User Console leverages Windows dialogs.

·         ActivClient supports the latest environments, such as:

          o    Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 – with latest service packs

               Note: Windows XP and Windows Server 2003 remain supported with ActivClient 6.2

          o    Microsoft Office 2007 and 2010 (including 64-bit); full support with the ActivClient Outlook Usability Enhancements

          o    Microsoft Exchange 2007 and 2010

          o    Internet Explorer 8 and 9

          o    Firefox 4 and later

          o    Google Chrome 11 and later

          o    Citrix XenApp 5 and 6

          o    New smart cards from ActivIdentity/HID (the Crescendo C800 and C1100), Gemalto, Giesecke & Devrient and Oberthur, including new PIV cards (SP 800-73-3 compliant)

          See the ActivClient Overview for the full list of supported environments.

·         A large number of bug fixes and minor enhancements, such as:

          o    Ability to customize the PIN length for PIV cards (within the standardized 6 to 8 digit range) using the ActivClient policies. For example, an organization might require a PIN to be 6 digits long. (64188)

          o    Transparent support for T=0 and T=1 cards (64409, 63961, 63694)

          o    ActivClient setup now automatically configures ActivClient components on the Citrix server; this avoids issues described at http://support.citrix.com/article/CTX891671. (72898)

          o    Extended length for the customized card / certificate expiration warning message. (75401)

          o    ActivClient PKCS#11 API includes extensions that provide access to PIV objects (the user’s personal information). (74127)

          o    Certificate friendly names have been improved for CAC and PIV cards – they now start with the certificate type instead of the username to better suit small user interfaces that truncate the friendly name.

          o    Outlook profile configuration now supports a configuration where the certificate email and the Exchange email do not match. (60691)

          o    Card auto-registration now supports PIV cards on Windows 7. (63101)

          o    New ActivClient policy providing the option not to clear the PIN from the PIN cache when the screen locks. (64812)

          o    Unattended smart card alert is improved to cause repeated beeps, for increased user awareness. (72833)

The following capabilities are not supported with ActivClient 7.0. ActivIdentity intends to support them in an upcoming release.

·         Standalone mode:

          o    Smart cards with a standalone profile based on ActivIdentity v1 applets or a standalone / mini profile are supported for usage services, not for management services.

          o    Smart cards with a standalone profile based on ActivIdentity v2.x applets are not supported.

          o    PIN initialization, unlock with a static unlock key and card reset are not supported for the standalone and standalone / mini profiles.

          o    Certificate download and certificate import are not supported with any card profile.

·         Limited one-time password services:

          o    ActivClient 7.0 supports OTP generation via the User Console and ActivClient Agent; it also supports OTP synchronization.

          o    However, Check Point SAA support and the ACOMX API are not supported.

          o    Initialization of a smart card via the 4TRESS AAA Server requires ActivClient 6.2 on the issuance station; once the card is issued, it can be used with ActivClient 7.0 for OTP generation.

·         Troubleshooting wizard

·         ActivClient SDK – API documentation and samples – refer to the relevant standards (NIST for PIV, RSA Labs for PKCS#11, Microsoft for the mini driver, GSA for BSI) for details.

·         Card profiles with secure messaging (SMA)

·         Compatibility with ActivIdentity SecureLogin

·         Compatibility with Entrust Authority and Entrust Entelligence Security Provider

 

The following capabilities are no longer supported with ActivClient 7.x.

·         Support for Cryptoflex cards, ActivKey v1 and v2

·         Compatibility with Entrust Entelligence Desktop Solution

 

See the product documentation for a full product description:

·         ActivClient Overview,

·         ActivClient Installation Guide,

·         ActivClient User Guide,

·         ActivClient Administration Guide.

3      KNOWN PROBLEMS, SYSTEM REQUIREMENTS AND LIMITATIONS

This section describes issues known by ActivIdentity as of the release date, but which have not been addressed in the current product version. When possible, fixes and workarounds are suggested. This section also describes known limitations of this release.

3.1    Supported Platforms

The following operating systems are supported by ActivClient 32-bit: Windows Vista (SP1 and SP2), Windows 7 (no SP and SP1), Windows 8 and Windows Server 2008 (no SP and SP2).

 

The following operating systems are supported by ActivClient 64-bit: Windows Vista (SP1 and SP2), Windows 7 (no SP and SP1), Windows 8, Windows Server 2008 (no SP and SP2), Windows Server 2008 R2 (no SP and SP1) and Windows Server 2012.

 

The following operating systems are NOT supported: Windows 2000, Windows XP, Windows Server 2003, any IA64 edition of Windows, and any prior Windows version. For Windows 2000, Windows XP and Windows Server 2003, use ActivClient 6.2.

 

On Windows Vista and Windows Server 2008, ActivIdentity recommends installing a few Microsoft hot fixes in order to improve the stability of the Windows smart card services. See http://support.microsoft.com/kb/978523, http://support.microsoft.com/kb/2521923 and http://support.microsoft.com/kb/2427997.

 

On Windows 7 and Windows Server 2008 R2, ActivIdentity recommends installing a few Microsoft hot fixes in order to improve the stability of the Windows smart card services. See http://support.microsoft.com/kb/2521923 and http://support.microsoft.com/kb/2427997.

3.2    Installation and Uninstallation

Before you install/uninstall/upgrade ActivClient, you must remove your smart card from the smart card reader.

 

Windows local administrative privileges or domain administrative privileges are required to install/uninstall ActivClient.

 

Close all opened applications before you install or uninstall ActivClient.

 

Do not install another application while using the ActivClient setup.

 

3.2.1    Installing

If Microsoft Script Debugger is installed on your workstation, a Microsoft Script Debugger error message might appear during the ActivClient setup. Ignore this error message.

 

Running the setup from a .zip file is not supported. First unzip the installation files into a temporary folder and then launch the setup from that folder.

 

In some cases, when you copy the ActivClient installation files to a disk with a FAT32 file system, you might see a “Confirm Stream Loss” error message. When asked if you want to proceed, click Yes and continue the installation.

 

If you copy the CD image to a network drive, the welcome page (start.exe) will not work if the path is longer than 113 characters. Run Product\Setup.exe directly instead.

 

When you run the ActivClient installer, you might see a filename such as 226ac5.msi – this name is automatically generated and is the internal InstallShield file name for the ActivClient MSI.

 

On Microsoft Windows Server 2008 and Windows Server 2008 R2 – Server Core edition, install ActivClient from the command line using the msiexec command. As Internet Explorer is not present on the Server Core edition, ActivClient components related to Internet Explorer will not work.

 

Digital signatures for all versions of this product and associated software updates released after 2012-12-12 include a timestamp signed with the new GeoTrust/Verisign/Symantec Certificate Authority. Proper verification of these signatures requires the CA certificate to be trusted by your system. For more information, please read Symantec Advisory AD546: https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AD546&actp=LIST&viewlocale=en_US.

 

3.2.2    Upgrading and Updating

When you install an ActivClient update (MSP file), you might see a message stating that the ActivClient Agent is running. Press OK to continue with the installation.

 

Due to a Microsoft Windows Installer limitation, when adding a feature during the modify process, you might be prompted for the source media (that is, the CD-ROM, local or remote directory). The same applies if you install a software update (MSI or MSP file). Access to the initial source media is recommended for any software update. (74378)

 

Upgrade from an ActivClient beta version is not supported – uninstall the beta version, then install the released version. As some ActivClient policies have changed between the beta version and the release, you also need to remove the policies (or change them to Not configured) before installing the released version. See the ActivClient Administration Guide for details. (75383)

 

3.2.3    Uninstalling

To uninstall the product, use the Add/Remove Programs in the Windows Control Panel. Do NOT delete DLLs or files manually. ActivClient uses shared libraries. Deleting libraries might lead to subsequent problems when a new version is installed.

 

The ActivIdentity\ActivClient folder (typically in C:\Program Files) remains after you uninstall the software. This has no adverse effect on the behavior of the workstation or on a future re-installation process. (75797)

 

3.2.4    Software Deployment with Microsoft SCCM

If the user is logged on while a remote SCCM installation of ActivClient is performed, the ActivClient Agent icon is not started automatically. The user can either log out and then log back on, or start the ActivClient Agent manually from the startup folder.

 

The ActivClient Agent icon is still active after a remote uninstall with SCCM. You must log off and log on again for the uninstall to be completely effective. Use the install process to configure SCCM so that it requests logoff/logon after package uninstallation.

 

When ActivClient is removed by SCCM, it still appears in Add/Remove Programs in the Windows Control Panel. When you try to uninstall, an error message appears the first time, then the option disappears.

 

3.2.5    Microsoft Windows 8-Related Limitations

Here is the list of known issues on Microsoft Windows 8 that will be addressed in the upcoming ActivClient 7.1.

·         If you try to authenticate to a web site with your smart card using Internet Explorer configured in Enhanced Protected Mode (either Internet Explorer on the desktop or in the Windows UI, formerly referred to as “Metro mode”), then authentication will fail – the PIN prompt will not appear.
Workaround: make sure that Internet Explorer is not in Enhanced Protected Mode (for example, you might need to add the site to your list of “trusted sites”).

·         ActivClient utilities (User Console, PIN Initialization Tool, Smart Card Agent, Notifications, etc.) are supported on the desktop; they are not supported in the Windows UI (formerly referred to as “Metro mode”).

·         If you are using Microsoft Outlook on Windows 8 in the Windows UI (not on the desktop), then the Publish to GAL operation might not work if ActivClient requires the user to enter his PIN, as the PIN prompt appears on the desktop, invisible to the user. The Publish to GAL function is fully supported when Outlook is used on the Windows 8 desktop. (80547)

·         If you are using Microsoft Outlook on Windows 8 in the Windows UI (not on the desktop), then the Auto-Contact operation might not work if ActivClient requires user feedback, as the potential ActivClient prompt (for example, to confirm that a certificate that does not match the Outlook account will be used) appears on the desktop, invisible to the user. The Auto-Contact function is fully supported when Outlook is used on the Windows 8 desktop. (80574)

·         The card auto-update with ActivID CMS feature is supported on Microsoft Windows 8 x86, but it is not yet supported on Windows 8 x64. (80533)

·         If ActivClient is installed using Active Directory software push, then the ActivClient tiles (PIN Initialization, User Console, Advanced Diagnostics, Smart Card Agent) are not automatically pinned to the Start screen. (80619)

3.3    ActivClient PKI Services

3.3.1    Certificate Availability

The ActivClient “Remove certificates from Windows on logoff” option requires the card to still be inserted in the reader during the logoff operation. It is not compatible with "logoff on card removal".

 

ActivClient 7.x relies on Microsoft Windows Certificate Propagation service. Make sure that this service is set to Automatic for ActivClient to operate properly. (80522)

 

3.3.2    Windows PKI Authentication

If your smart card has been configured so that you are required to change your PIN code on first use, and if the first application you log on to is Windows PKI Logon, then you will immediately be prompted to change your PIN code after you have logged on.

 

If your smart card has been configured so that you are required to change your PIN code on first use, and if your first use is the Windows Logon, then ActivClient displays an ActivClient – Change PIN dialog right after Windows Logon, when the desktop appears. Do not press Ctrl-Alt-Del and select Change Password (to change the PIN) when the ActivClient Change PIN dialog is open. (75689)

 

ActivClient supports the “PIN change on first use” feature for PIV-C cards issued by ActivID CMS. This is a value-add capability of ActivIdentity PIV applets and ActivID CMS personalization capabilities. This requires ActivID CMS 4.2.1 or later and ActivClient 7.0 or later. (74165)

 

If you enter too many incorrect PIN codes, the warning "Last Attempt" is not displayed during a Windows PKI login. This is due to Microsoft Windows calling the ActivClient Mini Driver in silent mode.

 

If you lock your smart card by entering several incorrect PIN codes, ActivClient reports the card as “locked”. However, if you attempt to log on to Windows with this card, Windows will report this card as “blocked”; this is the terminology used by Microsoft.

 

If you manually select a “default” certificate in the ActivClient User Console (different from the one selected automatically), the selection might not be saved on the card. This is a limitation of ActivClient 7.0, which will be addressed in the next version. (75049)

 

3.3.3    Microsoft Outlook

Outlook certificate operations (including the Outlook Usability Enhancements) do not function properly when the user certificates are not trusted. Make sure that the issuing CAs are trusted by Microsoft CAPI.

 

If you receive a signed or encrypted email that was sent with the 'Request S/MIME receipt for all S/MIME signed messages' option enabled, and if you use a PIV card with the signature certificate configured for ‘PIN Always’, then you will need to authenticate with your PIN when Outlook sends the receipt to the sender. This is a Microsoft limitation. (74326)

 

3.3.4    Microsoft Outlook Usability Enhancements

If you use ActivClient to automatically configure your Outlook security profile, then uninstall ActivClient and try to send a signed email, you will see the error “An error occurred in the underlying system”. To solve this issue, delete the Outlook security profile after ActivClient uninstallation. (57870)

 

The ActivClient Publish to GAL feature relies on an authenticated connection to Exchange / Active Directory. If Outlook prompts you for the Exchange password on logon / reconnect (instead of authenticating you automatically by leveraging your Windows authentication), then ActivClient is not able to connect to Exchange and to publish your certificates to the GAL. In such a configuration, you can publish your certificates to the GAL by using the ActivClient User Console – Tools – Advanced – Publish to GAL menu. (58442)

 

If ActivClient is configured to set up email certificates in Microsoft Outlook on card insertion (the default behavior) but Outlook is not installed, the operation will fail and error events will be written to the Windows Event Log. To prevent these events, enable the ActivClient policy “Turn off setup email certificates in Microsoft Outlook on card insertion”. (75106)

 

The automatic configuration of the Outlook security profile is not supported with Outlook 2013. (80345)

 

3.3.5    Internet Explorer and Google Chrome

The U.S. Department of Defense-issued Common Access Cards' certificate names are not differentiated in the Internet Explorer browser. When visualizing card certificates in Internet Explorer or during an SSL authentication, all three certificates have the same name. The workaround is to use the friendly name (ID, Signature or Encryption certificate) visible in the same window. This also applies to FIPS 201 compliant PIV cards.

 

If Internet Explorer is configured in Protected Mode, it does not have access to ActivClient PIN cache – by design of the protected mode feature. End users might then see more PIN prompts than they would without the protected mode.

 

3.3.6    Windows EFS

For detailed information about Microsoft Encrypting File System, you can refer to Microsoft documentation such as:

·         http://www.microsoft.com/technet/windowsvista/security/protect_sensitive_data.mspx#EGJAC

·         http://windowshelp.microsoft.com/Windows/en-US/Help/196e3453-e553-4af3-8220-bdee6e60148c1033.mspx

 

ActivClient includes an automatic EFS configuration feature (by automatically selecting the smart card certificate that EFS will use). This configuration option, “Configure Windows EFS with smart card certificate”, is enabled by default. This option is applicable only for the initial configuration. If you want to update the EFS certificate later and re-encrypt your files with a new certificate, you will need to use the “Manage your encryption certificate wizard” – see the ActivClient User Guide for details.

 

Smart card-based file encryption with EFS is supported only if you use the smart card for Windows Logon. (74060)

 

3.3.7    Firefox / Thunderbird

The card authentication certificate of a PIV smart card is not displayed by Firefox. This is because the web browser does not support empty subject names.

 

3.3.8    Microsoft certutil

In order to import a certificate with the Microsoft certutil tool, you must:

1.     Set the following Microsoft registry values to DWORD 0x1:

·         HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport

·         HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport

Note: You need to add these values to the registry if they are not already present.

2.     Make the certificate and the keys available as a PFX file using the Certificate Export Wizard.

3.     Import the PFX file into a smart card using the following command:

certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx {PFXfile}

See http://blogs.technet.com/b/pki/archive/2007/11/13/manually-importing-keys-into-a-smart-card.aspx for further information.
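The three steps above as one elevated PowerShell script. This is an added example, not part of the ActivClient release notes or of ActivIdentity's tooling; it assumes the PFX has already been exported with the Certificate Export Wizard (passed as $PfxFile), uses the certutil switches and CSP name exactly as shown above, and, as an added hardening step, resets both import values to 0 once certutil returns, because these values allow private keys to be imported into the card through the Base Smart Card CSP and are only needed for the one-off import.

```powershell
# Added example (not from the ActivClient release notes): import a PFX onto a smart card
# through the Microsoft Base Smart Card Crypto Provider, following section 3.3.8.
# Run from an elevated PowerShell prompt with the target smart card inserted.
param(
    [Parameter(Mandatory = $true)]
    [string]$PfxFile   # assumed input: PFX exported with the Certificate Export Wizard (step 2)
)

$cspKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$importValues = @('AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport')

function Set-BaseCspKeyImport {
    param([int]$Enabled)
    # The provider key normally exists; the two values must be created if absent (note under step 1).
    if (-not (Test-Path -Path $cspKey)) {
        New-Item -Path $cspKey -Force | Out-Null
    }
    foreach ($name in $importValues) {
        New-ItemProperty -Path $cspKey -Name $name -PropertyType DWord -Value $Enabled -Force | Out-Null
    }
}

function Get-BaseCspKeyImport {
    # Returns the current DWORD values so the before/after state can be checked.
    $result = @{}
    foreach ($name in $importValues) {
        $prop = Get-ItemProperty -Path $cspKey -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($null -ne $prop) { $prop.$name } else { $null }
    }
    return $result
}

if (-not (Test-Path -LiteralPath $PfxFile)) {
    throw "PFX file not found: $PfxFile"
}

# Step 1: allow private key import for the Base Smart Card CSP (DWORD 0x1).
Set-BaseCspKeyImport -Enabled 1
Get-BaseCspKeyImport | Format-Table -AutoSize

try {
    # Step 3: import the PFX onto the card. certutil prompts for the PFX password and the card PIN.
    & certutil -csp 'Microsoft Base Smart Card Crypto Provider' -importpfx $PfxFile
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -importpfx failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Added hardening step (not in the release notes): disable private key import again,
    # so the setting does not remain enabled beyond this one import.
    Set-BaseCspKeyImport -Enabled 0
    Get-BaseCspKeyImport | Format-Table -AutoSize
}
```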

3.3.9    Other PKI Applications

If you have an application using PKCS#11 with a PIV card or a smart card with ActivIdentity v2 applets, and if you lock and then unlock the Windows workstation with a password, PKCS#11 will not erase the private key attributes (CKA_ID, CKA_LABEL, CKA_SUBJECT). However, use of the RSA private key will require re-entering your PIN code.

 

The ActivClient PKCS#11 library supports the CKF_PROTECTED_AUTHENTICATION_PATH flag defined in the PKCS#11 standard. Some PKCS#11-enabled applications do not support this flag, which might lead to integration issues. If you run into such issues, you can configure ActivClient to disable this feature by creating the isCKF_PROTECTED_AUTHENTICATION_PATHsupported value (as a DWORD) under HKLM\SOFTWARE\ActivIdentity\ActivClient\PKCS11 and setting it to 0.

 

If you use Microsoft Outlook Web Access to access emails via Internet Explorer, and close the Outlook Web Access session, you will see some of your certificates being removed from the local Windows CAPI store (certificates are unregistered). This is a Microsoft limitation of the S/MIME ActiveX control used by Outlook Web Access. Contact Microsoft for further information.

3.4    ActivClient Common Services

3.4.1    User Console

The certificate time (Valid from/Valid to) displayed in the ActivClient User Console might differ from the time displayed in Internet Explorer. This difference is due to Internet Explorer using GMT while the ActivClient User Console uses the local time zone.

 

Do not remove the card from the smart card reader while it is being accessed by applications (when the ActivClient icon on the taskbar is red).

 

On some models of the US Department of Defense Common Access Cards, there is an extra eight-digit number at the end of the serial number printed on the back of the card. This extra number is not electronically recorded on the chip and thus is not part of the serial number displayed by the ActivClient User Console.

 

Deleting a certificate using the ActivClient User Console does not remove the link to the certificate in Microsoft CAPI. The certificate will still appear to be present in CAPI-enabled applications such as Internet Explorer or Microsoft Outlook, even though no private key operation will be available.

 

ActivClient User Console has some limitations with regards to compatibility with Microsoft Narrator when navigating the menus. ActivIdentity is currently working with the third-party company providing the User Console interface to provide a solution to this problem.

 

Icons in the User Console are still displayed the first time the User Console is opened after they are disabled; they are hidden in subsequent uses of the User Console.

 

If you view the content of a PIV card with the ActivClient User Console, you might see “RSA Key Pair” for the credentials that have not been personalized yet. There is no API in the PIV standard to determine whether an RSA key pair has been created, so ActivClient displays “RSA key pair” in either case when no certificate is detected. This applies to the four PIV-defined digital certificates.

 

3.4.2    ActivClient Agent

If you insert a smart card upside down or on the wrong side, and then properly reinsert the card, the ActivClient Agent icon might still display "no smart card".

 

If you insert and remove your smart card several times in the smart card reader, the ActivClient Agent icon might still display "no smart card". Remove and reinsert the card in the smart card reader and the icon will be refreshed.

 

If more than one smart card reader is connected to your system, the ActivClient Agent only supports the first smart card it detects and does not support more than one smart card connected at the same time.

 

The ActivClient Agent might fail to detect the card insertion if a card is inserted briefly and removed immediately. In this case, you might be prompted twice for the PIN when you reinsert the card.

 

The ActivClient Agent might start slowly, and the menus (available via right- or left-click) might appear slowly; the ActivClient Agent icon informs the user of this status – this occurs only at the beginning of the Windows session. This is due to user processes being started at “BelowNormal” priority to speed up services startup – this is a Microsoft Windows design. Once all services are started, user processes such as the ActivClient Agent return to “Normal” priority and become responsive.

 

If you generate a One-Time Password via the ActivClient Agent, the OTP is placed in the Windows Clipboard. Previous content of the Clipboard is no longer available for a Paste operation even after the OTP has been pasted.

 

3.4.3    Diagnostics Tool

The Advanced Diagnostic Tool might freeze if your installed smart card reader drivers are not the latest drivers from the device manufacturer. Please make sure that you have the latest smart card reader drivers installed from the device manufacturer.

 

3.4.4    Card Auto Update with ActivID CMS

On a workstation with Windows Vista and Internet Explorer 7 configured in Protected Mode, when ActivClient detects that a card update request is available in ActivID CMS, and when the user agrees to perform the card update, ActivClient opens Internet Explorer in a full window, with all standard menus and controls – instead of opening a dedicated window without browser menus and controls. This happens only if the user does not have local administrative privileges. To fix the problem, disable Protected Mode or upgrade to Internet Explorer 8 – ActivClient then opens a dedicated window without browser menus and controls. (58983, 75544)

 

If you have configured ActivClient PIN Cache service in “per process” mode, or if Internet Explorer is configured in Protected Mode, then you might see multiple PIN prompts during a card update. The default configuration for ActivClient PIN Cache service is “per session” and it will not display this behavior. (59341, 75601)

 

The card auto-update feature requires the ActivClient BSI library, included in the “Common Services”. This feature is not supported if you configure ActivClient to install without the BSI component. (75518)

 

If you perform a card auto-update on a workstation that does not have the ActivID CMS ActiveX component installed, it will be downloaded automatically. However, if this process takes time, the card update process might time out. You might then need to restart the update process for it to succeed. An alternative is to deploy the CMS ActiveX components in advance. (75546)

 

The card auto-update feature supports only one connected smart card; if two smart cards are inserted at the same time in two readers, only the default reader will be used. (75590)

 

If a card update fails with the ActivClient card auto-update feature, and if you then recycle the card on an ActivID CMS operator station, you might need to use the ActivClient “reset optimization cache” before you can use the card again. (75603)

 

3.4.5    Generic Smart Card Services

The ActivClient smart card automatic registration is supported on Microsoft Windows 7, Windows Server 2008 R2 and later. It enables recognizing any new PIV card without requiring any software update; the new PIV cards then benefit from all ActivClient capabilities. (73643)

 

If you update the content of the smart card, and if the card is not recognized properly anymore after the update, then it is recommended to start the ActivClient User Console, use the “Reset optimization cache” option from the menu Tools – Advanced and then remove and reinsert the smart card in the smart card reader.

 

If you use a smart card on workstation A and then update the card content (including the PIN policy) on workstation B, you might need to perform a "Reset optimization cache" on workstation A for the changes to be visible.

 

If you update the ActivClient policy from GSC-IS preference to PIV preference (or vice versa), you will need to perform a "Reset optimization cache" in the User Console to guarantee that cards previously used on the workstation will be seen with their new configuration.

 

The ActivClient policies "Prevent entry of PIN code shorter than the minimum PIN length" and "Allow entry PIN code longer than the maximum PIN length" apply to the ActivClient PIN entry window; they do not apply to third-party PIN entry windows, such as the Windows Logon. (73957, 73958)

 

3.4.6    ActivID CMS Issuance Station

When ActivClient is used on an issuance station with the ActivID Card Management System, the recommended card removal behavior option is “no action.” In addition, we recommend disabling ActivClient smart card discovery information caching; see the ActivClient Administration Guide for details.

 

If you use the Microsoft Certificate Authority, ActivID CMS 4.2 SP1 or higher is required for certificate issuance.

 

3.4.7    ActivID CMS My Digital ID Card

Support for ActivID CMS My Digital ID Card from a Windows x64 environment requires CMS version 4.2 or later – refer to your ActivID CMS documentation for further information.

 

If you use the Microsoft Certificate Authority, ActivID CMS 4.2 SP1 or higher is required for certificate update.

 

3.4.8    Citrix XenApp Sessions

Because of a limitation of the Windows plug and play feature, it is recommended to install ActivClient on a Citrix server directly from the physical console. If this is not the case, then the first use of each smart card type might not be successful until the card has been removed and reinserted. In addition, the exact card model will not be available.

 

When ActivClient is installed on the Citrix server, card management operations such as PIN change operations are not available within the Citrix session.

 

If ActivClient is installed both on the Citrix client and on the Citrix server, and if you perform a Change PIN operation using ActivClient installed on the client workstation, you are prompted to re-authenticate when you access the smart card using ActivClient on the Citrix server. Note that the “PIN try” counter is then decremented by 1.

 

If you use your smart card locally on your workstation, you will be prompted for the PIN to access the smart card again from your Citrix session – independently of your ActivClient PIN policy (PIN cache). This is due to the fact that both instances of ActivClient (on your workstation and on the Citrix server) are independent.

 

If you use your smart card to login to the Citrix session with a PKI login, a new PIN prompt will appear for additional smart card services inside the Citrix session. This is a Citrix limitation.

 

Under some stress conditions (network bandwidth, latency, load of the Citrix server), card events such as card removal might be reported with a few seconds delay to ActivClient. Until ActivClient is aware of those changes, it will try to function as if the card was still present in the reader.

 

If you open a session on the Citrix server from computer A with a smart card and then move on to computer B and establish a session to the same Citrix server, you will have to type your PIN code twice.

 

If you enable ActivClient log files on a Citrix server, be aware that log files will grow very fast due to the logging of all users’ operations. Only enable logging when prompted by ActivIdentity customer support.

 

On Windows Vista SP1, Citrix does not support the pass-through configuration with Citrix Client v10. For more information, see http://support.citrix.com/article/CTX112067. (58391)

 

3.4.9    Microsoft Remote Desktop Sessions

When ActivClient is installed on the Terminal Server, card management operations such as certificate download or PIN change operations are not available within the RDP session.

 

If ActivClient is installed both on the RDP client and on the Terminal Server, and if you perform a Change PIN operation using ActivClient installed on the client workstation, you are prompted to re-authenticate when you access the smart card using ActivClient on the Terminal Server. Note that the “PIN try” counter is then decremented by 1.

 

If you use smart card services inside an RDP session, some PIN-protected operations might require a new authentication even if an authentication has already occurred.

 

If you enable ActivClient log files on a Windows Terminal Server, be aware that log files will grow very fast due to the logging of all users’ operations. Only enable logging when prompted by ActivIdentity customer support.

 

 

3.4.10    Notification Services

Smart Card and Certificates Expiration Notification – For CAC cards, if the user did not perform a Windows PKI logon, then ActivClient uses the smart card certificate expiration date to determine the smart card expiration date.

 

Unattended Smart Card Notification – When you disconnect from a Citrix XenApp Server or a Windows Terminal Server or Remote Desktop session, ActivClient does not trigger the unattended smart card alert if the smart card is left in the smart card reader.