ActivIdentity ActivClient 6.2

(version 6.2.0.136 - 2011-12-13)

-------------------------- Release Notes --------------------------

 

TABLE OF CONTENTS

 

 

1.     SUPPORT SERVICES

2.     WHAT’S NEW IN THIS RELEASE

2.1         What’s New in ActivClient 6.2

2.2         What’s New in ActivClient 6.1 Service Pack 2

2.3         What’s New in ActivClient 6.1 Service Pack 1

2.4         What’s New in ActivClient 6.1 and ActivClient CAC 6.1

2.5         What’s New in ActivClient PKI Only 6.0 and ActivClient for CAC – PKI Only 6.0

3.     KNOWN PROBLEMS, SYSTEM REQUIREMENTS AND LIMITATIONS

3.1         Supported Platforms

3.2         Installation and Uninstallation

3.2.1.      Installing

3.2.2.      Upgrading

3.2.3.      Uninstalling

3.2.4.      Repairing

3.2.5.      Software Deployment with Microsoft SMS

3.3         ActivClient PKI Services

3.3.1.      Automatic Certificate Availability

3.3.2.      Windows PKI Logon

3.3.3.      Microsoft Outlook

3.3.4.      Microsoft Outlook Usability Enhancements

3.3.5.      Internet Explorer

3.3.6.      Windows EFS

3.3.7.      Firefox / Thunderbird

3.3.8.      Entrust Entelligence Desktop Solution

3.3.9.      Entrust Entelligence Security Provider

3.3.10.   Other PKI applications

3.4         ActivClient OTP Services

3.4.1.      Check Point SAA component

3.4.2.      Automatic OTP generation via the ActivClient Agent

3.5         ActivClient Common Services

3.5.1.      User Console

3.5.2.      ActivClient Agent

3.5.3.      PIN Change Tool

3.5.4.      Troubleshooting Wizard

3.5.5.      Diagnostics Tool

3.5.6.      Advanced Configuration Manager

3.6         Other

3.6.1.      Generic Smart Card Services

3.6.2.      ActivID CMS Issuance station

3.6.3.      ActivID CMS My Digital ID Card

3.6.4.      Card auto update with ActivID CMS

3.6.5.      Citrix

3.6.6.      Microsoft Terminal Server and RDP

3.6.7.      Notification Services

 

 

1.              SUPPORT SERVICES

Offices

 

ActivIdentity North America

Corporate Headquarters

6623 Dumbarton Circle

Fremont, CA 94555 USA

TEL: +1 (510) 574-0100

FAX: +1 (510) 574-0101

 

ActivIdentity Europe

European Corporate Headquarters

24-28 Avenue du General de Gaulle

92156 SURESNES, Cedex FRANCE

TEL: +33 (0) 1-42-04-84-00

FAX: +33 (0) 1-42-04-84-84

 

ActivIdentity Australia

Asia/Pacific Corporate Headquarters

7 Phipps Close

Deakin ACT 2600 AUSTRALIA

TEL: +61-2-62084888

FAX: +61-2-6281-7460

 

For technical support contact: support@actividentity.com

 

 

2.              WHAT’S NEW IN THIS RELEASE

Note that this section may describe functionality present in other editions of ActivClient that is not available in your edition.

 

2.1           What’s New in ActivClient 6.2

ActivClient 6.2 provides the following improvements compared to ActivClient 6.1 SP2:

 

Outlook usability enhancements:

·         ActivClient automatically publishes the user certificates to the Global Address List (GAL) on card insertion. This new feature enables customers to easily use certificates for email encryption with Microsoft Outlook and Exchange servers. This applies to configurations where certificates are issued outside the corporate environment and, consequently, not published to Active Directory during the issuance process.

·         Automatic configuration of the Outlook security profile is improved to seamlessly handle card certificate updates.

·         Outlook usability enhancements are now available on 64-bit versions of Windows. This applies to all ActivClient Outlook Usability enhancements such as the automatic configuration of the Outlook security profile, Publish to GAL, Auto-Contacts and Auto-Decrypt.

 

Improved card management services:

·         Automatic card update with ActivID CMS (applies to cards issued by ActivID CMS). On card insertion, ActivClient checks if there are any card update requests available in ActivID CMS. When such updates are available (for example, a certificate update), ActivClient prompts the user to perform the card update.

 

Improved deployment:

·         Improved installer package:

·         Microsoft Visual C++ redistributable components are now included in the ActivClient MSI package to facilitate installation. This avoids the need to install two separate packages.

·         ActivClient 32-bit and ActivClient 64-bit are now included on the same CD, along with the administrative tools and documentation previously provided in a separate package (the ActivClient Resource Kit). This facilitates access to all of the required ActivClient components in a complex corporate deployment.

·         Hot fixes (MSP files) released for ActivClient 6.2 after this release will be smaller than those released for ActivClient 6.1. In addition, you will be able to uninstall an ActivClient hot fix from the Windows Control Panel (Add or Remove Programs), restoring the ActivClient version that was present before the hot fix was installed.

·         Improved diagnostics:

·         To facilitate troubleshooting, the ActivIdentity Diagnostics Tool now reports additional information about the environment, such as reader driver information, the email client packages and their version, the MAPI configuration and relevant ActivID CMS connectivity data.

·         Diagnostics reports and log files produced by ActivClient (requested by customer support to diagnose issues difficult to reproduce) no longer contain any personally identifiable information that is considered sensitive. Data such as certificates, email addresses or usernames are omitted from these files, or obfuscated (if some level of information is required for diagnostics purposes), to increase customers’ security and privacy.

·         Improved configuration:

·         Import/Export of ActivClient configuration using the Advanced Configuration Manager. This feature enables administrators to copy an ActivClient configuration from workstation to workstation – which facilitates testing a “reference configuration” in multiple environments.

·         The Advanced Configuration Manager is no longer installed by default (except in ActivClient CAC edition) as it is intended for administrators and not end users. It can be installed using a Custom installation.

·         Microsoft OEM Ready: ActivClient 6.2 complies with Microsoft OEM Ready requirements. As such, all ActivClient components (exe and dll files) are located in \Program Files\ActivIdentity, and no longer in \Windows\system32.

 

Support for new smart card configurations:

·         Support for Secure Messaging (SMA) on the new US Department of Defense Common Access Card models (128K cards with 2048-bit RSA keys, PIV End Point compatible). Secure Messaging encrypts the PIN when it is sent from the PC to the card, and encrypts data (for example, a session key or disk encryption key) that has been decrypted on the card when it is returned from the card to the PC. This prevents interception of the PIN or data by, for example, a USB sniffer placed on the reader port. Note: These CAC cards are supported by ActivClient 6.0 and 6.1 without the Secure Messaging capability.

 

Support for new environments:

·         Windows Server 2008 support improvements. Windows Server 2008 was already supported by ActivClient 6.1; the new capabilities include:

·         Support for the Server Core configuration

·         Support for the new certificate templates available with the Certificate Server

·         Availability of an ActivClient administrative template in ADMX format

·         Also includes support for Windows Server 2008 SP2 and Windows Server 2008 R2

·         Support for Windows 7 (32 and 64-bit editions)

·         Support for the latest versions of compatible applications, such as:

·         Citrix XenApp 5.0

·         Entrust Entelligence Security Provider 9.0

·         Firefox 3

·         Microsoft Office 2007 SP2

·         Thunderbird 2

·         Support for new smart cards, such as the:

·         Gemalto TOP DL GX4 144K FIPS

·         Giesecke & Devrient SmartCafe Expert 80K DI v3.2

·         Oberthur ID-One Cosmo v5.5 128K

·         Oberthur ID-One Cosmo v7.0 80K and 128K

·         Support for new PIV cards:

·         Athena IDProtect Duo PIV

·         CardLogix Credentsys-J PIV

·         Safenet 400 PIV

·         Support for Citrix XenApp and Microsoft Terminal Server accessed by non-Windows clients, such as:

·         Linux thin terminals

·         Mac workstations

·         Sun Ray terminals

 

Minor improvements:

·         The ActivClient “card discovery” process can speed up card handling by caching smart card discovery information. With ActivClient 6.2, this caching is optional. When it is disabled, the smart card discovery process is repeated at each smart card insertion. We recommend disabling it only on issuance workstations, where caching this data for every issued card may degrade performance rather than improve it.

·         The ActivClient CSP now supports SHA-256 on Windows versions that support SHA-256, such as Windows XP SP3, Windows Vista SP1 and Windows 7.

·         Access to the ActivClient Agent menu is now available using either a left-click or right-click.

·         Experimental support for Entrust Entelligence Security Provider Smart Card Migration Utility, enabling users to migrate from Entrust Entelligence Desktop Solutions to Entrust Entelligence Security Provider for Windows.

·         ActivClient Help can now be customized, enabling administrators to add information specific to their deployment.

 

Two ActivClient 6.2 packages are available: ActivClient 6.2 and ActivClient CAC 6.2 – both include support for 32-bit and 64-bit versions of Windows (using separate MSI packages for 32-bit and 64-bit). In the CAC edition:

·         The DoD Root certificates are installed and trusted.

·         Certificate and card expiration notification is enabled by default.

·         The configuration option “Prefer GSC-IS over PIV EndPoint” is enabled (it is disabled in ActivClient).

·         Small differences in the default ActivClient setup (for example, the Advanced Configuration Manager is included in the Typical setup, One-Time Password Services is not included in the Typical setup).

 

 

Bug fixes and minor enhancements

 

Fixes since ActivClient 6.1 SP2:

·         Fixes an issue where the ActivClient auto-configuration of EFS could not be disabled. (54679)

·         Fixes an issue where the wrong default certificate was selected for Windows logon after a certificate is downloaded to the card with the ActivClient CSP. (54225)

·         Fixes an issue where, under rare conditions, ActivClient login processes continue to run after logging in to Windows with a smart card. This led to symptoms such as the ActivClient Agent continuously reporting “Starting ActivClient Agent. Please wait”, or, if SecureLogin SSO is installed, the workstation not locking on card removal. (54510)

·         Fixes an issue where the ActivClient Auto-Contact feature prompts to add the sender’s certificate to Outlook Contacts even if it is already present, in the case ActivClient was not used to create the contact earlier. (53688)

·         Fixes an issue where users may see an "Invalid Parameter" error when performing a Windows PKI logon, if there was a communication error during the first card usage on the workstation. ActivClient no longer stores the certificate information in the card discovery cache in the case of communication error. The impact is that when the communication error is fixed, the card discovery process will select the correct Windows PKI logon certificate; and users can perform a successful login (without doing a “forget state for all cards”). (54142)

·         Fixes an issue where occasionally, the workstation is not locked on card removal. (54608)

·         On Windows Vista, ActivKey is now detected when inserted during an Internet Explorer SSL authentication. ActivClient replaces the Windows Select Card dialog which is not updated when ActivKey devices are inserted. (52875)

·         Performance improvement for SCPL login, when using ActivIdentity Authentication Client – in the case of cards with certificates not compatible with Windows Logon. (55661)

·         Fixes an issue where the Outlook Enhancements cause Outlook 2003 to stop displaying “forwarded” and “replied” icons on emails (blue and purple arrows). (55918)

·         Fixes incompatibility issue with Intel PRO/Wireless Network Connection Software, causing Windows PKI smart card log on to fail. (56031)

·         Fixes an issue where a signed email message closes, after the user selects Cancel when being prompted to select the card reader (when multiple readers / cards are present). (56094)

·         Fixes incompatibility issue with UPHCLEAN 1.6 on Citrix Server. (56096)

·         Fixes an issue where users can no longer sign emails in Thunderbird after card logout (close SSL session in Firefox for example). (56628)

·         Fixes an issue where unlocking a remote session failed after an earlier ActivClient hot fix installation. (57446)

·         Performance improvements for smart card usage in Citrix XenApp or Microsoft Terminal Server environments; the improvement is especially visible on slow links such as satellite, UMTS or wireless connections. (52992, 58873)

·         Fixes an issue where enrolling a user using Entrust Entelligence Security Provider v8 on Windows Vista causes a crash. (57762)

·         Fixes compatibility issues with Entrust Entelligence Security Provider v9. (58077, 59015)

·         Adds support for smart card profiles where PKI certificates are protected by “secure channel OR PIN”; it is now possible to import or delete a certificate from the User Console. (57974)

·         Adds support for smart card profile with 11 PKI certificates. (59132)

·         Fixes an issue where the OTP generated by the ActivClient Agent “Get One-Time Password” menu cannot be pasted into some applications. (59560)

·         Fixes an issue where, under rare conditions, a smart card removal may prevent ActivClient from running properly. (58920)

·         Fixes compatibility issue with Keycorp MULTOS smart card v4.2.3 with PIV Application. (59170)

·         Updates the signature of some ActivClient JAR files that had expired code signing certificates. (58741)

·         PKCS#11 API: CKF_PROTECTED_AUTHENTICATION_PATH is now configurable, which enables support for the NCP VPN client when it establishes a connection before Windows logon. To configure it, add the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\PKCS211, isCKF_PROTECTED_AUTHENTICATION_PATHsupported (DWORD). If the value is absent or set to anything other than 0, the CKF_PROTECTED_AUTHENTICATION_PATH flag is reported (standard ActivClient 6.x behavior); if it is set to 0, the flag is not reported (behavior of previous ActivClient versions).
Important: If you deploy ActivIdentity SecureLogin SSO, do not set isCKF_PROTECTED_AUTHENTICATION_PATHsupported to 0. (53923)

·         PKCS#11 API: C_InitPIN no longer fails with CKR_DEVICE_ERROR if the card is already initialized. This fix provides a similar behavior as with ActivCard Gold, for compatibility with legacy applications. (54332)

·         PKCS#11 API: Fixes an issue with unusual RSA key sizes, where decryption failed after importing certificates with PKCS#11. (54857)

·         PKCS#11 API: Fixes an issue when calling twice the C_Finalize function. (56796)

·         PKCS#11 API: Fixes an issue where CKA_MODULUS of a public key object was returned in little-endian (LSB-first) byte order instead of the big-endian (MSB-first) order that PKCS#11 specifies for big integers. (58279)

·         BSI API: JNI wrapper now uses a native method to retrieve vector size, avoiding some FATAL ERROR when using option -Xcheck:jni. (55723)

·         CSP API: The CPSetHashParam function now supports HP_HMAC_INFO. (56605)

 

 

2.2           What’s New in ActivClient 6.1 Service Pack 2

ActivClient 6.1 Service Pack 2 provides the following improvements compared to ActivClient 6.1 Service Pack 1.

 

Bug fixes and minor enhancements:

·         Fixes an issue where emails could be deleted when the auto-decrypt feature is enabled (this feature is disabled by default). The auto-decrypt feature now supports signed/encrypted emails with Exchange 2003/2007. When a signed and encrypted email arrives in the user’s Inbox, a decrypted version of the email is saved with its signature preserved; the original encrypted email is deleted only once the decrypted copy has been created successfully.

·         The auto-decrypt feature no longer deletes encrypted emails when applied to emails in the “Deleted Items” folder (new behavior).

·         The auto-decrypt feature now supports encrypted emails sent from Outlook Web Access (new behavior).

·         The auto-contact feature is improved to prevent PIN prompts that appear without the user requesting any card activity.

·         The uninstallation of the ActivClient Outlook usability enhancements is improved to prevent errors after uninstallation on Outlook 2007.

·         In some specific configurations, users intermittently see an “Accrdsub.exe” error when they remove the card for screen lock. This problem is now fixed.

·         This fix improves the quality of the ActivClient CSP and guarantees that the communication with the card is closed properly after using the CSP. The previous implementation led to a variety of symptoms (for example, issues with roaming profiles with Citrix and Terminal Server, loss of communication with card after using Outlook Web Access). These problems are now fixed.

·         NOTE: This fix leads to a new limitation when using the Remote Desktop Connection 6.0 on Windows XP (no issue on Windows Vista): users see a username / password prompt before they see the smart card PIN prompt.

·         This issue is documented in a Microsoft knowledge base article: http://support.microsoft.com/kb/941641, which also describes a workaround (editing the .rdp configuration file on user workstations).

·         Another workaround, easier to deploy because it targets Terminal Server, is described in the Microsoft knowledge base article http://support.microsoft.com/kb/895433. On a Windows Server 2003 with Terminal Server, set the following registry value to 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\AuthenticationLevelOverride (DWORD); this avoids the local authentication on the user workstation and the associated password prompt. Be aware that a value of 0 also instructs the Remote Desktop client to connect without warning when the server cannot be authenticated, which removes a protection against connecting to an impersonated server; prefer the Remote Desktop Protocol 6.1 update where it can be deployed.

·         This issue is fixed with Remote Desktop Protocol 6.1 that is included in the Remote Desktop Connection update available in Windows XP SP3.

·         ActivClient User Console now displays the “Subject Directory Attributes” (defined in X.509 v3) including the “Country of Citizenship” if present among the certificate attributes.

·         The report produced by the Advanced Diagnostics tool no longer includes “My personal information” for CAC cards, in order to preserve the privacy of this information.

·         Fixes an issue around the “Change PIN at first use” feature, which caused the “Change PIN” prompt to appear multiple times.

·         PKCS#11 API: C_GetTokenInfo now reports ulFreePublicMemory, ulFreePrivateMemory, ulTotalPublicMemory and ulTotalPrivateMemory.

·         PKCS#11 API: CKA_SUBJECT is now retrieved from the certificate Subject attribute if it is not present on the card itself.

·         Support for issuance of Gemalto PIV cards / applets with ActivID CMS.

·         Fixes an issue where smart cards did not lock after incorrect PIN submissions with Entrust Security Manager Admin 7.1 (ActivClient PKCS#11 library for Entrust).

 

2.3           What’s New in ActivClient 6.1 Service Pack 1

ActivClient 6.1 Service Pack 1 provides the following improvements compared to ActivClient 6.1.

 

Support for PIV extensions (also known as PIV+):

·         Applies to smart cards with ActivIdentity 2.6.2a applets configured for PIV+.

·         One-Time Password (OTP) functionality and additional PKI certificates are now available in ActivClient in addition to standard PIV credentials.

·         The PIV credentials are supported in ActivClient using standard PIV policies (for example, the PIN complies with the PIV PIN policies). The “extended” credentials (OTP and additional PKI) are supported in ActivClient based on the card profile (for example, access rights for the extra certificates depend on the card profile).

·         Compatible with ActivID CMS (offering card management services) and 4TRESS Authentication Server or 4TRESS AAA Server for Remote Access (offering OTP authentication services).

 

Support for ActivKey Display v2 in connected mode:

·         When ActivKey Display is connected, ActivClient can generate One-Time Passwords on the device; this is the same “credential” as displayed on the LCD when ActivKey Display is used in offline mode. OTP generation is not PIN-protected, but a server-based PIN may be used.

·         When ActivKey Display is connected, ActivClient can use it to store / retrieve the static credentials for a Windows logon (username, password and domain); this credential is PIN protected. This feature is compatible with ActivIdentity Smart Card Password Login 1.5.

·         When ActivKey Display is connected, configured with an optional SIM module, then ActivClient will use the SIM module for all credentials except for the OTP which is still managed directly in the ActivKey Display (same credential as displayed on the LCD).

 

Minor improvements:

·         Automatic start of the PIN Initialization Tool when a non-initialized or blank card is inserted. Note: The automatic start depends on the setting "Display New card on Card Insertion"; it is disabled by default.

·         PIN Initialization Tool modularity for One Time Password (OTP)-based cards. A new configuration option is added to prevent resetting cards that contain OTP credentials, while allowing usage of the PIN Initialization Tool for other cards. This new configuration option is not visible in the Advanced Configuration Manager. The associated registry key is:
HKLM\Software\ActivCard\ActivClient\PINInitTool\AllowSKIReset (DWORD)
“1” means Yes; it is the default setting (same behavior as ActivClient 6.1, allowing to reset all cards),
“0” means No; it is a new behavior, allowing to reset cards except if they contain personalized OTP credentials.

·         New ActivClient Agent icon used at startup. In ActivClient versions so far, the ActivClient Agent showed different icons in the Windows notification area to represent different states: card inserted, card active, reader without card, no reader. A new icon is added to present a “startup” state, when the ActivClient Agent is still loading and unresponsive to user actions.

·         New configuration option for “unattended smart card” notification. This notification warns users if their smart card is still inserted in the smart card reader upon log off or screen lock. You may configure ActivClient to notify users upon log off and screen lock (default behavior), upon log off only (new behavior in Service Pack 1) or never. This new configuration option is visible in the Advanced Configuration Manager in the Notification Management section, under the entry “Display Unattended Smart Card Alert”. The associated registry key is:
HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\Notification\SmartCardPresenceWarning\Enable (DWORD)
“0” means “Never”,
“1” means “At log off and screen lock” (default),
“2” means “Only at log off”.

·         Improved behavior for the “unattended smart card notification” if enabled for screen lock. Starting with Service Pack 1, removing the smart card interrupts the notification, which allows users to unlock the screen without clicking the “Continue what I was doing” button.

·         Starting with ActivClient 6.1 Service Pack 1, the Advanced Configuration Manager is only available to users with local administrative privileges. Users who want to activate log generation may do so from the ActivClient User Console, using Tools – Advanced – Log File Options…

·         In ActivClient 6.1, the User Console allows users to “temporarily disable the default certificate automatic selection” (via a button in the Tasks area). When this option is selected, the card behaves as if there were no default certificate until the card is removed from the reader. Starting with Service Pack 1, the feature has been removed from the User Console and is replaced by a global configuration option. This new option allows a user with an enrollment agent certificate to download certificates from Microsoft Certificate Authorities, on the “Enrollment on behalf of another user” web pages. This new configuration option is visible in the Advanced Configuration Manager in the Certificate Availability section, under the entry “Allow certificate enrollment on behalf of another user”. The associated registry key is:
HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\CSP\DisableDefaultCertSelection (DWORD)
“0” means “No” (default),
“1” means “Yes”.

·         In the ActivClient User Console and Advanced Diagnostics, the “Serial Number” field is replaced by a “Unique Identifier” field, showing one or several values as needed (CUID, IIN, CIN, etc), depending on the inserted device.

·         When an Entrust profile is downloaded (via PKCS#11) on the card with Entrust Desktop Solution or Entrust toolkit, ActivClient 6.1 selects, during profile download, the “signature certificate” as default certificate without checking if this certificate is compatible with Windows login. Starting with Service Pack 1, ActivClient does not flag such a certificate as “default certificate”.

·         The algorithm used by ActivClient to automatically select the “default” certificate for smart card logon to Windows XP (algorithm used when there is no “default” certificate set on the card) has been improved to handle additional scenarios. For example, it will first select a certificate that has the Windows Logon attributes (Extended Key Usage and UPN), and only later default to a “signature” certificate if no logon certificate is found.

·         When ActivClient 6.1 is configured with “Prefer GSC-IS over PIV End Point” set to Yes (the default in the CAC edition), then ActivClient does not expose the PIV credentials of some PIV cards. Starting with Service Pack 1, PIV credentials are exposed for all PIV cards except for the DOD Common Access Cards that comply with both GSC-IS and PIV (in which case the GSC-IS credentials are exposed instead).
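The registry values quoted in this section (AllowSKIReset, SmartCardPresenceWarning\Enable, DisableDefaultCertSelection) and the isCKF_PROTECTED_AUTHENTICATION_PATHsupported value described under section 2.1 are the settings an administrator most often has to verify across a fleet, and the notes state for each one what ActivClient does when the value is absent. The following PowerShell script is an added example, not ActivIdentity code: it reads each value, applies the built-in default the notes give for an absent value, maps the raw data to the value ActivClient acts on (for the PKCS#11 flag, any non-zero data means "supported"), and reports deviations from a baseline. The Expected values are an assumed hardened profile for a standard user workstation, the key paths are taken as printed in the notes with the last path component treated as the value name, and the native registry view is assumed.

```powershell
# Added example (not ActivIdentity code): audit, and optionally remediate, the
# ActivClient registry values described in these release notes.
# "Expected" values are an ASSUMED hardened profile for a standard user
# workstation; key paths are those printed in the notes (native registry view).

$Base = 'HKLM:\SOFTWARE\ActivCard\ActivClient'

$Baseline = @(
    @{
        Key       = "$Base\PKCS211"
        Name      = 'isCKF_PROTECTED_AUTHENTICATION_PATHsupported'
        Default   = 1          # absent => flag reported (6.x behavior)
        Expected  = 1
        # Absent or any non-zero data means the flag is reported; only 0 turns it off.
        Normalize = { param($v) [int]($v -ne 0) }
        Why       = 'Must not be 0 where ActivIdentity SecureLogin SSO is deployed'
    },
    @{
        Key       = "$Base\PINInitTool"
        Name      = 'AllowSKIReset'
        Default   = 1          # 1 = reset any card (ActivClient 6.1 behavior)
        Expected  = 0          # 0 = never reset cards holding personalized OTP credentials
        Why       = 'Protects OTP credentials from the PIN Initialization Tool'
    },
    @{
        Key       = "$Base\Notification\SmartCardPresenceWarning"
        Name      = 'Enable'
        Default   = 1          # 1 = warn at log off and screen lock
        Expected  = 1
        Why       = 'Users must be warned about a card left in the reader'
    },
    @{
        Key       = "$Base\CSP"
        Name      = 'DisableDefaultCertSelection'
        Default   = 0
        Expected  = 0          # only enrollment-agent workstations should set 1
        Why       = 'Default certificate selection must stay on for Windows PKI logon'
    }
)

function Get-ActivClientSetting {
    param([hashtable]$Entry)
    $item = Get-ItemProperty -Path $Entry.Key -Name $Entry.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value (or the whole key) absent: ActivClient falls back to its built-in default.
        $raw = $Entry.Default; $source = 'built-in default (value absent)'
    } else {
        $raw = [int]$item.($Entry.Name); $source = 'registry'
    }
    # Map raw data to the value ActivClient actually acts on (e.g. non-zero => 1).
    $effective = if ($Entry.Normalize) { & $Entry.Normalize $raw } else { $raw }
    [pscustomobject]@{
        Key       = $Entry.Key
        Name      = $Entry.Name
        Raw       = $raw
        Effective = $effective
        Source    = $source
        Expected  = $Entry.Expected
        Status    = if ($effective -eq $Entry.Expected) { 'OK' } else { 'DEVIATION' }
        Why       = $Entry.Why
    }
}

function Set-ActivClientBaseline {
    # Writes the expected DWORD for every deviation; needs an elevated shell.
    # Supports -WhatIf / -Confirm so the change set can be reviewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([object[]]$Findings)
    foreach ($f in ($Findings | Where-Object Status -eq 'DEVIATION')) {
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", "set DWORD to $($f.Expected)")) {
            if (-not (Test-Path $f.Key)) { New-Item -Path $f.Key -Force | Out-Null }
            Set-ItemProperty -Path $f.Key -Name $f.Name -Value $f.Expected -Type DWord
        }
    }
}

$findings = $Baseline | ForEach-Object { Get-ActivClientSetting -Entry $_ }
$findings | Format-Table Name, Raw, Effective, Expected, Source, Status -AutoSize
# After review, apply the baseline (drop -WhatIf to actually write the values):
# Set-ActivClientBaseline -Findings $findings -WhatIf
```

Reading HKLM needs no elevation, so the audit can run under a standard account; only Set-ActivClientBaseline needs an elevated shell. The Import/Export feature of the Advanced Configuration Manager (section 2.1) remains the supported way to copy a reference configuration; this script only checks that the copy landed as intended.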

 

New environments:

·         Support for the Giesecke & Devrient SmartCafe Expert 72K DI v3.2

·         Support for the Giesecke & Devrient SmartCafe Expert 144K DI v3.2, including support for a Standalone / Mini profile in the PIN Initialization Tool.

·         Support for a Standalone / Mini profile in the PIN Initialization Tool for the Oberthur ID-One Cosmo 64K 5.4 (card already supported in ActivClient 6.1).

 

 

Bug fixes and minor enhancements:

The following is a list of ActivClient issues fixed in this release, and the ActivIdentity hot fix references (if a hot fix has been previously released).

 

 

Fixes from ActivClient 6.1 (FIXS0706010, FIXS0707004, FIXS0708009, FIXS0709005, FIXS0709031, FIXS0709042, FIXS0710024, FIXS0708010, FIXS0709006, FIXS0709032, FIXS0709043, FIXS0710025):

·         User Console now prompts for the PIN when a user tries to access for the second time some CAC / PIV Personal Data when “PIN caching timeout” has expired.

·         Avoid rare crash of User Console when double-clicking on One-Time Passwords folder.

·         When the "Number of minutes before PIN cache is cleared" is set to "0", the Windows PKI logon is now functional.

·         It is now possible to initialize Cryptoflex 16K cards with the ActivClient PKCS#11 library.

·         It is now possible to initialize Java Cards with the ActivClient PKCS#11 library.

·         It is now possible to initialize devices with the PIN Initialization Tool when called from Internet Explorer with the ActivClient CSP.

·         It is now possible to initialize devices from the ActivIdentity Smart Card Password Login product.

·         Allow multiple issuances on the same workstation with ActivID CMS 4.0 and Microsoft CA.

·         Fixes to address Entrust-Ready test cases for Entrust Entelligence Security Provider.

·         Card auto-registration now works properly on Windows Server 2003.

·         In some cases, the Microsoft Outlook Usability Enhancements options were not taken into account: default settings were applied instead. The settings are now properly applied.

·         Avoid rare case of deletion of email when the Microsoft Outlook Usability Enhancements are configured to “automatically decrypt encrypted emails”.

·         When using the Check Point SAA module, the Check Point client is now notified of card and reader removal operations.

·         Diagnostics report improvements on operating system-relevant information.

·         Diagnostics tool now reports correct information when ActivClient is configured for per-process PIN caching.

·         Diagnostics tool: ability to hide Email button from a configuration in the Advanced Configuration Manager.

·         BSI API: Adding support for gscXsiUtilGetIdentifier.

·         BSI API: it is now possible to retrieve the applet version with GetContainerProperties.

·         PKCS#11 API: Fixed issue with C_UnlockPIN.

·         PKCS#11 API: Fixed issue with C_Verify for RSA keys without PUBLIC_KEY_ATTRIBUTE.

·         PIV API: Fixed issue with SignData function.

·         Avoid rare crash of accrdsub.exe process at workstation unlock.

·         In some environments, the “Get One-Time Password” function of the ActivClient Agent failed to copy the OTP on the clipboard; the issue is now fixed.

·         When installing ActivClient 6.1 hot fixes (pre SP1), some customized configuration settings revert to the default value; the issue is now fixed.

 

 

Fixes from ActivClient 6.0 (FIXS0705012, FIXS0706001, FIXS0706003, FIXS0706008, FIXS0707012, FIXS0707023, FIXS0707026, FIXS0708017, FIXS0709000, FIXS0710005, FIXS0711002):

·         When “ActivClient Enter PIN” window is displayed in front of a browser, it may activate a link on a web page; this issue is now fixed.

·         Fixed issue in ActivClient CSP visible when custom application switches between two connected smart cards.

·         Fixed issue in ActivClient CSP visible when custom application uses AcquireContext with a container name different than the default one, following an AcquireContext with no container name.

·         When a card is used for PKI login, ensure that all card connections are closed after the PKI logon.

·         BSI API: Fixed issue with accessing optional applets on CAC v1 cards.

·         Using CAC V2 cards, the default certificate is now always the signature certificate.

·         Avoid default certificate to be changed during PKI logon/unlock, causing Invalid Parameter Error during Windows PKI Logon.

·         When ActivClient and SecureLogin SSO are installed together, a rare hang may happen after the Windows smart card PKI logon. This issue is now fixed.

·         Avoid Entrust error -594 (Entrust profile error) when several key pair updates have been performed with ActivCard Gold 2.3, the PC is upgraded to ActivClient, and no apf file is present.

·         Fixing cache computation issue to prevent invalid cache selection on some computers (issue visible during an Entrust key recovery process).

·         Avoid potential crash when issuing smart card with protocol T=1.

·         Allow re-issuance of customer-specific profile with ActivID CMS 3.8.

·         Allow installing hot-fixes if Advanced Configuration Manager is not installed.

 

 

Fixes from ActivClient 5.4 (FIXS0706005, FIXS0707014, FIXS0710008):

·         Avoid potential hang when unlocking smart card with challenge/response in the User Console.

·         Added support for a new standalone profile with mixed 1024- and 2048-bit PKI key sizes.

·         Fix issue with OTP negative counter, and incorrect characters in the OTP.

 

 

2.4           What’s New in ActivClient 6.1 and ActivClient CAC 6.1

ActivClient 6.1 provides the following improvements compared to ActivClient 6.0.

 

Support for Windows Vista (all editions). This also includes support for the new smart card services available with the Windows Vista operating system, such as:

·         Support for Internet Explorer 7 in protected mode,

·         Support for Encrypted File System (EFS),

·         Support for Fast User Switching with smart card PKI login,

·         Support for User Account Control (UAC) wherever applicable.

 

Support for 64-bit versions of Windows: Windows Vista (all editions) and Windows Server 2003:

·         This functionality is provided via a separate installer package, dedicated to the 64-bit operating systems.

·         32-bit wrappers are also available for the ActivClient APIs, for compatibility with 32-bit applications running on the 64-bit operating system.

·         The Entrust Desktop Solution support module is not available in the 64-bit edition.

·         The Outlook usability enhancements are not available in the 64-bit edition.

·         The Check Point SAA support module is not available in the 64-bit edition.

·         Netscape, Mozilla, Firefox and Thunderbird are supported with the ActivClient PKCS#11 library (64- or 32-bit). However, ActivClient 64-bit does not automatically register the PKCS#11 library to these applications; a manual registration is required.

 

Support for Cryptoflex cards (8K, 16K and ActivKey v1) previously deployed with ActivCard Gold 2.3.1:

·         The digital certificates (PKI) and one-time password (OTP) credentials are supported transparently in ActivClient.

·         Static credentials are not supported by ActivClient. Note that SecureLogin SSO provides Single Sign On functionality and is compatible with ActivClient, including with Cryptoflex cards.

·         Note: a utility is available in the ActivClient Resource Kit to retrieve static credentials stored on an ActivCard Gold smart card.

 

Support for new Java Card configurations:

·         Support for the U.S. Department of Defense Common Access Card (CAC) configured with PIV End-Point. ActivClient can be configured to use these CAC cards either in a GSC-IS 2.1 compliant mode or in a PIV compliant mode. The ActivClient CAC package enables by default the GSC-IS compliant mode; the ActivClient package enables by default the PIV compliant mode.

·         Support for the Card Identification Number / Issuer Identification Number (CIN/IIN), compliant with GlobalPlatform 2.1.1 as a unique smart card identifier. For smart cards that don’t have a CIN, the CUID is still supported by ActivClient.

 

One-Time Password improvements:

·         Ability to generate a One-Time Password (OTP) via the ActivClient Agent icon in the Windows system tray.

·         Support for the Check Point SAA API, providing an advanced level of integration with Check Point VPN-1 SecureClient.

 

Packaging and installation improvements:

·         Localizable product: ActivClient 6.1 is now fully localizable. A Localization Kit is available – please contact ActivIdentity for more information.

·         Reduced footprint: The installer package for ActivClient 6.1 is less than 10 MB.

·         Device drivers (for smart card readers and ActivKey) are no longer included in the ActivClient installer package. Device drivers are available directly in Windows, via Windows Update, and using the ActivIdentity Device Installer (a separate installer package included in the ActivClient CD image). Note that in the case of upgrades from previous ActivClient / ActivCard Gold versions that included device drivers, the ActivClient installer offers to install the drivers with the ActivIdentity Device Installer, to guarantee a smooth upgrade.

 

Support for new environments:

·         ActivIdentity products: ActivID CMS 4.0 SP3, SecureLogin SSO 6.1, 4Tress AAA Server 6.5

·         Operating systems: Windows Vista x86, Windows Vista x64, Windows Server 2003 SP2 x86, Windows Server 2003 SP2 x64

·         Remote access (with PKI): Check Point VPN-1 SecuRemote / SecureClient NG AI R56 HFA-03 and NGX R60 HFA-01, Windows Vista dialer and VPN client, Nortel Contivity VPN for Windows v6.01_102

·         Check Point SAA integration (with OTP): Check Point VPN-1 SecuRemote / SecureClient NG AI R56 HFA-03 and NGX R60 HFA-01

·         Browsers: Internet Explorer 7 for Windows Vista, Netscape 8, Firefox 2

·         Email clients: Microsoft Outlook 2007, Netscape 8

·         Citrix: Citrix Presentation Server 4 (x64), Citrix Presentation Server Client v10.0

·         Windows Terminal Server and Remote Desktop: Terminal Server included in Windows Server 2003 x64, Remote Desktop Connection software on Windows Vista (x86 and x64)

·         Other PKI-enabled clients: Entrust Entelligence Security Provider 8.0, Microsoft Office 2007

·         Smart Cards: Gemalto Cyberflex Access 128 K, Oberthur CosmopolIC ID-One 64K v5.4, Sagem PIV Applet version 01 on J-IDMark 64 PIV (card used in PIV mode), StepNexus PIV Application v4.2.1 on Keycorp MULTOS 64K Smart Card (card used in PIV mode), Cryptoflex 8K and 16K and ActivKey v1 (deployed previously with ActivCard Gold 2.3.1)

·         Support for new cards in the PIN Initialization Tool (configuration where the tool loads the applets on the card): Gemplus GemCombi'Xpresso R4 E72 PK, Giesecke & Devrient SmartCafe Expert 64K FIPS-1024

·         Support for Windows Vista (x86 and x64) with the following ActivIdentity Devices: ActivIdentity USB Reader v2 and v3, ActivIdentity PCMCIA Reader v2, ActivKey v1 and v2, ActivKey SIM. Note that the ActivIdentity PCMCIA Reader v1 and Serial Reader (aka SmartReader) are NOT supported on Windows Vista

·         Software distribution: Microsoft SMS 2003 SP2

 

Minor improvements:

·         The Diagnostics Tool reports the OTP information such as counter and clock, for easier troubleshooting.

·         The user interface of the Diagnostics Tool and Advanced Configuration Manager has been updated to use a tree-based approach, providing increased usability and modularity.

·         Certificate thumbprint and thumbprint algorithm are now displayed in the ActivClient User Console.

·         If an incorrect PIN is entered, ActivClient now reports how many PIN attempts are left before the card locks.

·         User Console now displays extended ASCII characters when used in certificate attributes.

 

Two ActivClient 6.1 packages are available: ActivClient 6.1 and ActivClient CAC 6.1. In the CAC edition:

·         Installation and trust of the DoD Root certificates.

·         Certificate and card expiration notification is enabled by default.

·         The configuration option “Prefer GSC-IS over PIV EndPoint” is enabled (it is disabled in ActivClient).

·         The documentation is different in each edition to reflect the feature set of each edition.

 

 

Bug fixes and minor enhancements:

The following is a list of ActivClient issues fixed in this release, followed by the ActivIdentity hot fix reference (if a hot fix has been previously released).

 

Fixes from ActivClient 6.0 (FIXS0611000; FIXS0612000; FIXS0612002; FIXS0612006; FIXS0701000; FIXS0701002; FIXS0701008; FIXS0702003; FIXS0702007; FIXS0702008; FIXS0702013; FIXS0702014; FIXS0702015; FIXS0703000; FIXS0703012; FIXS0703013; FIXS0703014; FIXS0704009, FIXS0704010):

·         Outlook enhancements: No longer prevent reading read-only emails in Public Folders.

·         ACoutCom.dll is digitally signed to avoid Outlook pop-up warnings.

·         BSI information is no longer retrieved from the cache.

·         The XAUTH or PIN access right is now managed correctly.

·         Improved error handling if the default certificate cannot be read from the registry.

·         Card discovery information is no longer stored if a communication error occurred.

·         Fixed issues with the definition of the default container on CAC cards.

·         The default certificate is now recognized after post-issuance.

·         Avoid hang with contactless reader.

·         Avoid infinite “Please Wait” when using contactless reader.

·         Avoid useless entries in the security event viewer.

·         Improvements to guarantee that the PIN is not available via memory dump.

·         Demographic data are no longer stored in memory cache.

·         PIN obfuscation is now enabled by default.

·         PIN obfuscation no longer produces errors in Windows Event Viewer.

·         Fix around the ActivClient Enter PIN dialog box that did not appear in specific use cases.

·         Settings are no longer reset after installing a hot-fix.

·         Standard Profile now supports 16 PKI.

·         “About” dialog box displays correct version number, even when hot fixes are installed.

·         The smart card agent no longer terminates unexpectedly if no software is installed to read RTF files.

·         Added access rights check on Demographic applets to verify if card is CAC.

·         PKCS11 v2.11: CKF_PROTECTED_AUTHENTICATION_PATH is now configurable.

·         CSP: GetKeyParam (KP_KEYLEN) is now supported.

·         The ‘Import Certificates’ menu in the User Console is no longer grayed out in a Terminal Server or Citrix configuration.

·         Compatibility fix for ActivClient Bio Add-On 1.5.

·         Support for Gemalto PIV card.

·         Support for Gemalto Cyberflex Access 128K.

 

Fixes from ActivClient Mini 5.5 (FIXS0610017; FIXS0611010):

·         Support for the Giesecke and Devrient SmartCafe Expert 64K FIPS-1024 card. This card can be initialized.

·         Added the ability for ACOMX to detect if the inserted card has the access right “Never Unlock PIN”.

·         Added traces for the ACOMX and BSI APIs.

 

Fixes from ActivClient 5.4 (FIXS0703002; FIXS0703001; FIXS0702016; FIXS0612008; FIXS0612007; FIXS0611007; FIXS0611006; FIXS0611002; FIXS0611001; FIXS0610032; FIXS0610031; FIXS0610020; FIXS0610019):

·         PKCS11: Fixed crash in C_GetSlotList if the card is removed/inserted/removed.

·         Fixed a regression: crash on Change PIN if the PIN had already been prompted.

·         Avoid crash of Outlook if a contact does not contain an email address.

·         Added support for the PIV Transitional Data Model (0x10).

·         Support for the Giesecke and Devrient Tiger FIPS 1024-bit card.

·         ActivClient and Kiosk interoperability fix: middleware no longer crashes when card is removed during C_Initialize call.

 

Fixes from ActivClient 5.3.1 (FIXS0703011; FIXS0701004; FIXS0611014; FIXS0611003):

·         CSP: Returns SILENT_CONTEXT error instead of displaying Select Card dialog box if workstation is locked.

·         The event raised when a reader is plugged in with a card already inserted is now handled correctly.

 

Fixes from ActivCard Gold 2.3.1 SP1 (FIXS0703006):

·         No more incorrect characters in the OTP if the counter is higher than 0x80000000.

 

 

2.5           What’s New in ActivClient PKI Only 6.0 and ActivClient for CAC – PKI Only 6.0

ActivClient PKI Only 6.0 is a superset of ActivClient Mini. As such, all the improvements of ActivClient Mini 5.5 are also present in ActivClient PKI Only 6.0.

 

ActivClient PKI Only 6.0 provides the following improvements:

·         PIV Endpoint card support (tested at the time of release with the Oberthur ID-One Cosmo 64 v5 and the Gemalto GemCombi'Xpresso R4 E72 PK)

·         PIV API support

·         FIPS 201 certified by NIST

·         DoD PIV Transitional card support

·         Support for PIV Demographic Data in My Personal Info

·         Support for the DoD Middleware requirements v3.0

·         Support for the new 64 CAC cards

·         Support for PIV Endpoint and Transitional cards in the ActivClient Card auto-register

·         Microsoft Outlook Enhancement Improvements

·         PIN Initialization tool can now initialize standalone cards (S1 / S5 / O5, etc…)

·         New end-user notification system (when no smart card reader is connected, when the smart card or the certificates are about to expire or when the smart card is left in the smart card reader while disconnecting from the workstation or when the screen is locked)

 

ActivClient for CAC – PKI Only 6.0 is very similar to ActivClient PKI Only 6.0. In the CAC edition:

·         Installation and trust of the DoD Root certificates.

·         Smart card reader drivers are not installed, to comply with the US DoD middleware requirement specification v3.0

·         Certificate and card expiration notification is turned on by default.

·         The documentation is different in each edition to reflect the feature set of each edition.

 

Updated environment:

·         ActivIdentity CMS 4.0 Support

·         ActivIdentity SecureLogin SSO 6.0 SP1 Support

·         Support for new web browsers (Internet Explorer 7 Beta 3, Firefox 1.7.3, Mozilla 1.7.3, Netscape 7.1 and 4.76)

·         Support for Thunderbird 1.5.0.4

·         Support for Entrust Desktop 7.1 and Entrust Java Toolkit 7.1

·         Support for Windows 2003 R2

·         Support for Citrix Presentation Server Client Packager - Version 9.200

 

New smart cards:

·         Smart cards with PIV application

·         ActivIdentity USB Key SIM V3

 

New smart card readers:

·         Omnikey CardMan 5321 RFID (contact and contactless)

·         SCM SDI010 (contact and contactless)

·         SCM SCR3311

·         SCM SCR3340 (ExpressCard format)

·         Precise 200 Series bio reader

·         Precise 100XS swipe reader

 

 

Upgrades:

ActivClient 6.0 setup supports upgrades from a previous version of ActivClient. The ActivClient setup automatically detects the previous version and replaces it during install. Unless your setup was customized, previous settings will be lost. ActivClient will apply typical settings instead. With ActivClient, you can upgrade from:

·         ActivCard Gold 2.2 CAC (and any SP)

·         ActivCard Gold 2.3.1 (any SP)

·         ActivCard Gold for CAC - PKI Only 3.0 (any FP)

·         ActivCard ActivClient 5.4 PKI Only

·         ActivClient 5.5 Mini

For all other versions not mentioned in the above list, you must uninstall them prior to installing ActivClient.

 

Bug fixes and minor enhancements:

The following is a list of ActivClient issues fixed in this release, followed by the ActivCard hot fix reference (if a hot fix has been previously released).

 

Fixes from ActivClient 6.0 BN 50 (FIXS0610018, FIXS0610030, FIXS0610038):

·         Added support for new custom card profiles (201100000000000000000052, 2011000000000000000000C1).

·         Added support for the Giesecke & Devrient card with Mini Profile.

·         Added the PIV API Java Wrapper.

·         Improved support of PIV End Point cards (including support of SHA256 signed buffers).

·         Improved interoperability with AAA Server (standalone initialization support).

·         Improved interoperability with ActivIdentity Kiosk.

·         Improved interoperability with ActivIdentity SCPL.

·         Improved interoperability with ActivIdentity SecureLogin SSO.

·         Fixed acevent service hang for Citrix on Windows 2000.

·         Fixed ActivKey v2 and ActivKey SIM driver issue (compatibility with anti-virus).

·         Fixed SmartReader driver install issue.

Note: ActivClient 6.0 is available both as an MSI (for new installations) and as an MSP (for upgrades from BN50).

 

Fixes from ActivClient Mini 5.5 (FIXS0609002, FIXS0607011, FIXS0606005):

·         New configuration for the polling period of the smart card reader plug/unplug detection.

·         Resolved an issue that prevented booting in Safe Mode.

·         Added support for the Gemplus GemXpresso 64k R4 E72 PK card. Added support for profile 2010000000000000000000BF.

 

Fixes from ActivClient PKI Only 5.4 (FIXS0506003, FIXS0506009, FIXS0506013, FIXS0506030, FIXS0509008, FIXS0509015, FIXS0510011, FIXS0510013, FIXS0510017, FIXS0510020, FIXS0511005, FIXS0512005, FIXS0512007, FIXS0512011, FIXS0512012, FIXS0601003, FIXS0601004, FIXS0601006, FIXS0601007, FIXS0601011, FIXS0601012, FIXS0601016, FIXS0601017, FIXS0601020, FIXS0602001, FIXS0602004, FIXS0602006, FIXS0602007, FIXS0602009, FIXS0602010, FIXS0602012, FIXS0602019, FIXS0602020, FIXS0603001, FIXS0603003, FIXS0603009, FIXS0603028, FIXS0603034, FIXS0603037, FIXS0604001, FIXS0604009, FIXS0605000, FIXS0605011, FIXS0606002, FIXS0606004, FIXS0606008, FIXS0606012, FIXS0607009, FIXS0607017, FIXS0607021, FIXS0608001, FIXS0608003, FIXS0608004, FIXS0608006, FIXS0608008, FIXS0608010, FIXS0608017, FIXS0609008, FIXS0609011, FIXS0609014):

·         PKCS#11 and applets V1: improved performance when returning the amount of free space on the smart card.

·         PKCS#11 v2.11: Added support for unplugging the smart card reader in the C_WaitForSlotEvent function.

·         Outlook Enhancement: Now uses email address instead of name for searching contact.

·         CSP: Returns SILENT_CONTEXT error instead of displaying Select Card dialog box if workstation is locked.

·         Modified to use the Signing certificate for Windows PKI logon with V2 CAC cards.

·         Fixed an ActivClient hang with PKCS#11 when used by SecureLogin SSO.

·         Improved performance with PKCS#11 when used with SecureLogin SSO.

·         PKCS#11: solved a crash if the PKCS#11 DLL is unloaded before the application calls C_Finalize.

·         PKCS#11 2.01: Avoid BSOD with continuous Smartcard Insertion/Removal at GINA (AA Client).

·         CAC V1: User console correctly displays Personal Info even if some demographic applets are missing.

·         Always free data cache on card removal. Certificate data are correctly stored in data cache. Improve PKI unlock performance.

·         Applets V1: the default certificate flag is no longer stored in the data cache, to allow the end user to change this value.

·         Solved a blue screen on ActivKey removal in some rare cases.

·         Added the capacity to lock down the smart card readers that can be used by ActivClient (AuthorizedReadersList feature).

·         Resolved system unresponsiveness during screen PKI unlock in some rare cases.

·         No longer need to re-install all USB drivers after uninstalling the ActivIdentity USB Reader V3.

·         PKCS#11: Private keys are no longer incorrectly reported as exportable.

·         The static unlock code is now correct after resetting and re-initializing a card on which dynamic unlock could not be performed.

·         Outlook Usability Enhancements: Now retrieves the sender email address from the certificate if available.

·         PKCS#11 2.11: Add limited support for CKU_SO.

·         Change PIN at first use is now displayed after a Windows PKI unlock.

·         Ensure that the PIN code does not stay in clear in memory.

·         Added the capacity to prevent the user from reusing the current PIN code when performing a Change PIN operation.

·         Added support for the Windows+L shortcut to lock workstation on XP.

·         Solved a crash on PKCS#11 when the smart card is removed from the reader during a C_Finalize call.

·         Solved a 30-second delay on boot.

·         The ActivClient CSP now uses DER encoding for the CKA_SERIAL_NUMBER as required by PKCS#11 for X509 certificates.

·         Added the option to prevent the user from cancelling the Change PIN After First Use operation (DisableCancelChangePINatFirstUse).

·         Added the option to send the PIN to the smart card even if the PIN is smaller than the Minimum PIN Length (DisablePINPolicyVerificationBeforePINCheck).

·         Improved SCPL performance at OS boot time.

·         SecureLogin SSO: Retrieve the Trinity windows credentials stored on the smart card for migration.

·         Added a confirmation message after a successful change PIN on first use after a Windows PKI logon.

·         PKCS#11: Set the CKF_PROTECTED_AUTHENTICATION_PATH flag to the flags of TokenInfo.

·         PKCS#11 SDK: Allow signing with CKM_RSA_X_509 mechanism.

·         Added support for Card Profile 2011000000000000000000B8 (This may require Entrust Entelligence Desktop Manager 7.0 patch 97257).

·         Added configuration to turn off the certificate pre-caching before Windows login.

·         SDK: PKCS#11 2.11: C_Login can be called with a NULL PIN and will display the ActivClient Enter PIN dialog.

·         CAC Profile V2: The ActivClient User Console now displays correctly the name of the encryption certificate and signature certificate.

·         Added a configuration to turn off the smart card auto-registration (This prevents PC/SC from taking 100% CPU for some type of cards).

·         Added support for use of both synchronous/asynchronous OTP with the same smart card.

·         GscBsiGcReadValue now returns the value zero instead of an UNKNOWN_ERROR error if the value length is zero.

·         Lock the workstation on card removal if card is used for PKI logon/unlock even in 'PIN per process' mode.

·         Added support for Card Profile 2010000000000000000000BE. Added support for the Axalto Cyberflex Access 64K v2c smart card.

·         Added support for the Card Profile 201100000000000000000038.

·         OTP logins are no longer displayed if the option to display the logins is disabled.

·         The smart card is now logged out if the Change PIN On First Use dialog box is cancelled after a Windows PKI logon.

·         Added support for the Oberthur CosmopolIC 64K V5.2 Fast ATR. Added support for Card Profile 2011000000000000000000A9.

·         SDK: PKCS#11 2.11 Fixed an issue when writing a certificate to the smart card using PKCS#11.

·         PIN per process configuration: PIN is now prompted even if the Screen Saver password is turned on.

·         PIN per process configuration: Entering a wrong PIN in a PKCS#11 application no longer affects other PKCS#11 applications.

·         Fixed an issue that made the system unresponsive during screen unlock in some rare cases.

·         Outlook Enhancement: Auto Decrypt feature no longer removes the signature from the e-mail.

 

Fixes from ActivClient PKI Only 5.3.1 (including FIXS0607014, FIXS0606015 and FIXS0510013):

·         Solved a 2-minute timeout during workstation unlock when the ActivClient User Console is opened with a smart card containing PIN-protected OTP information.

·         Allows download of more than one smart card login or enrollment agent certificate on the user smart card. (Before issuing the second certificate on the same smart card, the user must set the option 'Temporary use no default certificate' under 'My Certificate Tasks' in the ActivClient User Console. This behavior is only valid as long as the end user does not set a default certificate manually, remove the card, log out or restart the PC.)

·         Avoid crash of the Advanced Diagnostics Tools, User Console/About, Smart Card Agent/About when too many Windows hot-fixes are installed.

·         V2 Applet Performance Improvements.

·         Data cache re-initialization no longer prompts for the PIN code if PIN code is still present in PIN cache.

·         The C_Logout function no longer disables the PIN status for other processes when using the PIN Caching 'per process mode'.

·         Entering an incorrect PIN code in a PKCS#11 application no longer affects other PKCS#11 applications.

·         Improved the Windows PKI unlock performance after a manual unlock.

·         Improved the auto configuration of the default certificate.

·         Removed deadlocks when inserting a locked card to perform a Windows PKI unlock.

·         Added new feature: periodic polling of smartcard reader presence.

·         Quitting an application without disconnecting from the smart card no longer prevents other applications from working properly.

·         PKCS#11: Opening a second session after a smart card removal/insertion no longer resets the first session state.

 

 

3.              KNOWN PROBLEMS, SYSTEM REQUIREMENTS AND LIMITATIONS

This section describes issues known by ActivIdentity as of the release date, but which have not been addressed in the current product version. When possible, fixes and workarounds are suggested. This section also describes known limitations of this release.

 

3.1           Supported Platforms

The following operating systems are supported by ActivClient 32-bit: Microsoft Windows 2000 SP4, Windows XP Professional (SP1, SP2 and SP3), Windows XP Home Edition (SP2 and SP3), Windows Vista (no Service Pack, SP1 and SP2), Windows 7, Windows Server 2003 (SP1, R2 and SP2) and Windows Server 2008 (no Service Pack, SP2 and R2).

 

The following operating systems are supported by the ActivClient 64-bit: Windows Vista (no Service Pack, SP1 and SP2), Windows 7, Windows 2003 Server (SP1, R2 and SP2) and Windows Server 2008 (no Service Pack, SP2 and R2).

 

The following operating systems are NOT supported: Windows XP x64, any IA64 edition of Windows, Windows Me, Windows NT4, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Microsoft Windows 98 First and Second Edition and any prior Windows version. On Windows XP (Pro and Home Edition), Fast User Switching is not supported.

 

3.2           Installation and Uninstallation

Before you install/uninstall/upgrade ActivClient, you must remove your smart card from the smart card reader.

 

Windows local administrative privileges or domain administrative privileges are required to install/uninstall ActivClient.

 

Close all opened applications before you install or uninstall ActivClient.

 

Do not install another application while using the ActivClient setup.

 

3.2.1.           Installing

If Microsoft Script Debugger is installed on your workstation, a Microsoft Script Debugger error message may appear during the ActivClient setup. Ignore this error message.

 

Running the setup from a .zip file is not supported. First unzip the installation files into a temporary folder and then launch the setup from that folder.

 

In some cases, when you copy the ActivClient installation files to a disk with a FAT32 file system, you may see a “Confirm Stream Loss” error message. When asked if you want to proceed, click Yes and continue the installation.

 

For the best visual experience on Windows 2000 while using the PIN Change Tool and the PIN Initialization Tool, it is suggested to install Microsoft GDI+. Otherwise the background bitmap will not be displayed in those tools. Windows XP and Windows Server 2003 users do not need to install GDI+ as it is already included in those versions of Windows. Microsoft GDI+ is freely available from: http://www.microsoft.com/downloads/details.aspx?FamilyID=6a63ab9c-df12-4d41-933c-be590feaa05a&DisplayLang=en

 

If you copy the CD image to a network drive, the welcome page (start.exe) will not work if the path is longer than 113 characters. Use Product\Setup.exe directly instead.

 

On Windows Vista (and later Windows versions), when you run the ActivClient installer, you may see a filename such as 226ac5.msi – this name is automatically generated and is the internal InstallShield file name for the ActivClient MSI.

 

On Windows Server 2008 – Server Core edition, install ActivClient from the command line using the msiexec command. As Internet Explorer is not present on the Server Core edition, ActivClient components related to Internet Explorer will not work.
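An unattended install of that kind from the Server Core command prompt, as an added example that is not part of the ActivClient release notes. The MSI and log paths are placeholders; the msiexec switches (/i, /qn, /norestart, /l*v) and the exit codes 0 and 3010 (success, and success with a reboot required) are standard Windows Installer behaviour, not something specific to ActivClient:

```batch
@echo off
rem Added example, not part of the ActivClient release notes.
rem Unattended ActivClient install on Windows Server 2008 Server Core. Internet
rem Explorer is absent there, so the ActivClient IE-related components will not work.
rem Placeholder paths: take the MSI from your ActivClient CD image.
set MSI=C:\Install\ActivClient.msi
set LOG=C:\Install\ActivClient-install.log

rem /qn = no UI, /norestart = never reboot by itself, /l*v = verbose log for support.
rem "start /wait" makes the script block until msiexec returns its exit code.
start /wait "" msiexec.exe /i "%MSI%" /qn /norestart /l*v "%LOG%"
set RC=%ERRORLEVEL%

if %RC%==0 (
    echo ActivClient installed.
    exit /b 0
)
if %RC%==3010 (
    echo ActivClient installed; a reboot is required before the product is usable.
    exit /b 0
)
echo msiexec failed with exit code %RC%; see "%LOG%"
exit /b %RC%
```

Exit code 3010 is the one to expect on x64 platforms, where the setup requires a reboot; because /norestart suppresses the automatic restart, the script reports it and leaves the reboot to the administrator. The verbose log is what ActivIdentity support would ask for if the install fails.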

 

If you try to install the ActivIdentity Authentication Client 2.0 on a workstation where ActivClient 6.2 is already installed, it will report that ActivClient is not installed. Use ActivIdentity Authentication Client 2.0.1 instead as it supports ActivClient 6.2. Also, make sure to install ActivIdentity Authentication Client AFTER ActivClient.

 

If you install ActivClient on an x64 platform, you need to reboot at the end of the setup.

 

3.2.2.           Upgrading

When upgrading from ActivCard Gold (any versions), the password management features are no longer available.

 

When upgrading from ActivCard Gold (any version) and using an ActivIdentity smart card reader, the user must be logged on to Windows using a static password that was manually typed. If this is not the case, the Windows screen lock may be triggered during the upgrade of the ActivIdentity smart card reader drivers and the user will not be able to use the smart card until the upgrade is completed. This issue appears if you upgrade by using the ActivClient MSI directly; it does not appear if you use the recommended setup.exe.

 

When upgrading from a previous ActivClient version, ActivClient will reuse the installation directory that was used in the initial installation. This does not apply to upgrades from ActivCard Gold.

 

When you install an ActivClient update (MSP file) on Windows Vista, you may see a message stating that the ActivClient Agent is running. Press OK to continue the installation.

 

When you install ActivClient 6.1 Service Pack 2 (MSP file) on Windows Vista, you will see a message stating that “an unidentified program wants access to your computer”. Authenticate to continue the installation.

 

 

3.2.3.           Uninstalling

To uninstall the product, use the Add/Remove Programs in the Windows Control Panel. Do NOT delete DLLs or files manually. ActivClient uses shared libraries. Deleting libraries may lead to subsequent problems when a new version is installed.

 

Due to a Microsoft Windows Installer limitation, when adding a feature during the modify process, you may be prompted for the source media (that is, the CD-ROM, local or remote directory).

 

A very small number of registry keys (including user registry keys) may be left behind after you uninstall the software. This has no adverse effect on the behavior of the workstation or on a future re-installation process. See the ActivClient Administration Guide for more information.

 

On Windows Vista (and later Windows versions), if you choose to uninstall ActivClient, you will see a warning: "Don't run this program unless you know where it is from and you used it before" -- this is a Windows limitation for MSI-based installers. You can safely proceed with the uninstall.

 

3.2.4.           Repairing

When repairing the installation, the default configuration is restored. Note: This may erase any change in the configuration, even configuration that was set by a customized setup or upgrade.

 

On Windows Vista (and later Windows versions), if you open Add/Remove Programs from the Windows Control Panel, the Repair button is not available for ActivClient. To access the repair feature, double click on the ActivClient entry – the installer starts, providing you with a Repair option.

 

3.2.5.           Software Deployment with Microsoft SMS

If the user is logged on while a remote SMS installation of ActivClient is performed, the ActivClient Agent icon is not started automatically. The user can either perform a logout and then a logon or start the ActivClient Agent manually from the startup folder.

 

The ActivClient Agent icon is still active after a remote uninstall with SMS. You must log off and log on again for the uninstall to be completely effective. Use the install process to configure SMS so that it requests logoff/logon after package uninstallation.

 

When ActivClient is removed by SMS, it still appears in Add/Remove Programs in the Windows Control Panel. When you try to uninstall, an error message appears the first time, then the option disappears.

 

3.3           ActivClient PKI Services

3.3.1.           Automatic Certificate Availability

Certificate availability options are only applicable to user certificates, not CA certificates.

 

If you use ActivClient automatic certificate registration (enabled by default), we recommend that you disable the equivalent Windows certificate propagation feature. For some smart card configurations (such as the DoD Common Access Card, the US Government PIV card, and cards issued by ActivID CMS), the ActivClient mechanism, unlike the Windows one, sets a “friendly name” on each registered certificate, which helps users tell the certificates apart. To guarantee that ActivClient is the component that registers the certificates (and therefore sets the friendly name), disable the Windows mechanism. On operating systems prior to Windows Vista, under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp, set the “Enabled” value to 0. On Windows Vista and later, disable the “Certificate Propagation” service.

 

On Windows Vista (and later Windows versions), some ActivClient services may start slowly, which delays automatic certificate registration. Windows Vista starts user processes at “BelowNormal” priority to speed up service startup; this is by design. Once all services are started, user processes such as certificate registration return to “Normal” priority and become responsive. The ActivClient Agent icon in the Windows notification area shows the ActivClient availability status.

 

The ActivClient “Remove certificates from Windows on logoff” option requires the card to still be inserted in the reader during the logoff operation. It is not compatible with "logoff on card removal".

 

3.3.2.           Windows PKI Logon

If your smart card has been configured so that you are required to change your PIN code on first use, and if the first application you log on to is Windows PKI Logon, then you will immediately be prompted to change your PIN code after you have logged on.

 

If you insert a new smart card type (not supported by ActivClient by default) during Windows PKI logon, the following message appears:

"The card supplied drivers are not present on this system. Please try another card."

Remove the card and reinsert it. The card will then be automatically registered to the system for regular usage (if the system recognizes the card and the ActivIdentity applets supported by this version of ActivClient).

 

After a Windows PKI logon, if you enter a wrong PIN code when unlocking a locked workstation, the message "Cannot unlock desktop and can be unlocked only by the user or administrator" is displayed instead of "Incorrect PIN". This message comes from Microsoft Windows.

 

If you enter too many incorrect PIN codes, the warning "Last Attempt" is not displayed during a Windows PKI login. This is due to Microsoft Windows calling the ActivClient CSP in silent mode.

 

In some limited use cases, when setting ActivClient smart card removal policy to “lock” or “log off” on smart card removal, the workstation may lock or log off even if the smart card removed has not been used for Windows PKI unlock or Windows PKI Logon.

 

The Windows PKI unlock workstation operation may take longer on Windows XP SP2 than on Windows XP SP1, because Windows XP SP2 performs additional digital signatures with the smart card.

 

The ActivClient “card removal behavior” configuration (enabled by default and set to “lock workstation”) should be used instead of the equivalent Windows behavior. This matters especially on workstations where several smart cards may be inserted: only the ActivClient feature guarantees that the session is locked solely when the card that was used to log on to Windows is removed. To disable the Windows feature on operating systems prior to Windows Vista, use the Microsoft Group Policy MMC snap-in and set Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Smart Card Removal Behavior to “No action”. On Windows Vista and later, disable the “Smart Card Removal Policy” service.
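The following PowerShell script is an added example, not part of these release notes or of the ActivClient product. It applies the two recommendations of sections 3.3.1 (certificate propagation) and 3.3.2 (smart card removal behavior) from an administrative prompt, and a -Check switch only reports the current state. It assumes the Windows Vista and later service names CertPropSvc (“Certificate Propagation”) and SCPolicySvc (“Smart Card Removal Policy”), and that on earlier Windows versions the “Smart Card Removal Behavior” policy is stored as the Winlogon ScRemoveOption string value (“0” = no action); verify both assumptions against your own build before deploying.

```powershell
# Added example, not ActivIdentity code: disable the Windows mechanisms that
# compete with ActivClient certificate registration and card removal handling.
# Assumptions (verify on your build): Vista+ service names CertPropSvc and
# SCPolicySvc; pre-Vista policy stored as Winlogon\ScRemoveOption ("0" = no action).
# Usage:  .\Set-ActivClientWindowsPolicy.ps1 -Check   (report only)
#         .\Set-ActivClientWindowsPolicy.ps1          (apply; run as administrator)
param([switch]$Check)

$preVista   = [Environment]::OSVersion.Version.Major -lt 6
$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$scCertProp = Join-Path $winlogon 'Notify\ScCertProp'

function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { Write-Warning "$Path not found"; return }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    Write-Host ("{0}\{1} = {2}" -f $Path, $Name, $current)
    if ($Check -or "$current" -eq "$Value") { return }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
    Write-Host ("  -> set to {0}" -f $Value)
}

function Disable-WindowsService([string]$Name) {
    # Win32_Service exposes StartMode on every PowerShell version (Get-Service does not)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { Write-Warning "service $Name not present"; return }
    Write-Host ("{0}: state={1} startmode={2}" -f $Name, $svc.State, $svc.StartMode)
    if ($Check) { return }
    if ($svc.State -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    Write-Host "  -> stopped and disabled"
}

if ($preVista) {
    # Windows XP / Server 2003: Winlogon notification package and removal policy value
    Set-RegValue $scCertProp 'Enabled'        0   'DWord'
    Set-RegValue $winlogon   'ScRemoveOption' '0' 'String'
} else {
    # Windows Vista and later: the same features are implemented as services
    Disable-WindowsService 'CertPropSvc'   # "Certificate Propagation"
    Disable-WindowsService 'SCPolicySvc'   # "Smart Card Removal Policy"
}
```

On a domain-joined workstation, a local write of ScRemoveOption is overwritten at the next Group Policy refresh; the release notes' instruction to set the policy itself to “No action” is the durable fix, and the script is then only useful in -Check mode to confirm the result. The same certificate propagation setting is the fix given for Check Point SecureClient in section 3.3.10.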

If you install ActivClient on a Citrix server, then the opposite configuration should be set (enabling the Windows feature, disabling the ActivClient feature) to provide a session disconnect on smart card removal. See the Citrix section for details.

 

If you enable both ActivClient “card removal behavior” and the equivalent Windows policy, and set them to different actions (one set to lock, one set to logoff), then unexpected behaviors may happen – both for interactive logon and also within Citrix and Terminal Server sessions.

 

To perform a Windows PKI logon with a Cryptoflex 8K, you must select a default certificate with the ActivClient User Console – the automatic certificate selection is not available due to the PIN-protected status of the certificates on this card.

 

The ActivClient “Enable performance logging for Windows PKI Smart Card Logon” option allows tracing detailed information during a Windows PKI logon operation. On Windows Vista, the smart card must have been inserted in the smart card reader right before the Windows PKI logon operation to have the PKI logon performance reported.

 

If you lock your smart card by entering several incorrect PIN codes, ActivClient reports the card as “locked”. However, if you attempt to login to Windows with this card, Windows will report this card as “blocked”; this is a Microsoft error message.

 

On Windows Vista (and later Windows versions), if you remove your smart card shortly after logging in to Windows with the card and if ActivClient is configured for screen lock on card removal, the screen may not lock; this is due to the fact that some ActivClient components are not started yet. The card removal triggers the screen lock when Windows Vista has finished loading the necessary ActivClient processes and assigned them a “Normal” priority.

 

3.3.3.           Microsoft Outlook

Clicking <Cancel> in, or closing, the "Enter PIN" dialog when signing an email message causes the dialog to reappear several times before the operation is aborted.

 

After receiving a signed email message, in some cases, repeatedly clicking <Cancel> in the PIN dialog box may trigger the message "Can't open this item. Your key set cannot be found by the underlying security system."

 

To decrypt an email with Outlook, you must install Microsoft Enhanced CSP on the computer. This update is sometimes referred to as "the 128-bit version of Microsoft Internet Explorer."

 

Outlook certificate operations (including the Outlook Usability Enhancements) do not function properly when the user certificates are not trusted. Make sure that the issuing CAs are trusted by Microsoft CAPI.

 

3.3.4.           Microsoft Outlook Usability Enhancements

The “Automatically add sender’s certificate to Outlook Contacts” feature prompts the user even if the certificate is already present.

 

When the option "Automatically add sender’s certificates to Outlook Contacts" is enabled and the "Contacts" folder is empty, it is not possible to cancel the operation of adding the certificate for the first received signed email.

 

When Microsoft Outlook is configured for Internet Mail Only, you need to first create a contact so that ActivClient can update it with all the correct information. In other configurations, the contact is created automatically.

 

In some configurations, when a certificate is being registered, the following warning message appears:

"A recently installed program may cause Microsoft Office or other e-mail-enabled programs to function improperly. Outlook can resolve this conflict without affecting the program that originally caused the problem. Do you want Outlook to resolve this problem?" Select No.

 

If Outlook displays the error message "Your Digital ID name cannot be found by the underlying security system." while you are trying to send a signed or an encrypted email message, then you must select the appropriate certificate from the Outlook Security settings.

 

Updating the ActivClient configuration for Outlook Enhancements (for example in the Advanced Configuration Manager) should be performed when Microsoft Outlook is closed. If changes are performed when Outlook is open, you may need to close and restart Outlook and re-insert the card for the changes to apply.

 

If the ActivClient Auto-Contact or Auto-Decrypt features (part of the Outlook Enhancements) are installed and enabled on a workstation with Outlook 2003, and the workstation is then upgraded to Outlook 2007, these services are no longer active. This is a Microsoft Office limitation: Microsoft offers no way to carry third-party extensions (Exchange Client Extension ECF files) over such an upgrade. After the Outlook upgrade, users can run the “repair” operation (from the Add/Remove Programs applet in the Windows Control Panel), which moves the ActivClient extension to the new Outlook location. Note: the repair operation can also be performed with the msiexec /f command, and can be pushed remotely to user workstations with software deployment tools such as Microsoft SMS. If you use Active Directory / Group Policy Objects to deploy ActivClient, there is no option to repair software remotely; in that case, delete the HKEY_LOCAL_MACHINE\SOFTWARE\ActivIdentity\ActivClient\InstalledSmartCardMiddleware registry key and then “redeploy” the ActivClient package. (54449)
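The PowerShell below is an added example, not ActivIdentity code, showing how an administrator would script the two remedies just described: the msiexec /f repair, and the registry key removal that precedes a GPO redeployment. It assumes administrative rights, that the ActivClient entry under the Uninstall registry key is named by its MSI ProductCode GUID (true for MSI-installed products), and that its DisplayName starts with “ActivClient”; the log file location is the script's own choice.

```powershell
# Added example, not ActivIdentity code: repair ActivClient from the command
# line (msiexec /f) or reset it for a GPO redeployment, as the release notes
# describe. Assumptions: run as administrator; the product's Uninstall subkey
# name is its MSI ProductCode GUID; DisplayName starts with "ActivClient".
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-ActivClientProductCode {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            # MSI products are keyed by their ProductCode: {8-4-4-4-12 hex digits}
            if ($props.DisplayName -like 'ActivClient*' -and
                $key.PSChildName -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
                return $key.PSChildName
            }
        }
    }
    return $null
}

function Repair-ActivClient([switch]$Quiet) {
    $code = Get-ActivClientProductCode
    if (-not $code) { throw 'No MSI-installed ActivClient product found' }
    # /fomus = Windows Installer default repair set: o = reinstall missing or
    # older files, m/u = rewrite machine and per-user registry entries,
    # s = rewrite shortcuts. /l*v keeps a verbose log for troubleshooting.
    $log     = Join-Path $env:TEMP 'ActivClient-repair.log'
    $msiArgs = "/fomus $code /norestart /l*v `"$log`""
    if ($Quiet) { $msiArgs += ' /qn' }
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    Write-Host ("msiexec exit code {0} (0 = success, 3010 = reboot required); log: {1}" -f $p.ExitCode, $log)
    return $p.ExitCode
}

# Active Directory / GPO deployments cannot repair remotely: remove the marker
# key named in the release notes, then redeploy the package through GPO.
function Reset-ActivClientForGpoRedeploy {
    $marker = 'HKLM:\SOFTWARE\ActivIdentity\ActivClient\InstalledSmartCardMiddleware'
    if (Test-Path $marker) {
        Remove-Item -Path $marker -Recurse
        Write-Host "Removed $marker; now redeploy the ActivClient package via GPO."
    } else {
        Write-Host "$marker not present; nothing to reset."
    }
}

Repair-ActivClient -Quiet
```

For SMS-style pushes, deploy the script (or the equivalent msiexec command line with the product code filled in) as a program that runs with administrative rights; the exit code of msiexec is returned so the deployment tool can flag workstations that still need a reboot.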

 

If you use ActivClient to automatically configure your Outlook security profile, and if you uninstall ActivClient, and then try to send a signed email, you will see an error: "An error occurred in the underlying system”. To solve this issue, you need to delete the Outlook security profile after ActivClient un-installation. (57870)

 

If you enable the ActivClient Auto-Decrypt feature and use Outlook 2000 SP3, make sure that you also install the Microsoft hot fix referenced in the Microsoft Knowledge Base article KB905646. If you do not install this fix, then attachments may disappear when the decrypted emails are saved. (58462)

 

The ActivClient Publish to GAL feature relies on an authenticated connection to Exchange / Active Directory. If Outlook prompts you for the Exchange password on logon / reconnect (instead of authenticating you automatically by leveraging your Windows authentication), then ActivClient is not able to connect to Exchange and to publish your certificates to the GAL. In such a configuration, you can publish your certificates to the GAL by using the ActivClient User Console – Tools – Advanced – Publish to GAL menu. (58442)

 

3.3.5.           Internet Explorer

In some cases, the certificate friendly name is not set. We recommend that you disable the Microsoft certificate propagation mechanism, to ensure that ActivClient sets the certificate friendly name. For more information, see the ActivClient Administration Guide, in the section describing the policy “Make certificates available to Windows on card insertion”.

 

Depending on the security policy of your smart card, certificate update/renewal operations through the web browser or the MMC certificate snap-in may not be allowed. In that case the content of the card is not modified, even though in some cases no error message is displayed. This also applies to U.S. Department of Defense-issued Common Access Cards (CAC).

 

The U.S. Department of Defense-issued Common Access Cards' certificate names are not differentiated in the Internet Explorer browser. When visualizing card certificates in an IE browser or during an SSL authentication, all three certificates have the same name. The workaround is to use the friendly name (ID, Signature or Encryption certificate) visible in the same window. This also applies to FIPS 201 compliant PIV cards.

 

If you perform a certificate request using Internet Explorer when the card is full, the default certificate is replaced by the recovered certificate. To present a warning to users before this replacement takes place, set the ActivClient registry value HKLM\Software\ActivCard\ActivClient\CSP\EnableReplaceCertDisplay to 1.

 

If you use Internet Explorer 8 or higher, there may be several iexplore.exe processes running. If you have configured ActivClient PIN Cache service in “per process” mode, then you may see multiple PIN prompts from within Internet Explorer (1 per process). The default configuration for ActivClient PIN Cache service is “per session” and it will not display this behavior.

 

3.3.6.           Windows EFS

For detailed information about Microsoft Encrypting File System, you may refer to Microsoft documentation such as:

http://www.microsoft.com/technet/windowsvista/security/protect_sensitive_data.mspx#EGJAC

http://windowshelp.microsoft.com/Windows/en-US/Help/196e3453-e553-4af3-8220-bdee6e60148c1033.mspx

 

In some rare conditions, when trying to encrypt a file with a new encryption certificate (on a machine where a different encryption certificate was used previously), Windows will prompt the user that a restart is required. This issue is fixed with Windows Vista Service Pack 1.

 

ActivClient includes an automatic EFS configuration feature (by automatically selecting the smart card certificate that EFS will use). This configuration option, “Configure Windows EFS with smart card certificate”, is enabled by default. This option is applicable only for the initial configuration. If you want to update the EFS certificate later and re-encrypt your files with a new certificate, you will need to use the “Manage your encryption certificate wizard” – see the ActivClient User Guide for details.

 

3.3.7.           Firefox / Thunderbird

The card authentication certificate of a PIV smart card is not displayed by Firefox. This is because the Web browser does not support empty subject names.

 

Before installing the ActivClient Firefox / Thunderbird support module, close Firefox and Thunderbird. In addition, do not leave any PIV end-point smart card inserted in the smart card reader while removing this module.

 

When using a PIV card for email signature on Thunderbird, the ActivClient PIN Caching setting should be enabled.

 

In some rare cases, when installing the ActivClient Firefox support module on a workstation with Firefox 3, you may see an error: “modutil.exe - The application failed to start because MOZCRT19.dll was not found. Re-installing the application may fix the problem.” The issue is caused by the modutil.exe component used to register the PKCS#11 library into Firefox. If you have this issue, two workarounds are available:

·         Ignore the error messages and manually add the ActivClient PKCS#11 module in Firefox; see the ActivClient Installation Guide for details.

·         Before installing ActivClient, add the Firefox path in the PATH environment variable (right-click on “My Computer”, Properties, Advanced Tab, “Environment Variables” button, system variables, select path, edit, add the Firefox path at the end of the value.)
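The script below is an added example, not ActivIdentity code, that performs the second workaround without the GUI: it locates the Firefox 3 directory that actually contains MOZCRT19.dll (the runtime modutil.exe fails to load) and appends it to the machine PATH only if it is not already present. It assumes Firefox is installed under a Program Files folder, that it runs as administrator, and that the ActivClient installer is started in a new process afterwards so that it sees the updated PATH.

```powershell
# Added example, not ActivIdentity code: add the Firefox 3 install directory
# (which ships MOZCRT19.dll) to the machine PATH before installing the
# ActivClient Firefox module. Assumptions: Firefox under a Program Files
# folder; run as administrator; start the installer in a new process afterwards.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Find-FirefoxDir {
    foreach ($root in $searchRoots) {
        $dir = Join-Path $root 'Mozilla Firefox'
        # Require the DLL itself, not just firefox.exe: later Firefox builds may not ship it
        if ((Test-Path (Join-Path $dir 'firefox.exe')) -and
            (Test-Path (Join-Path $dir 'MOZCRT19.dll'))) {
            return $dir
        }
    }
    return $null
}

function Add-ToMachinePath([string]$Dir) {
    $current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = $current -split ';' | Where-Object { $_ }
    # -eq is case-insensitive in PowerShell; trailing backslashes are ignored too
    if ($entries | Where-Object { $_.TrimEnd('\') -eq $Dir.TrimEnd('\') }) {
        Write-Host "Already in machine PATH: $Dir"
        return $false
    }
    [Environment]::SetEnvironmentVariable('Path', ($current.TrimEnd(';') + ';' + $Dir), 'Machine')
    Write-Host "Appended to machine PATH: $Dir"
    return $true
}

function Remove-FromMachinePath([string]$Dir) {
    # Undo step for after the ActivClient installation has completed
    $current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $kept    = $current -split ';' | Where-Object { $_ -and ($_.TrimEnd('\') -ne $Dir.TrimEnd('\')) }
    [Environment]::SetEnvironmentVariable('Path', ($kept -join ';'), 'Machine')
}

$ffDir = Find-FirefoxDir
if (-not $ffDir) {
    throw 'No Firefox directory containing MOZCRT19.dll found; use the manual PKCS#11 module registration instead'
}
Add-ToMachinePath $ffDir
```

Putting an application directory on the system PATH widens the DLL search path of every process on the workstation, so prefer the first workaround (manual PKCS#11 module registration) where it is practical, and call Remove-FromMachinePath once the ActivClient installation has finished.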

 

3.3.8.           Entrust Entelligence Desktop Solution

When performing an Entrust Profile recovery, the ActivClient PIN may be requested four times even after canceling each time.

 

Entrust RA may delete an existing X509 certificate on the card when a new Entrust profile is created with Entrust RA.

 

The PIN may be requested several times during a profile recovery with Entrust RA.

 

The “Always ask the PIN code before performing any other operation” option is not compatible with Entrust support due to the way Entrust Desktop Solution uses the smart card.

 

Using the ActivClient user interface, it is possible to change the current smart card PIN code. Doing this while logged on to an Entrust session leads to a session break because Entrust is still using the old PIN code. Log out from Entrust before changing the PIN code with ActivClient.

 

It is not possible to create an Entrust profile on a card, when the card already contains one.

 

The Entrust SSO product is supported only with the ActivClient PKCS #11 v2.x library.

 

If the Entrust application tries to access the smart card resource manager and an error is logged in the event viewer stating that the Entrust service is not responding, ignore this event if the service is correctly started.

 

Entrust Entelligence Desktop Solution uses its own PIN caching mechanism, independent of ActivClient PIN policies. As a consequence, after you log off from Windows, Entrust will still allow you to access your smart card for PIN-protected operations (without requiring any PIN entry), while ActivClient will require you to enter the PIN for non-Entrust operations.

 

If your smart card is full for digital certificates (that is, does not contain any available PKI applet instance), and if you perform an Entrust profile recovery, the old Entrust keys are maintained on the card, available to Entrust Entelligence applications. Also, as long as the old Entrust certificates are still available in the user’s Microsoft CAPI store, the associated keys are available to Microsoft CAPI-based applications (such as Outlook).

 

If your smart card already contains a secure channel protected X509 certificate, and you want to download an Entrust profile using Entrust Desktop Solution 7.0, you will need to install the following Entrust fix: Entrust Entelligence Desktop Manager 7.0 patch 97257.

 

In some configurations, if you encrypt a file with Entrust right after the creation of an Entrust profile, Entrust will seem to hang for a minute and then will recover. This behavior is not related to ActivClient and can be reproduced when storing the Entrust profile in software instead of using a smart card.

 

You cannot load an Entrust profile (for Entrust Entelligence Desktop Solution) on a Cryptoflex 8K. Existing Entrust profiles (loaded with ActivCard Gold) can be used with ActivClient.

 

When you generate an Entrust profile on the card, or when you recover such a profile, you may see several PIN prompts. (58135)

 

3.3.9.           Entrust Entelligence Security Provider

Enrolling an Entrust ID on a smart card that is full is not supported.

 

Updating a certificate on a smart card that is full is not supported.

 

Performing a recovery operation on an empty smart card with ESP v8 creates three certificates instead of two.

 

If you use Entrust with 2 key pairs and a card profile with only 3 PKI instances (the standard profile for 32K smart cards), recovery of Entrust certificates is not possible: by Entrust design, 4 PKI instances are required on the card. ActivIdentity recommends a card profile with 6 or more PKI instances (typical for 64K smart cards).

 

3.3.10.        Other PKI Applications

If Check Point VPN-1 SecureClient NG AI R55 is installed on your workstation, you can use it for smart card PKI logon to your network. In some cases it returns the error “TokenLogin: Failed to get token from filename.” This is due to a collision between ActivClient automatic certificate registration and Microsoft automatic certificate registration. To resolve it on operating systems prior to Windows Vista, disable the Microsoft mechanism by setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp, Enabled = 0, then restart your computer. On Windows Vista and later, disable the “Certificate Propagation” service. In addition, if you have just downloaded a certificate onto your card, remove the card from the reader and insert it again (which registers the certificate in Windows), then select the certificate in the Check Point GUI.

 

If you have an application using PKCS#11 with a PIV card or a smart card with ActivIdentity v2 applets, and if you lock and then unlock the Windows workstation with a password, PKCS#11 will not erase the private key attributes (CKA_ID, CKA_LABEL, CKA_SUBJECT). However, use of the RSA private key will require re-entering your PIN code.

 

If you use Microsoft Outlook Web Access to access emails via Internet Explorer, and close the Outlook Web Access session, you will see some of your certificates being removed from the local Windows CAPI store (certificates are unregistered). This is a Microsoft limitation of the S/MIME ActiveX control used by Outlook Web Access. Contact Microsoft for further information.

 

If you use Microsoft Outlook Web Access on Windows Vista (with OWA / Exchange 2007 running on Windows Server 2008), the default configuration is to use the AES algorithm. Using this algorithm to sign/encrypt emails would lead to recipients not being able to read these emails on Windows XP (AES is not supported on this Windows version). This configuration is not supported by ActivClient either. To support this OWA client and server configuration, you can configure OWA to use 3DES instead of AES – this configuration is supported by ActivClient. For more information, see http://technet.microsoft.com/en-us/library/bb738151.aspx, “S/MIME Encryption Algorithms” section. (57231)

 

3.4           ActivClient OTP Services

3.4.1.           Check Point SAA Component

If you install the ActivClient Check Point SAA module, uninstalling this module leads to errors, and the user is prompted to end the Check Point process during the uninstallation phase. To work around this, restore the userc.c file that Check Point backed up at installation (in folder <Program Files>\CheckPoint\SecuRemote\database\backup\userc.c). After uninstalling ActivClient or removing the ActivClient Check Point module (via a Modify), copy the backup file to <Program Files>\CheckPoint\SecuRemote\database to replace the current userc.c file. A reboot is needed for this update to take effect.

 

If you install the ActivClient Check Point SAA module, the Check Point client is set to the SAA authentication mode; you cannot select another authentication mode – this is a Check Point limitation.

 

3.4.2.           Automatic OTP Generation via the ActivClient Agent

If you generate a One-Time Password via the ActivClient Agent, the OTP is placed in the Windows Clipboard. Previous content of the Clipboard is no longer available for a Paste operation even after the OTP has been pasted.

 

3.5           ActivClient Common Services

3.5.1.           User Console

The certificate time (Valid from/Valid to) displayed in the ActivClient User Console may differ from the time displayed in Internet Explorer. This difference is due to Internet Explorer using GMT while the ActivClient User Console uses the local time zone.

 

After changing the log file name in the Log File Options dialog box, both a file with the new name and a file with the old name appear in the selected directory.

 

ActivClient User Console is included by default in the PIN caching “include” list. Do not remove it from the list if you intend to use the ActivClient User Console.

 

Do not remove the card from the smart card reader while it is being accessed by applications (when the ActivClient icon on the taskbar is red). Also, do not remove the card if an error message appears in the ActivClient User Console.

 

On some models of the US Department of Defense Common Access Cards, there is an extra eight digit number at the end of the serial number printed on the back of the card. This extra number is not electronically recorded on the chip and thus is not part of the serial number displayed by the ActivClient User Console.

 

If you type a log file name that is longer than 259 characters in the Log File Options dialog box, then the dialog behaves as if the logging is disabled.

 

Deleting a certificate using the ActivClient User Console does not remove the link to the certificate in Microsoft CAPI. The certificate will still appear to be present in CAPI-enabled applications such as Internet Explorer or Microsoft Outlook, even though no private key operation will be available.

 

The "Remove certificates from Windows on smart card removal" option will not remove certificates that were imported from a PKCS#12 file on the same computer.

 

ActivClient User Console has some limitations with regards to compatibility with Microsoft Narrator when navigating the menus. ActivIdentity is currently working with the third-party company providing the User Console interface to provide a solution to this problem.

 

Icons in the User Console are still displayed the first time the console is opened after they have been disabled. They are hidden on subsequent use of the User Console.

 

If you hide an icon in the User Console toolbar (via the ActivClient configuration option), and then attempt to display it again, it may not reappear. To show it again, in the User Console, go to View – Toolbars – Customize, go to the Toolbars tab, and select Reset All. Also, you may need to delete the registry key HKEY_CURRENT_USER\Software\ActivCard\Acuscons.

 

When using a CAC card from the DoD Contactless Pilot, the CHUID is not displayed in the User Console.

 

If you look at a PIV card content with the ActivClient User Console, you may see “RSA Key Pair” for the credentials that have not been personalized yet: there is no API in the PIV standard to determine if an RSA key pair has been created or not, so ActivClient displays “RSA key pair” in either case, when the certificate is not detected. This applies to the 4 PIV-defined digital certificates.

 

3.5.2.           ActivClient Agent

If you insert a smart card upside down or on the wrong side and properly reinsert the card, the ActivClient Agent icon may still display "no smart card."

 

If you insert and remove your smart card several times in the smart card reader, the ActivClient Agent icon may still display "no smart card." Remove and reinsert the card in the smart card reader and the icon will be refreshed.

 

If your system is connected to more than one smart card reader, the ActivClient Agent only supports the first smart card it detects and does not support more than one smart card connected at the same time.

 

The ActivClient Agent may fail to detect the card insertion if a card is inserted briefly and removed immediately. In this case, you may be prompted twice for the PIN when you reinsert the card.

 

The ActivClient Agent may start slowly on Vista (and later Windows versions), and the menus (available via right or left-click) may appear slowly; the ActivClient Agent icon informs the user of this status – this appears only at the beginning of the Windows session. This is due to user processes started in “BelowNormal” Priority on Windows Vista, to speed up services startup – this is a Microsoft Windows Vista design. Once all services are started, user processes such as the ActivClient Agent return to “Normal” Priority and become responsive.

 

3.5.3.           PIN Change Tool

ActivIdentity has been made aware of a Windows issue that may lead to locking a smart card after a PIN change. This issue is described at http://support.microsoft.com/kb/958281.

If your configuration is similar to the one described in the article, Microsoft recommends logging off after a PIN change.

Scenario to reproduce the issue:

1. When the workstation is connected to your network, log on to Windows with your smart card.

2. Log off.

3. Unplug the network cable.

4. Log on to Windows with your smart card (offline logon).

5. Re-plug the network cable.

6. Using any PIN change utility (for example, ActivClient PIN Change Tool or Firefox “Change Password” feature), change the smart card PIN; use a new PIN different from the old PIN.

7. Try to connect to a network resource (\\servername\); the following error message appears: “The card cannot be accessed because the maximum number of PIN entry attempts has been reached.”

8. The card is locked and needs to be unlocked before it can be used again.

 

3.5.4.           Troubleshooting Wizard

If your system is connected to more than one smart card reader, the Troubleshooting Wizard only diagnoses the first smart card it detects and does not support more than one smart card connected at the same time.

 

The Troubleshooting Wizard incorrectly reports that the smart card reader driver is not installed correctly when the smart card reader is unplugged.

 

When the smart card is removed while the Troubleshooting Wizard is running, it may display incorrect information about whether or not the card is properly inserted.

 

The Troubleshooting Wizard is included by default in the PIN caching “include list”. Do not remove it from the list if you intend to use the Troubleshooting Wizard.

 

If you use the ActivClient Troubleshooting Wizard on Windows Vista (and later Windows versions), the window may appear “Not Responding” while the troubleshooting is performed. When the troubleshooting process is complete, the results are displayed in the window, as expected.

 

3.5.5.           Diagnostics Tool

The Advanced Diagnostics Tool may freeze if your smart card reader drivers are not the latest drivers from the device manufacturer. Ensure that the latest smart card reader drivers from the device manufacturer are installed.

 

3.5.6.           Advanced Configuration Manager

In some cases, you may see a refresh issue when you update some configuration settings in the ActivClient Advanced Configuration Manager. Close and start the tool again.

 

3.6           Other

3.6.1.           Generic Smart Card Services

The ActivClient smart card automatic registration mechanism does not support double ATR smart cards. For such cards, an ActivClient update (hot fix) is needed to support a new smart card model.

 

If you use smart cards supporting only the T=1 protocol (that is do not support the T=0 protocol), you will see error messages in the event viewer, such as “Smart Card Reader ‘ActivCard ActivCard USB Reader C2 0’ rejected IOCTL SET_PROTOCOL: The request is not supported.” These errors are due to ActivClient attempting a T=0 connection before using a T=1 connection. Such errors can be ignored.

 

If you update the content of the smart card, and if the card is not recognized properly anymore after the update, then it is recommended to start the ActivClient User Console, use the “Forget state for all cards” option from the menu Tools | Advanced and remove and reinsert the smart card in the smart card reader.

 

If you use a smart card on workstation A and then update the card content (including the PIN policy) on workstation B, you may need to perform a "forget all card state" on workstation A for the changes to be visible.

 

If you update the ActivClient policy from GSC-IS preference to PIV preference (or vice versa), you will need to perform a "forget state for all cards" in the User Console to guarantee that cards previously used on the workstation will be seen with their new configuration. If you update the policy using the Advanced Configuration Manager, the “forget state” operation is performed automatically. If you update the policy by editing the Windows registry directly, or if you push the policy change (Active Directory GPO policy update), then you need to perform the “forget state” operation manually.

 

32-bit applications using ActivClient middleware services on a 64-bit operating system (using the 32-bit APIs included in ActivClient 64-bit edition) cannot leverage the ActivClient PIN caching “include list” and “exclude list”.

 

32-bit applications using ActivClient middleware services on a 64-bit operating system and using more than one API (for example, PKCS#11 and BSI) need to implement PIN authentication separately to each API if the ActivClient PIN caching is configured “per process”.

 

When using PIV cards, changing the “Enable PIN Caching” configuration option from Yes (the default) to No is not supported.

 

3.6.2.           ActivID CMS Issuance Station

When ActivClient is used on an issuance station with the ActivID Card Management System, the recommended card removal behavior option is “no action.” In addition, we recommend disabling ActivClient smart card discovery information caching; see the ActivClient Administration Guide for details.

 

When issuing a smart card with a certificate coming from the Microsoft CA, to work properly, CMS 3.8 requires a hot fix. Please contact customer support to obtain this hot fix.

 

3.6.3.           ActivID CMS My Digital ID Card

Before using ActivClient with a CMS My Digital ID Card version prior to CMS 4.0 SP3, you need to install the MFC 71 redistributable package for My Digital ID Card to work properly.

 

Support for CMS My Digital ID Card from a Windows x64 environment requires CMS version 4.2 or higher – refer to your CMS documentation for further information.

 

3.6.4.           Card auto update with ActivID CMS

On a workstation with Windows Vista and Internet Explorer 7, when ActivClient detects that a card update request is available in ActivID CMS and the user accepts the card update, ActivClient opens Internet Explorer in a full window, with all standard menus and controls, instead of opening a dedicated window without browser menus and controls. This happens only if the user does not have local administrative privileges. To fix the problem, upgrade to Internet Explorer 8: ActivClient then opens a dedicated window without browser menus and controls. (58983)

 

If you have configured ActivClient PIN Cache service in “per process” mode, then you may see multiple PIN prompts during a card update. The default configuration for ActivClient PIN Cache service is “per session” and it will not display this behavior. (59341)

 

3.6.5.           Citrix

With Presentation Server versions up to 4.0, to enable the smart card services, you must create or modify the following registry entries on the Citrix server (this is no longer required with Presentation Server 4.5 or XenApp 5.0):

1. Open the Windows Registry Editor and navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook

2. From the Edit menu, select Add Value and enter the following:

Value Name: Flag

Data Type: REG_DWORD

Data: 80000000

3. From the Edit menu, select Add Value and enter the following:

Value Name: FilePathName

Data Type: REG_SZ

Data: scardhook.dll

 

To obtain a Citrix disconnection on smart card removal, you need to have a specific configuration for ActivClient and for Windows.

1. Set the ActivClient card removal behavior to “No action” using the ActivClient Advanced Configuration Manager.

2. Set the Windows configuration to “Lock on smart card removal” by using the Microsoft Group Policy MMC snap-in: Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Smart Card Removal Behavior must be set to “Lock Workstation”.

3. On operating systems starting with Windows Vista, set the “Smart Card Removal Policy” service to Automatic to guarantee that the policy defined in step 2 is taken into account.

 

On the Citrix server, you need to disable the Microsoft automatic certificate registration. On operating systems prior to Windows Vista, set the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp, Enabled = 0 then restart your computer. On operating systems starting with Windows Vista, disable the “Certificate Propagation” service.
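The three server-side procedures above (the Citrix smart card hook registry entries, the Windows side of disconnect-on-card-removal, and disabling certificate propagation) as one script. This is an added example, not code from the ActivClient release notes or from Citrix; it assumes, beyond what the notes state, that ScRemoveOption is the Winlogon registry value behind the “Smart Card Removal Behavior” policy (“1” = Lock Workstation) and that SCPolicySvc and CertPropSvc are the service names behind “Smart Card Removal Policy” and “Certificate Propagation”. The ActivClient-side “No action” setting is still made in the Advanced Configuration Manager, as described above.

```powershell
#Requires -RunAsAdministrator
# Added example, not taken from the ActivClient release notes or from Citrix.
# Run from an elevated PowerShell prompt on the Citrix server.
# Assumptions (not stated in the notes): ScRemoveOption is the Winlogon value
# behind the "Smart Card Removal Behavior" policy ("1" = Lock Workstation);
# SCPolicySvc / CertPropSvc are the service names behind "Smart Card Removal
# Policy" and "Certificate Propagation".

$script:IsVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6

# 1. Citrix smart card hook. Needed only on Presentation Server 4.0 and earlier;
#    Presentation Server 4.5 / XenApp 5.0 no longer require it.
function Enable-CtxSmartCardHook {
    $key = 'HKLM:\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook'
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # The notes ask for REG_DWORD 0x80000000. PowerShell's DWord type is a signed
    # Int32, so the literal 0x80000000 is out of range; [int]::MinValue
    # (-2147483648) has the identical 32-bit pattern, which is what gets stored.
    New-ItemProperty -Path $key -Name 'Flag' -PropertyType DWord `
        -Value ([int]::MinValue) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'FilePathName' -PropertyType String `
        -Value 'scardhook.dll' -Force | Out-Null
}

# 2. Windows side of "disconnect on smart card removal". ActivClient's own card
#    removal behavior must separately be set to "No action" in the Advanced
#    Configuration Manager so the two do not both act on the session.
function Set-LockOnSmartCardRemoval {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # REG_SZ: "0" = No action, "1" = Lock Workstation, "2" = Force Logoff.
    Set-ItemProperty -Path $winlogon -Name 'ScRemoveOption' -Value '1' -Type String
    if ($script:IsVistaOrLater) {
        # From Vista on, the policy is enforced by a service that is Manual by default.
        Set-Service -Name 'SCPolicySvc' -StartupType Automatic
        Start-Service -Name 'SCPolicySvc'
    }
}

# 3. Stop Windows from propagating card certificates into the user's store.
function Disable-CertificatePropagation {
    if ($script:IsVistaOrLater) {
        Stop-Service -Name 'CertPropSvc' -Force -ErrorAction SilentlyContinue
        Set-Service -Name 'CertPropSvc' -StartupType Disabled
    } else {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp'
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
        Write-Warning 'The ScCertProp change takes effect after a reboot.'
    }
}

# Read back what is actually in force; a Group Policy refresh can silently
# revert step 2, so check this after the next gpupdate as well.
function Get-SmartCardServerConfig {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        ScRemoveOption = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption `
                              -ErrorAction SilentlyContinue).ScRemoveOption
        Services       = Get-WmiObject Win32_Service `
                              -Filter "Name='SCPolicySvc' OR Name='CertPropSvc'" |
                              Select-Object Name, State, StartMode
    }
}

# Typical run on a Presentation Server 4.0 host:
# Enable-CtxSmartCardHook
# Set-LockOnSmartCardRemoval
# Disable-CertificatePropagation
# Get-SmartCardServerConfig | Format-List
```

Skip Enable-CtxSmartCardHook on Presentation Server 4.5 or XenApp 5.0, where the hook is built in. The Get-SmartCardServerConfig read-back is worth keeping in a scheduled check: if a domain GPO sets the smart card removal policy, it overrides the local ScRemoveOption value on the next refresh.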

 

Because of a limitation of Citrix PC/SC smart card redirection, it is recommended to install ActivClient on a Citrix server from the physical console. Otherwise, the first use of each smart card type may not succeed until the card has been removed and reinserted, and the exact card model will not be available.

 

If you use ActivClient in a Citrix Presentation Server environment, make sure that only one smart card reader is connected on the end-user workstation (connecting to the Citrix server). If two smart card readers are connected, disconnect one reader and restart your Windows session (log off, log on again). Note: The ActivIdentity ActivKey Token installs a virtual reader that is considered as always plugged. As a consequence, do NOT install the ActivKey driver if you don’t use this device.

 

When ActivClient is installed on the Citrix server, card management operations such as certificate download or PIN change operations are not available within the Citrix session.

 

If ActivClient is installed both on the Citrix client and on the Citrix server, and you perform a Change PIN operation using ActivClient installed on the client workstation, you are prompted to re-authenticate when you next access the smart card using ActivClient on the Citrix server. Note that the PIN retry counter is decremented by 1 in the process.

 

If ActivClient is installed both on the Citrix client and on the Citrix server, and if you perform a card content change with ActivClient installed on the client workstation (for example, adding a new certificate), you will need to perform a card removal/insertion to access these card content changes.

 

If you use your smart card locally on your workstation, you will be prompted for the PIN to access the smart card again from your Citrix session – independently of your ActivClient PIN policy (PIN cache). This is due to the fact that both instances of ActivClient (on your workstation and on the Citrix server) are independent.

 

If you use a thin client with Windows CE.NET (tested with Neoware rev 7.0.3 based on Win CE 4.20), disconnect on smart card removal is not supported; do not remove the smart card during a Citrix session. To correctly disconnect or logoff, you must use the Citrix disconnect or logoff menu and then remove the smart card.

 

If you use a thin client with Windows CE (tested with Wyse S30 based on Win CE 5.0), certificate download on the smart card may require several PIN entries.

 

If you use your smart card to login to the Citrix session with a PKI login, a new PIN prompt will appear for additional smart card services inside the Citrix session. This is related to the design of Windows Terminal Server.

 

If you use Citrix in published application mode, you are not logged off when you close the last application, because some ActivClient services (acevents.exe and accrdsub.exe) remain active in the user's context. A workaround is described in Citrix Knowledge Base article CTX891671.

 

Under some stress conditions (network bandwidth, latency, load of the Citrix server), card events such as card removal may be reported with a few seconds delay to ActivClient. Until ActivClient is aware of those changes, it will try to function as if the card was still present in the reader.

 

Before accessing a Citrix server via the web interface, the card should be removed from the smart card reader and reinserted only when prompted. Failure to do so may freeze the session. This limitation has been fixed in recent versions of Citrix Presentation Server and XenApp Server.

 

If you open a session on the Citrix server from computer A with a smart card, then move to computer B and establish a session to the same Citrix server, you will have to type your PIN twice.

 

When ActivClient is installed on a Citrix server, events such as the following may appear in the server's Event Viewer: “Unable to start a DCOM Server. The error ‘the system cannot find the path specified’ happened while starting command C:\Program Files\ActivIdentity\ActivClient\acevents.exe”. This event has no impact on ActivClient functionality.

 

If you enable ActivClient log files on a Citrix server, be aware that log files will grow very fast due to the logging of all users’ operations. Only enable logging when prompted by ActivIdentity customer support.

 

On slow networks (satellite, UMTS, wireless links), if you face performance issues, you may want to customize the ReaderListPollingPeriod parameter. In remote sessions (Terminal Server / Citrix), ActivClient detects reader plugging/unplugging by polling the Microsoft Smart Card Service (SCardSvr). Normally these calls return immediately and do not interfere with other processes; on slow networks each call may take several hundred milliseconds. By default, on terminal servers, readers are polled every 30 seconds (30000 ms). You can change this interval with the following registry value, in milliseconds: HKLM\Software\ActivCard\ActivClient\EventService\ReaderListPollingPeriod (DWORD). This value is used only on the server: when ActivClient is installed on user workstations it is ignored, because a Windows device notification API is used instead to detect reader plugging/unplugging (that API is not applicable to remote sessions). Note: increasing the polling period delays detection of reader plugging/unplugging on the remote machine.

 

If you use a Wyse thin terminal with Wyse ThinOS, we recommend using Wyse ThinOS firmware version 6.4 or higher.

 

On Windows Vista SP1, Citrix does not support the pass-through configuration with Citrix Client v10. For more information, see http://support.citrix.com/article/CTX112067. (58391)

 

If you access Citrix XenApp from a Red Hat Linux client, you need to check the following parameters (59426):

·         Make sure that you use PCSC-lite version 1.2.9 or higher.

·         Also, to work around a Red Hat limitation on the supported APDU size, you may need to customize ActivClient installed on the server: using a registry editor, locate in HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\ASPH\AspCards the configuration for the card you are deploying, and set MaxReadSize and MaxUpdateSize for that card to the value #64.

 

If you access Citrix XenApp from a Mac client with MacOS 10.5 and Citrix Client 10.00.603, make sure that you install the “Mac OS X Update Combined 10.5.7”. If you don’t install this update, some smart card operations will not work in the Citrix session. (59428)

 

3.6.6.           Microsoft Terminal Server and RDP

When ActivClient is installed on the Terminal Server, card management operations such as certificate download or PIN change operations are not available within the RDP session.

 

If ActivClient is installed both on the RDP client and on the Terminal Server, and you perform a Change PIN operation using ActivClient installed on the client workstation, you are prompted to re-authenticate when you next access the smart card using ActivClient on the Terminal Server. Note that the PIN retry counter is decremented by 1 in the process.

 

If ActivClient is installed both on the RDP client and on the Terminal Server, and if you perform a card content change with ActivClient installed on the client workstation (for example, adding a new certificate), you will need to remove and insert again your card to access these card content changes.

 

If you use your smart card to login to the RDP session, a new PIN prompt will appear for additional smart card services inside the RDP session. This is related to the design of Windows Terminal Server.

 

If you use smart card services inside a RDP session, some PIN-protected operations may require a new authentication even if an authentication already occurred.

 

When ActivClient is installed on a Terminal Server, events such as the following may appear in the server's Event Viewer: “Unable to start a DCOM Server. The error ‘the system cannot find the path specified’ happened while starting command C:\Program Files\ActivIdentity\ActivClient\acevents.exe”. This event has no impact on ActivClient functionality.

 

If you use the Windows Remote Desktop Connection client 6.0 (shipped with Windows Vista, also available as a software update on Windows XP) to connect to another workstation or to a server running Windows Terminal Server, ActivClient must be installed on the client workstation for the smart card services to work in the RDP session. This limitation does not exist with Remote Desktop Connection client 5.0. To work around it, on the client machine save the remote desktop connection (.rdp file), open it with Notepad, add the line “enablecredsspsupport:i:0”, save the file and use it whenever you open the connection. This setting disables CredSSP (Network Level Authentication) for that connection, so no local authentication takes place and authentication happens only on the remote desktop. Note that a server configured to require Network Level Authentication will refuse such a connection.
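The .rdp edit described above, done safely from PowerShell on the client workstation. This is an added example, not code from the release notes or from Microsoft; it assumes the saved file uses the usual one “name:type:value” setting per line, which is what mstsc writes.

```powershell
# Added example, not taken from the ActivClient release notes or from Microsoft.
# Rewrites a saved .rdp file so that it carries enablecredsspsupport:i:0, which
# turns CredSSP / Network Level Authentication off for that connection and lets
# the smart card logon happen on the remote desktop, where ActivClient runs.
# Idempotent: an existing enablecredsspsupport line is rewritten (duplicates are
# collapsed), a missing one is appended, every other setting is left untouched.
# Assumption: the file uses one "name:type:value" setting per line.
function Disable-RdpCredSsp {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "RDP file not found: $Path"
    }
    $setting = 'enablecredsspsupport:i:0'
    $found   = $false
    $out = @(
        foreach ($line in @(Get-Content -LiteralPath $Path)) {
            if ($line -match '^\s*enablecredsspsupport:i:\d+\s*$') {
                if (-not $found) { $setting }   # first hit: rewrite; later hits: drop
                $found = $true
            } else {
                $line
            }
        }
    )
    if (-not $found) { $out += $setting }
    # mstsc saves .rdp files as UTF-16 LE; keep that encoding so it reads them back.
    Set-Content -LiteralPath $Path -Value $out -Encoding Unicode
    [pscustomobject]@{ Path = $Path; Replaced = $found; SettingCount = $out.Count }
}

# Usage on the client workstation, then open the connection with the saved file:
# Disable-RdpCredSsp -Path "$env:USERPROFILE\Documents\tsrv01.rdp"
# mstsc "$env:USERPROFILE\Documents\tsrv01.rdp"
```

Keep the modified file for the affected Terminal Server only: the setting applies per connection file, and a host that requires Network Level Authentication will reject it with an NLA error rather than fall back.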

 

If you enable ActivClient log files on a Windows Terminal Server, be aware that log files will grow very fast due to the logging of all users’ operations. Only enable logging when prompted by ActivIdentity customer support.

 

On slow networks (satellite, UMTS, wireless links), if you face performance issues, you may want to customize the ReaderListPollingPeriod parameter. In remote sessions (Terminal Server / Citrix), ActivClient detects reader plugging/unplugging by polling the Microsoft Smart Card Service (SCardSvr). Normally these calls return immediately and do not interfere with other processes; on slow networks each call may take several hundred milliseconds. By default, on terminal servers, readers are polled every 30 seconds (30000 ms). You can change this interval with the following registry value, in milliseconds: HKLM\Software\ActivCard\ActivClient\EventService\ReaderListPollingPeriod (DWORD). This value is used only on the server: when ActivClient is installed on user workstations it is ignored, because a Windows device notification API is used instead to detect reader plugging/unplugging (that API is not applicable to remote sessions). Note: increasing the polling period delays detection of reader plugging/unplugging on the remote machine.

 

If you use a Wyse thin terminal with Wyse ThinOS, we recommend using Wyse ThinOS firmware version 6.4 or higher.

 

If you access a Terminal Server from a Red Hat Linux client, you need to check the following parameters (59426):

·         Make sure that the rdesktop client supports smart card redirection: rdesktop version 1.6.0 or higher.

·         In some distributions, rdesktop is built without smart card redirection; you then need to recompile rdesktop with the --enable-smartcard configure option. Refer to the rdesktop documentation for details.

·         Make sure that you use PCSC-lite version 1.2.9 or higher.

·         Also, to work around a Red Hat limitation on the supported APDU size, you may need to customize ActivClient installed on the server: using a registry editor, locate in HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\ASPH\AspCards the configuration for the card you are deploying, and set MaxReadSize and MaxUpdateSize for that card to the value #64.

 

3.6.7.           Notification Services

Smart Card and Certificates Expiration Notification: For CAC cards, if the user did not perform a Windows PKI logon, then ActivClient uses the smart card certificate expiration date to determine the smart card expiration date.

 

Unattended Smart Card Notification: When you disconnect from a Citrix Presentation Server or a Windows Terminal Server or Remote Desktop session, ActivClient does not display a notification if the smart card is left in the smart card reader.

 

Unattended Smart Card Notification: On Windows Vista (and later Windows versions), the “unattended smart card” notification is not displayed (when the card is left in the card reader at lock, logoff or shutdown), due to Windows Vista design with regards to performance improvements. Instead, a beep is used to notify the user.