ActivIdentity ActivClient CAC 6.1 x64  (BN 39)

2007-06-25

 -------------------------- Release Notes --------------------------

 

TABLE OF CONTENTS

 

 

1.     SUPPORT SERVICES

2.     WHAT’S NEW IN THIS RELEASE

2.1        What’s New in ActivClient 6.1 and ActivClient CAC 6.1

2.2        What’s New in ActivClient PKI Only 6.0 and ActivClient for CAC – PKI Only 6.0

2.3        What’s New in ActivClient Mini 5.5

3.     KNOWN PROBLEMS, SYSTEM REQUIREMENTS AND LIMITATIONS

3.1        Supported Platforms

3.2        Installation and Uninstallation

3.2.1.        Installing

3.2.2.        Upgrading

3.2.3.        Uninstalling

3.2.4.        Repairing

3.2.5.        Software Deployment with Microsoft SMS

3.2.6.        Smart Card readers and drivers

3.3        ActivClient PKI Services

3.3.1.        Automatic Certificate Availability

3.3.2.        Windows PKI Logon

3.3.3.        Microsoft Outlook

3.3.4.        Microsoft Outlook Usability Enhancements

3.3.5.        Internet Explorer

3.3.6.        Windows EFS

3.3.7.        Firefox / Mozilla / Thunderbird / Netscape

3.3.8.        Entrust Entelligence Desktop Solution

3.3.9.        Entrust Entelligence Security Provider

3.3.10.      Other PKI applications

3.4        ActivClient OTP Services

3.4.1.        Check Point SAA component

3.4.2.        Automatic OTP generation via the ActivClient Agent

3.5        ActivClient Common Services

3.5.1.        User Console

3.5.2.        ActivClient Agent

3.5.3.        Troubleshooting Wizard

3.5.4.        Diagnostics Tool

3.5.5.        Advanced Configuration Manager

3.6        Other

3.6.1.        Generic Smart Card Services

3.6.2.        CMS Issuance station

3.6.3.        CMS My Digital ID Card

3.6.4.        Citrix

3.6.5.        Microsoft Terminal Server and RDP

3.6.6.        Notification Services

 

 

1.             SUPPORT SERVICES

Offices

 

ActivIdentity North America

Corporate Headquarters

6623 Dumbarton Circle

Fremont, CA 94555 USA

TEL: +1 (510) 574-0100

FAX: +1 (510) 574-0101

 

ActivIdentity Europe

European Corporate Headquarters

24-28 Avenue du General de Gaulle

92156 SURESNES, Cedex FRANCE

TEL: +33 (0) 1-42-04-84-00

FAX: +33 (0) 1-42-04-84-84

 

ActivIdentity Australia

Asia/Pacific Corporate Headquarters

7 Phipps Close

Deakin ACT 2600 AUSTRALIA

TEL: +61-2-62084888

FAX: +61-2-6281-7460

 

For technical support contact: support@actividentity.com

 

 

2.             WHAT’S NEW IN THIS RELEASE

Note that this section may refer to functionality present in other editions of ActivClient that is not available in your edition.

 

2.1           What’s New in ActivClient 6.1 and ActivClient CAC 6.1

ActivClient 6.1 provides the following improvements compared to ActivClient 6.0.

 

Support for Windows Vista (all editions). This also includes support for the new smart card services available in Windows Vista, such as:

·         Support for Internet Explorer 7 in protected mode,

·         Support for Encrypting File System (EFS),

·         Support for Fast User Switching with smart card PKI login,

·         Support for User Account Control (UAC) wherever applicable.

 

Support for 64-bit versions of Windows: Windows Vista (all editions) and Windows Server 2003.

·         This functionality is provided via a separate installer package, dedicated to the 64-bit operating systems.

·         32-bit wrappers are also available for the ActivClient APIs, for compatibility with 32-bit applications running on the 64-bit operating system.

·         Entrust Desktop Solution support module not available in the 64-bit edition.

·         Outlook usability enhancements not available in the 64-bit edition.

·         Check Point SAA support module not available in the 64-bit edition.

·         Netscape, Mozilla, Firefox and Thunderbird are supported with the ActivClient PKCS#11 library (64- or 32-bit). However, ActivClient 64-bit does not automatically register the PKCS#11 library with these applications; manual registration is required.

 

Support for Cryptoflex cards (8K, 16K and ActivKey v1) previously deployed with ActivCard Gold 2.3.1.

·         The digital certificates (PKI) and one-time password (OTP) credentials are supported transparently in ActivClient.

·         Static credentials are not supported by ActivClient. Note that SecureLogin SSO provides Single Sign On functionality and is compatible with ActivClient, including with Cryptoflex cards.

·         Note: a utility is available in the ActivClient Resource Kit to retrieve static credentials stored on an ActivCard Gold smart card.

 

Support for new Java Card configurations

·         Support for the U.S. Department of Defense Common Access Card (CAC) configured with the PIV End-Point applet. ActivClient can be configured to use these CAC cards either in a GSC-IS 2.1 compliant mode or in a PIV compliant mode. The ActivClient CAC package enables the GSC-IS compliant mode by default; the ActivClient package enables the PIV compliant mode by default.

·         Support for the Card Identification Number / Issuer Identification Number (CIN/IIN), compliant with GlobalPlatform 2.1.1, as a unique smart card identifier. For smart cards that do not have a CIN, the CUID is still supported by ActivClient.

 

One-Time Password improvements:

·         Ability to generate a One-Time Password (OTP) via the ActivClient Agent icon in the Windows system tray.

·         Support for the Check Point SAA API, providing an advanced level of integration with Check Point VPN-1 SecureClient.

 

Packaging and installation improvements

·         Localizable product: ActivClient 6.1 is now fully localizable. A Localization Kit is available – please contact ActivIdentity for more information.

·         Reduced footprint: The installer package for ActivClient 6.1 is less than 10 MB.

·         Device drivers (for smart card readers and ActivKey) are no longer included in the ActivClient installer package. Device drivers are available directly in Windows, via Windows Update, and through the ActivIdentity Device Installer (a separate installer package included in the ActivClient CD image). Note that when upgrading from previous ActivClient / ActivCard Gold versions that included device drivers, the ActivClient installer offers to install drivers with the ActivIdentity Device Installer, to guarantee a smooth upgrade.

 

Support for new environments

·         ActivIdentity products: ActivID CMS 4.0 SP3, SecureLogin SSO 6.1, 4Tress AAA Server 6.5

·         Operating systems: Windows Vista x86, Windows Vista x64, Windows Server 2003 SP2 x86, Windows Server 2003 SP2 x64

·         Remote access (with PKI): Check Point VPN-1 SecuRemote / SecureClient NG AI R56 HFA-03 and NGX R60 HFA-01, Windows Vista dialer and VPN client, Nortel Contivity VPN for Windows v6.01_102

·         Check Point SAA integration (with OTP): Check Point VPN-1 SecuRemote / SecureClient NG AI R56 HFA-03 and NGX R60 HFA-01

·         Browsers: Internet Explorer 7 for Windows Vista, Netscape 8, Firefox 2

·         Email clients: Microsoft Outlook 2007, Netscape 8

·         Citrix: Citrix Presentation Server 4 (x64), Citrix Presentation Server Client v10.0

·         Windows Terminal Server and Remote Desktop: Terminal Server included in Windows Server 2003 x64, Remote Desktop Connection software on Windows Vista (x86 and x64)

·         Other PKI-enabled clients: Entrust Entelligence Security Provider 8.0, Microsoft Office 2007

·         Smart Cards: Gemalto Cyberflex Access 128 K, Oberthur CosmopolIC ID-One 64K v5.4, Sagem PIV Applet version 01 on J-IDMark 64 PIV (card used in PIV mode), StepNexus PIV Application v4.2.1 on Keycorp MULTOS 64K Smart Card (card used in PIV mode), Cryptoflex 8K and 16K and ActivKey v1 (deployed previously with ActivCard Gold 2.3.1)

·         Support for new cards in the PIN Initialization Tool (configuration where the tool loads the applets on the card): Gemplus GemCombi'Xpresso R4 E72 PK, Giesecke & Devrient SmartCafe Expert 64K FIPS-1024

·         Support for Windows Vista (x86 and x64) with the following ActivIdentity Devices: ActivIdentity USB Reader v2 and v3, ActivIdentity PCMCIA Reader v2, ActivKey v1 and v2, ActivKey SIM. Note that the ActivIdentity PCMCIA Reader v1 and Serial Reader (aka SmartReader) are NOT supported on Windows Vista

·         Software distribution: Microsoft SMS 2003 SP2

 

Minor improvements

·         The Diagnostics Tool reports the OTP information such as counter and clock, for easier troubleshooting.

·         The user interface of the Diagnostics Tool and Advanced Configuration Manager has been updated to use a tree-based approach, providing increased usability and modularity.

·         Certificate thumbprint and thumbprint algorithm are now displayed in the ActivClient User Console.

·         If an incorrect PIN is entered, ActivClient now reports how many PIN attempts are left before the card locks.

·         User Console now displays extended ASCII characters when used in certificate attributes.

 

Two ActivClient 6.1 packages are available: ActivClient 6.1 and ActivClient CAC 6.1. In the CAC edition:

·         Installation and trust of the DoD Root certificates.

·         Certificate and card expiration notification is enabled by default

·         The configuration option “Prefer GSC-IS over PIV EndPoint” is enabled (it is disabled in ActivClient)

·         The documentation is different in each edition to reflect the feature set of each edition.

 

 

Bug fixes and minor enhancements
The following is a list of ActivClient issues fixed in this release, followed by the ActivIdentity hot fix reference (if a hot fix has been previously released).

 

Fixes from ActivClient 6.0 (FIXS0611000; FIXS0612000; FIXS0612002; FIXS0612006; FIXS0701000; FIXS0701002; FIXS0701008; FIXS0702003; FIXS0702007; FIXS0702008; FIXS0702013; FIXS0702014; FIXS0702015; FIXS0703000; FIXS0703012; FIXS0703013; FIXS0703014; FIXS0704009; FIXS0704010)

·         Outlook enhancements: no longer prevents reading read-only emails in Public Folders.

·         ACoutCom.dll is digitally signed to avoid Outlook pop-up warnings.

·         BSI information is no longer retrieved from the cache.

·         The XAUTH or PIN access right is managed correctly.

·         Better error handling if the default certificate cannot be read from the registry.

·         Card discovery information is no longer stored if a communication error occurred.

·         Fixed issues with the definition of the default container on CAC cards.

·         The default certificate is recognized after post-issuance.

·         Fixed a hang with contactless readers.

·         Fixed an endless “Please Wait” when using a contactless reader.

·         Avoids spurious entries in the Security event log.

·         Improvements to guarantee that the PIN is not available via memory dump.

·         Demographic data are no longer stored in memory cache.

·         PIN obfuscation is now enabled by default.

·         PIN obfuscation no longer produces errors in Windows Event Viewer.

·         Fix around the ActivClient Enter PIN dialog box that did not appear in specific use cases.

·         Settings are no longer reset after installing a hot-fix.

·         Standard Profile now supports 16 PKI credentials.

·         “About” dialog box displays the correct version number, even when hot fixes are installed.

·         The smart card agent no longer terminates unexpectedly if no software is installed to read RTF files.

·         Added an access rights check on the Demographic applets to verify whether the card is a CAC.

·         PKCS#11 v2.11: CKF_PROTECTED_AUTHENTICATION_PATH is now configurable.

·         CSP: GetKeyParam(KP_KEYLEN) is now supported.

·         The ‘Import Certificates’ menu in the User Console is no longer grayed out in a Terminal Server or Citrix configuration.

·         Compatibility fix for ActivClient Bio Add-On 1.5.

·         Support for Gemalto PIV card.

·         Support for Gemalto Cyberflex Access 128K

 

Fixes from ActivClient Mini 5.5 (FIXS0610017; FIXS0611010)

·         Support for the Giesecke & Devrient SmartCafe Expert 64K FIPS-1024 card. This card can be initialized.

·         ACOMX can now detect whether the inserted card has the “Never Unlock PIN” access right.

·         Added traces for the ACOMX and BSI APIs.

 

Fixes from ActivClient 5.4 (FIXS0703002; FIXS0703001; FIXS0702016; FIXS0612008; FIXS0612007; FIXS0611007; FIXS0611006; FIXS0611002; FIXS0611001; FIXS0610032; FIXS0610031; FIXS0610020; FIXS0610019):

·         PKCS11: Fixed crash in C_GetSlotList if the card is removed/inserted/removed.

·         Fixed a regression: crash on Change PIN if the PIN had already been prompted.

·         Outlook no longer crashes if a contact does not contain an email address.

·         Added PIV Transitional Data Model (0x10) support.

·         Support for the Giesecke & Devrient Tiger FIPS 1024-bit card.

·         ActivClient and Kiosk interoperability fix: middleware no longer crashes when card is removed during C_Initialize call.

 

Fixes from ActivClient 5.3.1 (FIXS0703011; FIXS0701004; FIXS0611014; FIXS0611003):

·         CSP: Returns SILENT_CONTEXT error instead of displaying Select Card dialog box if workstation is locked.

·         Correctly handles the event raised when a reader is plugged in with a card already inserted.

 

Fixes from ActivCard Gold 2.3.1 SP1 (FIXS0703006):

·         Fixed incorrect characters in the OTP when the counter is higher than 0x80000000.

 

 

2.2           What’s New in ActivClient PKI Only 6.0 and ActivClient for CAC – PKI Only 6.0

ActivClient PKI Only 6.0 is a superset of ActivClient Mini. As such, all the improvements of ActivClient Mini 5.5 are also present in ActivClient PKI Only 6.0.

 

ActivClient PKI Only 6.0 provides the following improvements:

·         PIV Endpoint card support (tested at the time of release with the Oberthur ID-One Cosmo 64 v5 and the Gemalto GemCombi'Xpresso R4 E72 PK)

·         PIV API support

·         FIPS 201 certified by NIST

·         DoD PIV Transitional card support

·         Support for PIV Demographic Data in My Personal Info

·         Support for the DoD Middleware requirements v3.0

·         Support for the new 64K CAC cards

·         Support for PIV Endpoint and Transitional cards in the ActivClient Card auto-register

·         Microsoft Outlook Enhancement Improvements

·         PIN Initialization tool can now initialize standalone cards (S1 / S5 / O5, etc.)

·         New end-user notification system (when no smart card reader is connected, when the smart card or the certificates are about to expire or when the smart card is left in the smart card reader while disconnecting from the workstation or when the screen is locked)

 

ActivClient for CAC – PKI Only 6.0 is very similar to ActivClient PKI Only 6.0. In the CAC edition:

·         Installation and trust of the DoD Root certificates.

·         Smart card reader drivers are not installed, to comply with the US DoD middleware requirement specification v3.0

·         Certificate and card expiration notification is turned on by default

·         The documentation is different in each edition to reflect the feature set of each edition.

 

Updated environment:

·         ActivIdentity CMS 4.0 Support

·         ActivIdentity SecureLogin SSO 6.0 SP1 Support

·         Support for new web browsers (Internet Explorer 7 Beta 3, Firefox 1.7.3, Mozilla 1.7.3, Netscape 7.1 and 4.76)

·         Support for Thunderbird 1.5.0.4

·         Support for Entrust Desktop 7.1 and Entrust Java Toolkit 7.1

·         Support for Windows 2003 R2

·         Support for Citrix Presentation Server Client Packager - Version 9.200

 

New smart cards:

·         Smart cards with PIV application

·         ActivIdentity USB Key SIM V3

 

New smart card readers:

·         Omnikey CardMan 5321 RFID (contact and contactless)

·         SCM SDI010 (contact and contactless)

·         SCM SCR3311

·         SCM SCR3340 (ExpressCard format)

·         Precise 200 Series bio reader

·         Precise 100XS swipe reader

 

 

Upgrades:

ActivClient 6.0 setup supports upgrades from a previous version of ActivClient. The ActivClient setup automatically detects the previous version and replaces it during install. Unless your setup was customized, previous settings will be lost. ActivClient will apply typical settings instead. With ActivClient, you can upgrade from:

·         ActivCard Gold 2.2 CAC (and any SP)

·         ActivCard Gold 2.3.1 (any SP)

·         ActivCard Gold for CAC - PKI Only 3.0 (any FP)

·         ActivCard ActivClient 5.4 PKI Only

·         ActivClient 5.5 Mini

For all other versions not mentioned in the above list, you must uninstall them prior to installing ActivClient.

 

Bug fixes and minor enhancements:

The following is a list of ActivClient issues fixed in this release, followed by the ActivCard hot fix reference (if a hot fix has been previously released).

 

Fixes from ActivClient 6.0 BN 50 (FIXS0610018, FIXS0610030, FIXS0610038)

·         Added support for new custom card profiles (201100000000000000000052, 2011000000000000000000C1)

·         Added support for the Giesecke & Devrient card with Mini Profile

·         Added a PIV API Java wrapper

·         Improved support for PIV End Point cards (including support for SHA-256 signed buffers)

·         Improved interoperability with AAA Server (standalone initialization support)

·         Improved interoperability with ActivIdentity Kiosk

·         Improved interoperability with ActivIdentity SCPL

·         Improved interoperability with ActivIdentity SecureLogin SSO

·         Fixed an acevent service hang for Citrix on Windows 2000

·         Fixed an ActivKey v2 and ActivKey SIM driver issue (compatibility with anti-virus software)

·         Fixed a SmartReader driver installation issue

Note: ActivClient 6.0 is available both as a MSI (for new installations) and as a MSP (for upgrades from BN50).

 

Fixes from ActivClient Mini 5.5 (FIXS0609002, FIXS0607011, FIXS0606005):

·         New configuration for the polling period of the smart card reader plug/unplug detection.

·         Resolve an issue that prevented booting in Safe Mode.

·         Added support for the Gemplus GemXpresso 64k R4 E72 PK card and for profile 2010000000000000000000BF.

 

Fixes from ActivClient PKI Only 5.4 (FIXS0506003, FIXS0506009, FIXS0506013, FIXS0506030, FIXS0509008, FIXS0509015, FIXS0510011, FIXS0510013, FIXS0510017, FIXS0510020, FIXS0511005, FIXS0512005, FIXS0512007, FIXS0512011, FIXS0512012, FIXS0601003, FIXS0601004, FIXS0601006, FIXS0601007, FIXS0601011, FIXS0601012, FIXS0601016, FIXS0601017, FIXS0601020, FIXS0602001, FIXS0602004, FIXS0602006, FIXS0602007, FIXS0602009, FIXS0602010, FIXS0602012, FIXS0602019, FIXS0602020, FIXS0603001, FIXS0603003, FIXS0603009, FIXS0603028, FIXS0603034, FIXS0603037, FIXS0604001, FIXS0604009, FIXS0605000, FIXS0605011, FIXS0606002, FIXS0606004, FIXS0606008, FIXS0606012, FIXS0607009, FIXS0607017, FIXS0607021, FIXS0608001, FIXS0608003, FIXS0608004, FIXS0608006, FIXS0608008, FIXS0608010, FIXS0608017, FIXS0609008, FIXS0609011, FIXS0609014):

·         PKCS#11 and applets V1: improved performance when returning the amount of free space on the smart card

·         PKCS#11 v2.11: C_WaitForSlotEvent now reports the unplugging of a smart card reader.

·         Outlook Enhancement: Now uses email address instead of name for searching contact.

·         CSP: Returns SILENT_CONTEXT error instead of displaying Select Card dialog box if workstation is locked.

·         Modified to use the Signing certificate for Windows PKI logon with V2 CAC cards.

·         Fixed an ActivClient hang with PKCS#11 when used by SecureLogin SSO.

·         Improved performance of PKCS#11 with SecureLogin SSO.

·         PKCS#11: solved a crash if the PKCS#11 DLL is unloaded before the application calls C_Finalize.

·         PKCS#11 2.01: Avoids a BSOD with continuous smart card insertion/removal at the GINA (AA Client).

·         CAC V1: User console correctly displays Personal Info even if some demographic applets are missing.

·         The data cache is always freed on card removal. Certificate data are correctly stored in the data cache. Improved PKI unlock performance.

·         Applets V1: the default certificate flag is no longer stored in the data cache, so that the end user can change this value.

·         Solved blue screen on ActivKey removal in some rare cases

·         Added the ability to restrict the smart card readers that ActivClient may use (AuthorizedReadersList feature).

·         Resolved system unresponsiveness during screen PKI unlock in some rare cases.

·         No longer need to re-install all USB drivers after uninstalling the ActivIdentity USB Reader V3.

·         PKCS#11: Private keys are no longer incorrectly reported as exportable.

·         The static unlock code is now correct after resetting and re-initializing a card on which dynamic unlock could not be performed.

·         Outlook Usability Enhancements: Now retrieves the sender email address from the certificate if available.

·         PKCS#11 2.11: Add limited support for CKU_SO.

·         Change PIN at first use is now displayed after a Windows PKI unlock.

·         Ensures that the PIN code does not remain in cleartext in memory.

·         Added the ability to prevent the user from reusing the current PIN code when performing a Change PIN operation.

·         Added support for the Windows+L shortcut to lock workstation on XP.

·         Solved a crash on PKCS#11 when the smart card is removed from the reader during a C_Finalize call.

·         Solved a 30 seconds delay on boot.

·         The ActivClient CSP now uses DER encoding for CKA_SERIAL_NUMBER, as required by PKCS#11 for X.509 certificates.

·         Added the option to prevent the user from cancelling the Change PIN After First Use operation (DisableCancelChangePINatFirstUse).

·         Added the option to send the PIN to the smart card even if the PIN is shorter than the Minimum PIN Length (DisablePINPolicyVerificationBeforePINCheck).

·         Improved SCPL performance at OS boot time.

·         SecureLogin SSO: Retrieves the Trinity Windows credentials stored on the smart card for migration.

·         Added a confirmation message after a successful Change PIN on first use after a Windows PKI logon.

·         PKCS#11: Sets the CKF_PROTECTED_AUTHENTICATION_PATH flag in the CK_TOKEN_INFO flags.

·         PKCS#11 SDK: Allow signing with CKM_RSA_X_509 mechanism.

·         Added support for Card Profile 2011000000000000000000B8 (This may require Entrust Entelligence Desktop Manager 7.0 patch 97257).

·         Added configuration to turn off the certificate pre-caching before Windows login.

·         SDK: PKCS#11 2.11: C_Login can be called with a NULL PIN and will display the ActivClient Enter PIN dialog.

·         CAC Profile V2: The ActivClient User Console now displays correctly the name of the encryption certificate and signature certificate.

·         Added a configuration to turn off smart card auto-registration (this prevents PC/SC from taking 100% CPU for some types of cards).

·         Added support for use of both synchronous/asynchronous OTP with the same smart card.

·         gscBsiGcReadValue now returns zero instead of UNKNOWN_ERROR if the value length is zero.

·         Lock the workstation on card removal if the card is used for PKI logon/unlock, even in 'PIN per process' mode.

·         Added support for Card Profile 2010000000000000000000BE and for the Axalto Cyberflex Access 64K v2c smart card.

·         Added support for the Card Profile 201100000000000000000038.

·         OTP logins are not displayed anymore if the option to display the logins is disabled.

·         The smart card is now logged out if the Change PIN On First Use dialog box is cancelled after a Windows PKI logon.

·         Added support for the Oberthur CosmopolIC 64K V5.2 Fast ATR and for Card Profile 2011000000000000000000A9.

·         SDK: PKCS#11 2.11 Fixed an issue when writing a certificate to the smart card using PKCS#11.

·         PIN per process configuration: PIN is now prompted even if the Screen Saver password is turned on.

·         PIN per process configuration: Entering a wrong PIN in a PKCS#11 application no longer affects other PKCS#11 applications.

·         Fixed an issue that made the system unresponsive during screen unlock in some rare cases.

·         Outlook Enhancement: Auto Decrypt feature no longer removes the signature from the e-mail.
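Three of the PKCS#11 fixes in the list above (private keys no longer reported as exportable, CKF_PROTECTED_AUTHENTICATION_PATH set in the token flags, C_Login accepting a NULL PIN and showing the ActivClient Enter PIN dialog) describe a contract that the calling application has to honour on its side. The following is an added example written for this page, not ActivClient or ActivIdentity code: it loads a PKCS#11 module through ctypes, reads CK_TOKEN_INFO, logs in with a NULL PIN when the token advertises a protected authentication path and with the supplied PIN otherwise, then lists the CKA_SENSITIVE / CKA_EXTRACTABLE attributes of every private key so a deployment can confirm that nothing is advertised as extractable. The module path, the presence of a reader with a card, and the cap of 32 key handles are assumptions; login_arguments() and key_policy_violation() are pure and run without any hardware.

```python
"""PKCS#11 caller-side checks for the fixes listed above (added example, not
ActivClient code).  Assumptions: module_path names the deployed PKCS#11
library and a reader with a card is attached.  login_arguments() and
key_policy_violation() are pure and need neither."""
import ctypes
import sys

# Cryptoki v2.11 constants used here (values from the PKCS#11 specification)
CKR_OK, CKF_SERIAL_SESSION, CKU_USER, CKO_PRIVATE_KEY = 0x00, 0x04, 1, 3
CKF_PROTECTED_AUTHENTICATION_PATH = 0x100      # bit in CK_TOKEN_INFO.flags
CKA_CLASS, CKA_SENSITIVE, CKA_EXTRACTABLE = 0x000, 0x103, 0x162
CK_ULONG = ctypes.c_ulong      # "unsigned long": 4 bytes on Win64, 8 on LP64
WINDOWS = sys.platform == "win32"   # Cryptoki headers pack(1) on Windows only


class CK_TOKEN_INFO(ctypes.Structure):
    if WINDOWS:
        _pack_ = 1
    _fields_ = ([("label", ctypes.c_char * 32), ("manufacturerID", ctypes.c_char * 32),
                 ("model", ctypes.c_char * 16), ("serialNumber", ctypes.c_char * 16),
                 ("flags", CK_ULONG)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount",
                   "ulMaxRwSessionCount", "ulRwSessionCount", "ulMaxPinLen",
                   "ulMinPinLen", "ulTotalPublicMemory", "ulFreePublicMemory",
                   "ulTotalPrivateMemory", "ulFreePrivateMemory")]
                + [("versions", ctypes.c_ubyte * 4),   # hardware + firmware CK_VERSION
                   ("utcTime", ctypes.c_char * 16)])


class CK_ATTRIBUTE(ctypes.Structure):
    if WINDOWS:
        _pack_ = 1
    _fields_ = [("type", CK_ULONG), ("pValue", ctypes.c_void_p), ("ulValueLen", CK_ULONG)]


def login_arguments(token_flags, pin=None):
    """(pPin, ulPinLen) to hand to C_Login.  With CKF_PROTECTED_AUTHENTICATION_PATH
    the middleware collects the PIN itself (ActivClient shows its Enter PIN dialog
    on a NULL PIN), so the application passes NULL/0 and must not prompt."""
    if token_flags & CKF_PROTECTED_AUTHENTICATION_PATH:
        return None, 0
    if not pin:
        raise ValueError("no protected authentication path: a PIN is required")
    raw = pin.encode("utf-8")
    return raw, len(raw)


def key_policy_violation(sensitive, extractable):
    """A card-resident private key must be CKA_SENSITIVE=TRUE and
    CKA_EXTRACTABLE=FALSE; anything else advertises a key that could leave the token."""
    return (not sensitive) or extractable


def _ok(rv, call):
    if rv != CKR_OK:
        raise RuntimeError("%s failed: CKR 0x%08X" % (call, rv))


def _bool_attr(attr, attr_type):
    """Point a CK_ATTRIBUTE at a fresh CK_BBOOL; the caller keeps it alive."""
    value = ctypes.c_ubyte(0)
    attr.type, attr.ulValueLen = attr_type, 1
    attr.pValue = ctypes.addressof(value)
    return value


def audit_private_keys(module_path, pin=None):
    """Log in to the first token present, honouring its authentication path,
    and return [(handle, sensitive, extractable)] for every private key."""
    lib = ctypes.CDLL(module_path)
    _ok(lib.C_Initialize(None), "C_Initialize")
    try:
        n = CK_ULONG(0)
        _ok(lib.C_GetSlotList(ctypes.c_ubyte(1), None, ctypes.byref(n)), "C_GetSlotList")
        if n.value == 0:
            raise RuntimeError("no token present in any slot")
        slots = (CK_ULONG * n.value)()
        _ok(lib.C_GetSlotList(ctypes.c_ubyte(1), slots, ctypes.byref(n)), "C_GetSlotList")
        slot, info = CK_ULONG(slots[0]), CK_TOKEN_INFO()
        _ok(lib.C_GetTokenInfo(slot, ctypes.byref(info)), "C_GetTokenInfo")
        ppin, plen = login_arguments(info.flags, pin)
        session = CK_ULONG(0)
        _ok(lib.C_OpenSession(slot, CK_ULONG(CKF_SERIAL_SESSION), None, None,
                              ctypes.byref(session)), "C_OpenSession")
        _ok(lib.C_Login(session, CK_ULONG(CKU_USER), ppin, CK_ULONG(plen)), "C_Login")
        try:
            cls, tmpl = CK_ULONG(CKO_PRIVATE_KEY), (CK_ATTRIBUTE * 1)()
            tmpl[0].type, tmpl[0].ulValueLen = CKA_CLASS, ctypes.sizeof(cls)
            tmpl[0].pValue = ctypes.addressof(cls)
            _ok(lib.C_FindObjectsInit(session, tmpl, CK_ULONG(1)), "C_FindObjectsInit")
            handles, found = (CK_ULONG * 32)(), CK_ULONG(0)   # assumption: <= 32 keys
            _ok(lib.C_FindObjects(session, handles, CK_ULONG(32), ctypes.byref(found)),
                "C_FindObjects")
            _ok(lib.C_FindObjectsFinal(session), "C_FindObjectsFinal")
            report = []
            for h in handles[:found.value]:
                attrs = (CK_ATTRIBUTE * 2)()
                sens, extr = _bool_attr(attrs[0], CKA_SENSITIVE), _bool_attr(attrs[1], CKA_EXTRACTABLE)
                _ok(lib.C_GetAttributeValue(session, CK_ULONG(h), attrs, CK_ULONG(2)),
                    "C_GetAttributeValue")
                report.append((h, bool(sens.value), bool(extr.value)))
            return report
        finally:
            lib.C_Logout(session)
            lib.C_CloseSession(session)
    finally:
        lib.C_Finalize(None)
```

Call audit_private_keys() with the path of the PKCS#11 DLL (or .so on Unix) and no PIN first: if the token does not advertise a protected authentication path the helper raises instead of prompting, which is the point, since only one party should ever collect the PIN. Feed each tuple to key_policy_violation() to flag keys that the module reports as non-sensitive or extractable. Structures are packed on Windows to match the Cryptoki headers, and every integer crossing the API is wrapped in CK_ULONG so that the 4-byte-versus-8-byte difference between Win64 and LP64 Unix cannot corrupt arguments.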

 

Fixes from ActivClient PKI Only 5.3.1 (including FIXS0607014, FIXS0606015, FIXS0510013):

·         Solved a 2-minute timeout during workstation unlock when the ActivClient User Console is open with a smart card containing PIN-protected OTP information.

·         Allows more than one smart card logon or enrollment agent certificate to be downloaded to the user's smart card. Before issuing the second certificate on the same smart card, the user must select the option 'Temporary use no default certificate' under 'My Certificate Tasks' in the ActivClient User Console. This setting remains in effect only until the end user sets a default certificate manually, removes the card, logs out or restarts the PC.

·         Avoid crash of the Advanced Diagnostics Tools, User Console/About, Smart Card Agent/About when too many Windows hot-fixes are installed.

·         V2 Applet Performance Improvements.

·         Data cache re-initialization no longer prompts for the PIN code if PIN code is still present in PIN cache.

·         The C_Logout function no longer disables the PIN status for other processes when using the PIN Caching 'per process mode'.

·         Entering an incorrect PIN code in a PKCS#11 application no longer affects other PKCS#11 applications.

·         Improved Windows PKI unlock performance after a manual unlock.

·         Improved the auto configuration of the default certificate.

·         Removed deadlocks when inserting a locked card to perform a Windows PKI unlock.

·         Added new feature: periodic polling of smartcard reader presence.

·         Quitting an application without disconnecting from the smart card no longer prevents other applications from working properly.

·         PKCS#11: Opening a second session after a smart card removal/insertion no longer resets the first session's state.

 

 

2.3           What’s New in ActivClient Mini 5.5

ActivClient Mini is a new packaging option of ActivClient: a small-footprint smart card middleware installer. ActivClient Mini provides smart card oriented services via APIs (application programming interfaces), and its installation program is very small so that it can be deployed easily over networks.

The services provided match the ActivClient SDK, which includes PKI and SKI as well as static data management. ActivClient Mini shares its core components with the other ActivClient packages.

This means that ActivClient Mini provides support for:

·         Windows PKI Login,

·         PKI authentication to Microsoft VPN/Dialup

·         Internet Explorer SSL V3 client authentication,

·         Outlook S/MIME email signature/decryption

·         Support for the Microsoft CA (auto-enrollment, self enrollment, enrollment on behalf of another user, automatic certificate renewal)

·         Authenticode digital signature

·         Applications that integrate with CAPI to use digital certificates/private key pairs (Entrust ESP, Cisco VPN client, Check Point VPN client, Adobe Acrobat, etc.)

·         Applications that integrate with PKCS#11 to use digital certificates/private key pairs

·         Entrust Entelligence Desktop

·         Applications that integrate with GSC-IS 2.1 BSI to use digital certificates/private key pairs or to access static data on the smart card (boot protection / disk encryption applications)

·         Applications that integrate with ACOMX to generate a one-time password or a response to a challenge, or to perform PIN management operations (PIN init/change/unlock)

·         Remote Desktop and Terminal Server smart card redirection

·         Citrix smart card redirection

·         Software automatic update

·         Change PIN tool

·         PIN initialization tool

·         Advanced Diagnostics Tool

·         Advanced Configuration Manager

·         PIN unlock on card insertion when card locked

·         Card auto-registration

·         Certificate registration/de-registration on card insertion/removal

ActivClient Mini does not include:

·         User Console

·         Outlook Enhancements

·         SSO components

·         One Time Password automatic fill

·         Smart card reader drivers (none are installed)

 

Unless explicitly noted, ActivClient Mini supports the same environment as the regular ActivClient edition (same support for smart cards and smart card readers, ActivIdentity CMS, Citrix Metaframe, Microsoft Windows, etc.).

 

 

ActivClient Mini 5.5 improvements:

 

Branding of the product is changed from ActivCard to ActivIdentity

 

Installation improvements

·         Small installer footprint (less than 6 MB)

·         A single .msi file for the installer improves deployability using Active Directory GPO or Microsoft SMS, as well as customization (using tools such as Orca to create .mst files).

·         The installer is digitally signed (an unsigned version of the installer is available on the installation CD should it be needed for advanced customizations)

·         Installation does not require a reboot (except when per-process PIN caching is used)

·         Uninstallation does not require a reboot unless ActivClient was used by an application (note that performing a Windows PKI login counts as application usage)

·         Support upgrade from (note that the middleware configuration is not retained):

·         ActivCard Gold 2.3.1 (no SP, SP1 or SP2)

·         ActivCard Gold for CAC 2.2 (no SP, SP1 or SP2)

·         ActivCard Gold for CAC PKI Only 3.0 (no FP, FP1, FP2)

·         ActivCard Gold 2.2 J (no SP, SP1 or SP2)

 

ActivIdentity products support:

·         Support for SecureLogin SSO v6 and Smart Card Password Logon

·         AAA 6.4.1

 

New smart card support:

·         Axalto Cyberflex Access 64K v2c

·         Oberthur CosmopolIC 64K V5.2 with 300Kb ATR

·         Support for smart cards initialized with ActivCard Gold (with the exception of cards with Match on Card applets)

 

New smart card reader support:

·         O2Micro OZ773 rev A (Keyboard)

·         Omnikey PCMCIA Cardman 4040

·         Omnikey USB Cardman 3121

·         Omnikey Cardman 5121 (Dual Interface) – in contact mode only

·         Omnikey Cardman 5125 (Contact and HID) – in contact mode only

·         SCM SCR338-03

·         SCM SCR338-04 (Keyboard)

 

Citrix support:

·         Citrix Presentation Server 4 with Hotfix Rollup Pack PSE400W2K3R01 - For Citrix Presentation Server 4.0 and Citrix Access Essentials 1.0 for Windows Server 2003

·         Citrix Presentation Server 4 with Hotfix Rollup Pack PSE400W2KR01 - For Citrix Presentation Server 4.0 for Windows 2000 Server

 

PIN Initialization Tool:

·         Can initialize a blank card, including setting the PIN code, for a specific set of smart cards.

·         Can reinitialize the PIN code of a card without knowing its secret, securely erasing the entire content of the smart card.

·         Cards initialized by this tool cannot be unlocked; they can only be reinitialized.

·         Very user friendly: just choose your new PIN code!

 

Advanced Configuration Manager:

·         The Advanced Configuration Manager can now be launched even if the user does not have local administrator privileges. In that case, the user only sees a subset of the options including the ability to turn logging on or off.

 

Performance improvements:

·         Significant performance improvements when using V2 applets.

·         Additional performance tweaking possible via configuration

·         Windows PKI Smart Card Login profiling to help identify the time spent in the smart card subsystem versus the general Windows login process

 

Card Manager blocked support:

·         Display an informational message when the user inserts a GlobalPlatform smart card with a Card Manager in a blocked state.

 

Bug fixes and minor enhancements

The following is a list of ActivClient issues fixed in this release followed by the ActivCard hot fix reference (if a hot fix has been released previously).

·         Added an option that prevents Change PIN at first use from being bypassed.

·         Prevents the system from becoming unresponsive during Windows screen unlock in some rare cases.

·         PKCS#11: Private keys are no longer reported as exportable.

·         The static PIN unlock code now works after re-initializing a card that initially had a dynamic PIN unlock profile.

·         PKCS#11: Added support for CKU_SO.

·         Removed the requirement to log on as administrator after installing some hot fixes.

·         Added an option that prevents the user from choosing the same new PIN as the old one when changing the PIN.

·         Windows+L can again be used to lock the workstation on XP.

·         Fixed a crash in PKCS#11 when the smart card is removed during C_Finalize.

·         Prevented a 30-second delay on boot.

·         CSP now DER-encodes CKA_SERIAL_NUMBER as required by PKCS#11 for X.509 certificates.

·         Improved Smart Card Password Logon performance at boot.

·         SecureLogin SSO: Retrieves Trinity Windows credentials stored on the card (the CKO_DATA_TRINITY value format is now Username@Domain\Password).

·         Added a confirmation message after a successful PIN change on first use after a PKI logon.

·         PKCS#11: The CKF_PROTECTED_AUTHENTICATION_PATH flag is now set in the TokenInfo flags.

·         PKCS#11: Allows signing with the CKM_RSA_X_509 mechanism.

·         Provides an option to disable certificate pre-caching before Windows logon.

·         PKCS#11: Supports a NULL PIN in C_Login.

·         CAC Profile V2: encryption and signature certificates are now displayed appropriately.

·         Allows disabling card auto-registration (this prevents PC/SC from using 100% CPU with some cards).

·         Allows using both synchronous and asynchronous OTP with the same smart card.

·         gscBsiGcReadValue now returns a value of zero instead of an UNKNOWN_ERROR error when the value length is null.

·         Locks the workstation on card removal if the card was used for PKI logon/unlock, even in 'PIN per process' mode.

·         The card is now logged out if the change-PIN-on-first-use dialog box is cancelled after a PKI logon.

·         PIN per process configuration: the PIN is now prompted for even if the screen saver password is turned on.

·         PIN per process configuration: entering a wrong PIN in a PKCS#11 application no longer affects other PKCS#11 applications.

 

 

3.             KNOWN PROBLEMS, SYSTEM REQUIREMENTS AND LIMITATIONS

This section describes issues known by ActivIdentity as of the release date, but which have not been addressed in the current product version. When possible, fixes and workarounds are suggested. This section also describes known limitations of this release.

 

3.1           Supported Platforms

The following operating systems are supported by ActivClient (32-bit package): Microsoft Windows 2000 SP4, Windows XP Professional (SP1 and SP2), Windows XP Home Edition (SP2), Windows Server 2003 (no Service Pack and SP1, R2 and SP2), Windows Vista.

 

The following operating systems are supported by the ActivClient 64-bit Edition package: Windows Vista x64, Windows 2003 Server x64.

 

The following operating systems are NOT supported: Windows XP x64, any IA64 edition of Windows, Windows Me, Windows NT4, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Microsoft Windows 98 First and Second Edition and any prior Windows version. On Windows XP (Pro and Home Edition), Fast User Switching is not supported.

 

3.2           Installation and Uninstallation

Before you install/uninstall/upgrade ActivClient, you must remove your smart card from the smart card reader.

 

Windows local administrative privileges or domain administrative privileges are required to install/uninstall ActivClient.

 

Close all opened applications before you install or uninstall ActivClient.

 

Do not install another application while using the ActivClient setup.

 

3.2.1.                 Installing

If Microsoft Script Debugger is installed on your workstation, a Microsoft Script Debugger error message may appear during the ActivClient setup. Ignore this error message.

 

According to Microsoft Article ID Q258558: On Windows 2000, the Add/Remove Programs Control Panel applet sometimes displays a Windows Explorer folder icon for your application instead of the ActivClient icon.

 

Running the setup from a .zip file is not supported. First unzip the installation files into a temporary folder and then launch the installation from that folder.

 

In some cases, when you copy the ActivClient installation files to a disk with a FAT32 file system, you may see a “Confirm Stream Loss” error message. When asked if you want to proceed, click Yes and continue the installation.

 

For the best visual experience on Windows 2000 while using the PIN Change Tool and the PIN Initialization Tool, it is suggested to install Microsoft GDI+, otherwise the background bitmap will not be displayed in those tools. Windows XP and Windows Server 2003 users do not need to install GDI+ as it is already included in those versions of Windows. Microsoft GDI+ is freely available from: http://www.microsoft.com/downloads/details.aspx?FamilyID=6a63ab9c-df12-4d41-933c-be590feaa05a&DisplayLang=en

 

If you copy the CD image to a network drive, the welcome page (start.exe) will not work if the path is longer than 113 characters. Launch Product\Setup.exe directly instead.

 

On Windows Vista, when you run the ActivClient installer, you may see a filename such as 226ac5.msi – this name is automatically generated and is the internal InstallShield file name for the ActivClient MSI.

 

3.2.2.                 Upgrading

When upgrading from ActivCard Gold (any version), the password management features are no longer available.

 

When upgrading from ActivCard Gold (any version) and using an ActivIdentity smart card reader, the user must be logged in to Windows using a static password that he typed manually. If this is not the case, the Windows screen lock may be triggered during the upgrade of the ActivIdentity smart card reader drivers and the user will not be able to use his smart card until the upgrade is completed. This issue appears if you upgrade by running the ActivClient MSI directly; it does not appear if you use the recommended setup.exe.

 

Note that when upgrading from a previous ActivClient version, ActivClient will reuse the installation directory that was used in the initial installation. This does not apply to upgrades from ActivCard Gold.

 

3.2.3.                 Uninstalling

To uninstall the product, use the Add/Remove Programs in the Windows Control Panel. Do NOT delete DLLs or files manually. ActivClient uses shared libraries. Deleting libraries may lead to subsequent problems when a new version is installed.

 

Due to a Microsoft Windows Installer limitation, when adding a feature during the modify process, you may be prompted for the source media (that is, the CD-ROM, local or remote directory).

 

A very small number of registry keys (including user registry keys) may be left behind after you uninstall the software. This has no adverse effect on the behavior of the workstation or on a future re-installation process. See the ActivClient Resource Kit for more information.

 

On Windows Vista, if you choose to uninstall ActivClient, you will see a warning: "Don't run this program unless you know where it is from and you used it before" -- this is a Windows limitation for MSI-based installers. You can safely proceed with the uninstall.

 

3.2.4.                 Repairing

When repairing the installation, the default configuration is restored (note: this may erase any change in the configuration, even configuration that was set by a customized setup or upgrade).

 

On Windows Vista, if you open Add/Remove Programs from the Windows Control Panel, the Repair button is not available for ActivClient. To access the repair feature, double click on the ActivClient entry – the installer starts, providing you with a Repair option.

 

3.2.5.                 Software Deployment with Microsoft SMS

If the user is logged in while a remote SMS installation of ActivClient is performed, the ActivClient Agent icon is not started automatically. The user can either perform a logout and then a login or start the ActivClient Agent manually from the startup folder.

 

The ActivClient Agent icon is still active after a remote uninstall with SMS. You must log off and log on again for the uninstall to be completely effective. Use the install process to configure SMS so that it requests logoff/logon after package uninstallation.

 

When ActivClient is removed by SMS, it still appears in Add/Remove Programs in the Windows Control Panel. When you try to uninstall, an error message appears the first time, then the option disappears.

 

3.2.6.                 Smart Card readers and drivers

RSA Private Key operations (generation and signature/decryption) are not supported when the O2Micro 0Z773 rev A (Compaq keyboard) smart card reader, driver version 1.3.7.7, is used in conjunction with the Axalto Cyberflex Access e-gate 32k (ATR: 3B 75 94 00 00 62 02 02 01 01).

 

The GTCARD Texas Instrument reader is not supported when used with the Oberthur Cosmopolic 64K V5.2 & V5.2D (in contact mode) in Fast ATR Mode (ATR : 3B DB 96 00 80 1F 03 00 31 C0 64 77 E3 00 82 90 00 C1).

 

If the ActivIdentity smart card reader driver is uninstalled (either from a modify or uninstall operation), and then reinstalled, the user may have to either unplug and then re-plug the device or restart the PC before the device can be seen by the PC.

 

Issuance of a PIV smart card is not supported with the Precise Biometric 100MC. Use the Precise Biometric 200MC instead.

 

RSA Private Key operations (generation and signature/decryption) are not supported when the SCM SDI010 is used in contact mode under Windows 2000 SP4 with the Axalto Cyberflex Access 64 K V2c.

 

Certificate download is not supported when the SCM SDI010 is used in contact mode under Windows 2000 SP4 with the Gemplus GemXpresso PRO 64K R3 v2 (FIPS) using a fast ATR.

 

RSA Private Key operations (signature) are not supported when the Omnikey Cardman 5321 is used in contact mode under Windows 2000 SP4 with the Gemplus GCX4.

 

For additional information about ActivIdentity smart card readers and ActivKey USB Tokens, refer to the ActivIdentity Device Installer documentation.

 

3.3           ActivClient PKI Services

3.3.1.                 Automatic Certificate Availability

Certificate availability options are only applicable to user certificates, not CA certificates.

 

If you use the ActivClient automatic certificate registration (which is enabled by default), we recommend that you disable the equivalent Windows certificate propagation feature. For some smart card configurations (such as the DOD Common Access Card, the US Government PIV, and cards issued by ActivID CMS), the ActivClient mechanism adds a “friendly name” (which the Windows method does not), which is useful for identifying certificates. To guarantee that the ActivClient mechanism registers the friendly name, the Windows mechanism should be disabled. To do so, on operating systems prior to Windows Vista, under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp, set the registry value named “Enabled” to "0". On operating systems starting with Windows Vista, disable the “Certificate Propagation” service.

 

On Windows Vista, some ActivClient services may start slowly, which will cause delay in the automatic certificate registration. This is due to user processes started in “BelowNormal” Priority on Windows Vista, to speed up services startup – this is a Microsoft Windows Vista design. Once all services are started, user processes such as the certificate registration return to “Normal” Priority and become responsive.

 

The ActivClient “Remove certificates from Windows on logoff” option requires the card to still be inserted in the reader during the logoff operation.

 

3.3.2.                 Windows PKI Logon

If your smart card has been configured so that you are required to change your PIN code on first use, and if the first application you log on to is Windows PKI Logon, then you will immediately be prompted to change your PIN code after you have logged on.

 

If you insert a new smart card type (not supported by ActivClient by default) during Windows PKI logon, the following message appears:

"The card supplied drivers are not present on this system. Please try another card."

Remove the card and reinsert it. The card will then be automatically registered to the system for regular usage (if the system recognizes the card and the ActivIdentity applets supported by this version of ActivClient).

 

After a Windows PKI Login, when attempting to unlock a Locked workstation, and providing a wrong PIN code, instead of "Incorrect PIN", the message "Cannot unlock desktop and can be unlocked only by the user or administrator" is displayed. This message is displayed by Microsoft Windows.

 

If you enter too many incorrect PIN codes, the warning "Last Attempt" is not displayed during a Windows PKI login. This is due to Microsoft Windows calling the ActivClient CSP in silent mode.

 

In some limited use cases, when setting ActivClient smart card removal policy to “lock” or “log off” on smart card removal, the workstation may lock or log off even if the smart card removed has not been used for Windows PKI unlock or Windows PKI Login.

 

The Windows PKI unlock workstation operation may take longer on Windows XP SP2 than it does on Windows XP SP1. This is due to Microsoft Windows XP SP2 performing additional digital signatures with the smart card.

 

The ActivClient “card removal behavior” configuration should be set (enabled by default, set to “lock workstation”) and used instead of the equivalent Windows behavior. The ActivClient feature should especially be used on workstations where several smart cards may be inserted, to guarantee that only the removal of the card used to login to Windows triggers the session lock. To disable the Windows feature, on operating systems prior to Windows Vista, use the Microsoft Group Policy MMC snap-in: Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Smart Card Removal Behavior must be set to “No action”. On operating systems starting with Windows Vista, disable the “Smart Card Removal Policy” service.

If you install ActivClient on a Citrix server, then the opposite configuration should be set (enabling the Windows feature, disabling the ActivClient feature) to provide a session disconnect on smart card removal. See the Citrix section for details.
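As an added example (not from the ActivIdentity release notes or the product itself), the following PowerShell script reports which smart card removal mechanism is active, so an administrator can verify on a workstation or Citrix server that only one of the two mechanisms described above is in effect. It assumes, beyond what the notes state, that the Group Policy “Smart card removal behavior” setting is stored in the REG_SZ value ScRemoveOption under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ("0" = No action, "1" = Lock workstation, "2" = Force logoff, "3" = Disconnect session) and that the Windows Vista service's short name is SCPolicySvc; the -CitrixServer switch is a parameter of this script, not an ActivClient option.

```powershell
# Added audit script (not part of the ActivIdentity release notes or product).
# Reports the Windows "Smart card removal behavior" policy and, on Windows Vista,
# the "Smart Card Removal Policy" service, then compares the result with the
# release notes' recommendation: workstations rely on the ActivClient
# "card removal behavior" feature (Windows policy = No action); Citrix servers
# rely on the Windows policy instead.
# Assumptions (not stated in the release notes): ScRemoveOption value and
# SCPolicySvc service name, as described in the lead-in.
param([switch]$CitrixServer)   # pass when auditing a Citrix server

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$labels = @{ '0' = 'No action'; '1' = 'Lock workstation'; '2' = 'Force logoff'; '3' = 'Disconnect session' }

# Read the policy value; an absent value behaves like "No action".
$opt = (Get-ItemProperty -Path $winlogon -Name 'ScRemoveOption' -ErrorAction SilentlyContinue).ScRemoveOption
if ($null -eq $opt) { $opt = '0' }
$desc = $labels[[string]$opt]
if (-not $desc) { $desc = 'unknown value' }
Write-Host ("Windows ScRemoveOption = {0} ({1})" -f $opt, $desc)

# On Windows Vista and later the behaviour is enforced by a service as well.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='SCPolicySvc'"
    if ($svc) {
        Write-Host ("Smart Card Removal Policy service: state={0}, start mode={1}" -f $svc.State, $svc.StartMode)
    }
}

# Compare with the recommendation for this kind of machine.
$windowsActive = ([string]$opt -ne '0')
if ($CitrixServer) {
    if ($windowsActive) {
        Write-Host 'OK: the Windows removal policy is active, as recommended for Citrix servers; disable the ActivClient feature there.'
    } else {
        Write-Warning 'Citrix server: enable the Windows removal policy (session disconnect) and disable the ActivClient "card removal behavior" feature.'
    }
} else {
    if ($windowsActive) {
        Write-Warning 'Workstation: set the Windows "Smart card removal behavior" policy to "No action" (and disable the Smart Card Removal Policy service on Vista); let ActivClient handle card removal.'
    } else {
        Write-Host 'OK: the Windows removal policy is "No action"; the ActivClient "card removal behavior" setting handles card removal.'
    }
}
```

Run it from an elevated prompt; it only reads the configuration and prints a recommendation, so it is safe to include in a fleet-wide compliance check before changing anything through Group Policy or the Advanced Configuration Manager.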

 

To perform a Windows PKI login with a Cryptoflex 8K, you must select a default certificate with the ActivClient User Console – the automatic certificate selection is not available due to the PIN-protected status of the certificates on this card.

 

The ActivClient “Enable performance logging for Windows PKI Smart Card Logon” option allows tracing detailed information during a Windows PKI logon operation. On Windows Vista, the smart card must have been inserted in the smart card reader right before the Windows PKI logon operation to have the PKI logon performance reported.

 

If you use a smart card configured with SMA (i.e. PIN encryption, compliant with FIPS 140-2 Level 3), then removing your card may not trigger the screen lock on Windows Vista, if the card is removed in the first minute or so, until Windows Vista has finished loading the necessary ActivClient processes and assigned them a “Normal” priority.

 

3.3.3.                 Microsoft Outlook

Attempting to hit <Cancel> or to close the "Enter PIN" dialog when signing an email message will result in a dialog box appearing several times before the operation can be aborted.

 

After receiving a signed email message, in some cases, repeatedly clicking <Cancel> on the PIN dialog box may trigger the message "Can't open this item. Your key set cannot be found by the underlying security system."

 

To decrypt an email with Outlook, you must install Microsoft Enhanced CSP on the computer. This update is sometimes referred to as "the 128-bit version of Microsoft Internet Explorer."

 

Outlook certificate operations (including the Outlook Usability Enhancements) do not function properly when the user certificates are not trusted. Make sure that the issuing CAs are trusted by Microsoft CAPI.

 

3.3.4.                 Microsoft Outlook Usability Enhancements

When Microsoft Word is used as the email editor, the security icons are not displayed.

 

The “Automatically add sender’s certificate to Outlook Contacts” feature prompts the user even if the certificate is already present.

 

When the option "Automatically add sender’s certificates to Outlook Contacts" is enabled and the "Contacts" folder is empty, it is not possible to cancel the operation of adding the certificate for the first received signed email.

 

When Microsoft Outlook is configured for Internet Mail Only, you need to first create a contact so that ActivClient can update it with all the correct information. In other configurations, the contact is created automatically.

 

If “Card authentication management” is set to “disabled” in the Advanced Configuration Manager, then the PIN is requested again to sign email messages after Outlook is restarted.

 

The Automatic certificate registration with Outlook supports only one security setting.

 

The Automatic certificate registration with Outlook requires that an Outlook profile already exist.

 

To prevent overwriting existing settings, the Automatic certificate registration with Outlook adds an Outlook security profile but does not update the existing security profile by default. To update the existing security profile, you can use the ActivClient configuration “Force ActivClient Outlook security profile update on card insertion”, which is disabled by default.

 

In some configurations, when a certificate is being registered, the following warning message appears:

"A recently installed program may cause Microsoft Office or other e-mail-enabled programs to function improperly. Outlook can resolve this conflict without affecting the program that originally caused the problem. Do you want Outlook to resolve this problem?" Select No.

 

If Outlook displays the error message "Your Digital ID name cannot be found by the underlying security system." while you are trying to send a signed or an encrypted email message, then you must select the appropriate certificate from the Outlook Security settings.

 

3.3.5.                 Internet Explorer

In some cases, the friendly name for the signing certificate is not set.

 

Depending on the security policy of your smart card, certificate update/renewal operations using the web browser or the MMC certificate snap-in may not be allowed. When you try to do so, the content of the card is not modified, even though in some cases no error message is displayed. This also applies to U.S. Department of Defense-issued Common Access Cards (CAC).

 

The U.S. Department of Defense-issued Common Access Cards' certificate names are not differentiated in the Internet Explorer browser. When visualizing card certificates in an IE browser or during an SSL authentication, all three certificates have the same name. The workaround is to use the friendly name (ID, Signature or Encryption certificate) visible in the same window. This also applies to FIPS 201 compliant PIV cards.

 

If you perform a certificate request using Internet Explorer when the card is full, the default certificate is replaced by the recovered certificate. To display a warning to users before this replacement takes place, set the ActivClient registry key HKLM\Software\ActivCard\ActivClient\CSP\EnableReplaceCertDisplay to 1.

 

3.3.6.                 Windows EFS

For detailed information about Microsoft Encrypting File System, you may refer to Microsoft documentation such as:

http://www.microsoft.com/technet/windowsvista/security/protect_sensitive_data.mspx#EGJAC

http://windowshelp.microsoft.com/Windows/en-US/Help/196e3453-e553-4af3-8220-bdee6e60148c1033.mspx

 

In some rare conditions, when trying to encrypt a file with a new encryption certificate (on a machine where a different encryption certificate was used previously), Windows will prompt the user that a restart is required. This issue is fixed with Windows Vista hot fix 937063, available from Microsoft customer support.

 

ActivClient includes an automatic EFS configuration feature (by automatically selecting the smart card certificate that EFS will use). This configuration option, “Configure Windows EFS with smart card certificate”, is enabled by default. This option is applicable only for the initial configuration. If you want to update the EFS certificate later and re-encrypt your files with a new certificate, you will need to use the “Manage your encryption certificate wizard” – refer to the ActivClient User Guide for details.

 

3.3.7.                 Firefox / Mozilla / Thunderbird / Netscape

The card authentication certificate of a PIV smart card is not displayed by Firefox / Mozilla / Netscape. This is because the web browser does not support an empty subject name.

 

Before starting the installation of the ActivClient Firefox / Mozilla / Thunderbird / Netscape support module, Firefox, Mozilla, Thunderbird and Netscape must all be closed. In addition, you should not have any PIV end-point smart card inserted in the smart card reader during removal of this module.

 

When using a PIV card for email signature on Netscape, the ActivClient PIN Caching setting should be enabled.

 

3.3.8.                 Entrust Entelligence Desktop Solution

When performing an Entrust Profile recovery, the ActivClient PIN may be requested four times even after canceling each time.

 

Entrust RA may delete an existing X509 certificate on the card when a new Entrust profile is created with Entrust RA.

 

The PIN may be requested several times during a profile recovery with Entrust RA.

 

The “Always ask the PIN code before performing any other operation” option is not compatible with Entrust support due to the way Entrust Desktop Solution uses the smart card.

 

Using the ActivClient user interface, it is possible to change the current smart card PIN code. Doing this while logged on to an Entrust session leads to a session break because Entrust is still using the old PIN code. Log out from Entrust before changing the PIN code with ActivClient.

 

It is not possible to create an Entrust profile on a card, when the card already contains one.

 

The Entrust SSO product is supported only with the ActivCard PKCS #11 v2 library.

 

If the Entrust application tries to access the smart card resource manager and an error is logged in the event viewer stating that the Entrust service is not responding, ignore this event if the service is correctly started.

 

Entrust Entelligence Desktop Solution uses its own PIN caching mechanism, independent of ActivClient PIN policies. As a consequence, after you logoff from Windows, Entrust will still allow you to access your smart card for PIN-protected operations (without requiring any PIN entry); while ActivClient will require you to enter the PIN for non-Entrust operations.

 

If your smart card is full for digital certificates (i.e. does not contain any available PKI applet instance), and if you perform an Entrust profile recovery, the old Entrust keys are maintained on the card, available to Entrust Entelligence applications. Also, as long as the old Entrust certificates are still available in the user’s Microsoft CAPI store, the associated keys are available to Microsoft CAPI-based applications (such as Outlook).

 

If your smart card already contains a secure channel protected X509 certificate, and you want to download an Entrust profile using Entrust Desktop Solution 7.0, you will need to install the following Entrust fix: Entrust Entelligence Desktop Manager 7.0 patch 97257.

 

In some configurations, if you encrypt a file with Entrust right after the creation of an Entrust profile, Entrust will seem to hang for a minute and then recover. This behavior is not related to ActivClient and can be reproduced when storing the Entrust profile in software instead of on a smart card.

 

You cannot load an Entrust profile (for Entrust Entelligence Desktop Solution) on a Cryptoflex 8K. Existing Entrust profiles (loaded with ActivCard Gold) can be used with ActivClient.

 

3.3.9.                 Entrust Entelligence Security Provider

Enrolling an Entrust ID on a smart card that is full is not supported.

 

Updating a certificate on a smart card that is full is not supported.

 

Performing a recovery operation on an empty smart card creates three certificates instead of two.

 

If you use Entrust with 2 key pairs, and if you use a card profile with only 3 PKI instances (the standard profile for 32K smart cards), then recovery of Entrust certificates is not possible: 4 PKI instances are required on the card by Entrust design. ActivIdentity recommends using a card profile with 6 PKI instances or more (typical for 64K smart cards).

 

3.3.10.            Other PKI applications

If Check Point VPN-1 SecureClient NG AI R55 is installed on your workstation, you can use it for smart card PKI login to your network. In some cases, it may return an error: “TokenLogin: Failed to get token from filename.” This is due to a collision between ActivClient automatic certificate registration and Microsoft automatic certificate registration. To resolve this error, on operating systems prior to Windows Vista, disable Microsoft automatic certificate registration by setting the following registry value: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp, set Enabled = 0, then restart your computer. On operating systems starting with Windows Vista, disable the “Certificate Propagation” service. In addition, if you have just downloaded a certificate to your card, you will need to remove your card from the reader, insert it again (which registers the certificate in Windows) and then select the certificate in the Check Point GUI.
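The registry and service change above is the same one recommended in section 3.3.1 (Automatic Certificate Availability). As an added example (not from the ActivIdentity release notes or the product itself), the following PowerShell script audits, and with -Fix applies, that change on both pre-Vista and Vista systems. It assumes, beyond what the notes state, that the “Enabled” value under the ScCertProp notify key is a REG_DWORD and that the Windows Vista “Certificate Propagation” service's short name is CertPropSvc; the -Fix switch is a parameter of this script, not an ActivClient option.

```powershell
# Added audit/remediation script (not part of the ActivIdentity release notes or product).
# Checks whether the Windows certificate propagation mechanism is disabled, as the
# release notes recommend when ActivClient automatic certificate registration is on
# (sections 3.3.1 and 3.3.10). Without -Fix it only reports.
# Assumptions (not stated in the release notes): the Enabled value is a REG_DWORD and
# the Vista service short name is CertPropSvc.
param([switch]$Fix)

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp'

if ([Environment]::OSVersion.Version.Major -ge 6) {
    # Windows Vista and later: propagation is performed by a service.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='CertPropSvc'"
    if ($null -eq $svc) {
        Write-Host 'Certificate Propagation service (CertPropSvc) not found on this system.'
    } else {
        Write-Host ("Certificate Propagation service: state={0}, start mode={1}" -f $svc.State, $svc.StartMode)
        if ($svc.StartMode -eq 'Disabled') {
            Write-Host 'OK: Windows certificate propagation is disabled; ActivClient registers certificates.'
        } elseif ($Fix) {
            Set-Service -Name 'CertPropSvc' -StartupType Disabled
            Stop-Service -Name 'CertPropSvc' -Force -ErrorAction SilentlyContinue
            Write-Host 'Certificate Propagation service stopped and disabled.'
        } else {
            Write-Warning 'Windows certificate propagation is still enabled; rerun with -Fix to disable the service.'
        }
    }
} else {
    # Windows 2000 / XP / Server 2003: propagation is a Winlogon notification package.
    if (-not (Test-Path $notifyKey)) {
        Write-Host 'ScCertProp Winlogon notify key not found on this system.'
    } else {
        $enabled = (Get-ItemProperty -Path $notifyKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        Write-Host ("ScCertProp Enabled = {0} (0 = Windows propagation disabled)" -f $enabled)
        if ($enabled -eq 0) {
            Write-Host 'OK: Windows certificate propagation is disabled; ActivClient registers certificates.'
        } elseif ($Fix) {
            Set-ItemProperty -Path $notifyKey -Name 'Enabled' -Value 0 -Type DWord
            Write-Host 'ScCertProp disabled; a restart is required for the change to take effect.'
        } else {
            Write-Warning 'Windows certificate propagation is still enabled; rerun with -Fix to set Enabled = 0.'
        }
    }
}
```

Run it from an elevated prompt. Keeping the check separate from the fix lets the same script serve as a read-only compliance check on machines where ActivClient automatic certificate registration has been deliberately turned off and the Windows mechanism is expected to stay enabled.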

 

If you have an application using PKCS#11 with a PIV card or a smart card with ActivIdentity V2 applets, and you lock and then unlock the Windows workstation with a password, PKCS#11 will not erase the private key attributes (CKA_ID, CKA_LABEL, CKA_SUBJECT); however, using the RSA private key will require re-entering your PIN code.

 

3.4           ActivClient OTP Services

3.4.1.                 Check Point SAA component

If you install the ActivClient Check Point SAA module, then the uninstallation of this module will lead to errors. Also, the user is prompted to end the Check Point process during the uninstallation phase. To work around this, you will need to restore the userc.c file that Check Point backed up at installation (in folder <Program Files>\CheckPoint\SecuRemote\database\backup\userc.c). After uninstalling ActivClient or removing the ActivClient Check Point module (via a Modify), the backup file must be copied to <Program Files>\CheckPoint\SecuRemote\database to replace the current userc.c file. A reboot is needed for this update to take effect.

 

If you install the ActivClient Check Point SAA module, the Check Point client is set to the SAA authentication mode; you cannot select another authentication mode – this is a Check Point limitation.

 

3.4.2.                 Automatic OTP generation via the ActivClient Agent

If you generate a One-Time Password via the ActivClient Agent, the OTP is placed in the Windows clipboard; previous content of the clipboard is no longer available for a Paste operation even after the OTP has been pasted.

 

3.5           ActivClient Common Services

3.5.1.                 User Console

The certificate time (Valid from/Valid to) displayed in the ActivClient User Console may differ from the time displayed in Internet Explorer. This difference is due to Internet Explorer using GMT while the ActivClient User Console uses the local time zone.

 

After changing the log file name in the Log File Options dialog box, both a file with the new name and a file with the old name appear in the selected directory.

 

ActivClient User Console is included by default in the PIN caching “include” list. Do not remove it from the list if you intend to use the ActivClient User Console.

 

Do not remove the card from the smart card reader while it is being accessed by applications (when the ActivClient icon on the taskbar is red). Also, do not remove the card if an error message appears in the ActivClient User Console.

 

On some models of the US Department of Defense Common Access Cards, there is an extra eight digit number at the end of the serial number printed on the back of the card. This extra number is not electronically recorded on the chip and thus is not part of the serial number displayed by the ActivClient User Console.

 

If you type a log file name that is longer than 259 characters in the Log File Options dialog box, then the dialog behaves as if the logging is disabled.

 

Deleting a certificate using the ActivClient User Console does not remove the link to the certificate in Microsoft CAPI. The certificate will still appear to be present in CAPI-enabled applications such as Internet Explorer or Microsoft Outlook, even though no private key operation will be available.

 

The "Remove certificates from Windows on smart card removal" option will not remove certificates that were imported from a PKCS#12 file on the same computer.

 

ActivClient User Console has some limitations with regards to compatibility with Microsoft Narrator when navigating the menus. ActivIdentity is currently working with the third-party company providing the User Console interface to provide a solution to this problem.

 

Icons in the User Console will display the first time after they are disabled. Those icons will be hidden in subsequent use of the User Console.

 

If you hide an icon in the User Console toolbar (via the ActivClient configuration option), and then attempt to display it again, it may not reappear. To show it again, in the User Console, go to View – Toolbars – Customize, go to the Toolbars tab, and select Reset All.

 

When using a CAC card from the DoD Contactless Pilot, the CHUID is not displayed in the User Console.

 

3.5.2.                 ActivClient Agent

If you insert a smart card upside down or on the wrong side and then reinsert it properly, the ActivClient Agent icon may still display "no smart card."

 

If you insert and remove your smart card several times in the smart card reader, the ActivClient Agent icon may still display "no smart card." Remove and reinsert the card in the smart card reader and the icon will be refreshed.

 

If your system is connected to more than one smart card reader, the ActivClient Agent only supports the first smart card it detects and does not support more than one smart card connected at the same time.

 

The ActivClient Agent may fail to detect the card insertion if a card is inserted briefly and removed immediately. In this case, you may be prompted twice for the PIN when you reinsert the card.

 

The ActivClient Agent may start slowly on Windows Vista, and its menus (available via right click) may appear slowly; this happens only at the beginning of the Windows session. By design, Windows Vista starts user processes at “BelowNormal” priority to speed up service startup. Once all services are started, user processes such as the ActivClient Agent return to “Normal” priority and become responsive.

 

3.5.3.                 Troubleshooting Wizard

If your system is connected to more than one smart card reader, the Troubleshooting Wizard only diagnoses the first smart card it detects and does not support more than one smart card connected at the same time.

 

The Troubleshooting Wizard incorrectly reports that the smart card reader driver is not installed correctly when the smart card reader is unplugged.

 

When the smart card is removed while the Troubleshooting Wizard is running, it may display incorrect information about whether or not the card is properly inserted.

 

The Troubleshooting Wizard is included by default in the PIN caching “include list”. Do not remove it from the list if you intend to use the Troubleshooting Wizard.

 

If you use the ActivClient Troubleshooting Wizard on Windows Vista, its window may appear as “Not Responding” while the troubleshooting is performed. When the troubleshooting process is complete, the results are displayed in the window as expected.

 

3.5.4.                 Diagnostics Tool

The Advanced Diagnostic Tool may freeze if the installed smart card reader drivers are not the latest ones available from the device manufacturer. Make sure the latest smart card reader drivers from the device manufacturer are installed before running the tool.

 

3.5.5.                 Advanced Configuration Manager

In some cases, you may see a refresh issue when you update some configuration settings in the ActivClient Advanced Configuration Manager. Close and start the tool again.

 

3.6           Other

3.6.1.                 Generic Smart Card Services

The ActivClient smart card automatic registration mechanism does not support double ATR smart cards. For such cards, an ActivClient update (hot fix) is needed to support a new smart card model.

 

The ActivClient smart card automatic registration mechanism does not support bi-protocol (T=0 and T=1) smart cards. For such cards, an ActivClient update (hot fix) is needed to support a new smart card model.

 

If you use smart cards supporting only the T=1 protocol (i.e. that do not support the T=0 protocol), you will see error messages in the event viewer, such as “Smart Card Reader ‘ActivCard ActivCard USB Reader C2 0’ rejected IOCTL SET_PROTOCOL: The request is not supported.” These errors are due to ActivClient attempting a T=0 connection before using a T=1 connection. Such errors can be ignored.
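The following PowerShell function is an added example (not ActivIdentity code) that separates the benign SET_PROTOCOL rejections described above from any other smart card reader IOCTL errors, so that the rest of the System log can still be triaged instead of being ignored wholesale. The three messages it runs over are constructed samples in the format quoted in this note; the second message (a TRANSMIT rejection) and the reader name “Example Reader 1” are illustrative and do not come from the release notes.

```powershell
function Get-ScardIoctlRejection {
    # Parses one Event Viewer message of the form
    #   Smart Card Reader '<reader>' rejected IOCTL <name>: <reason>
    # and flags the T=0-before-T=1 probe described in the notes as benign.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] [string] $Message)
    process {
        $pattern = "Smart Card Reader '(?<reader>[^']+)' rejected IOCTL (?<ioctl>\w+): (?<reason>.+)$"
        if ($Message -match $pattern) {
            $benign = ($Matches.ioctl -eq 'SET_PROTOCOL') -and
                      ($Matches.reason -like 'The request is not supported*')
            New-Object PSObject -Property @{
                Reader = $Matches.reader
                Ioctl  = $Matches.ioctl
                Reason = $Matches.reason.Trim()
                Benign = $benign   # $true only for the expected SET_PROTOCOL case
            }
        }
    }
}

# Constructed sample messages (the first is the one quoted in the notes).
$samples = @(
    "Smart Card Reader 'ActivCard ActivCard USB Reader C2 0' rejected IOCTL SET_PROTOCOL: The request is not supported.",
    "Smart Card Reader 'ActivCard ActivCard USB Reader C2 0' rejected IOCTL TRANSMIT: The device is not connected.",
    "Smart Card Reader 'Example Reader 1' rejected IOCTL SET_PROTOCOL: The request is not supported."
)
$samples | Get-ScardIoctlRejection | Format-Table Reader, Ioctl, Benign, Reason -AutoSize

# Against the live System log (Windows Vista and later), show only the entries
# that are NOT the benign SET_PROTOCOL case:
# Get-WinEvent -LogName System | Where-Object { $_.Message -like '*rejected IOCTL*' } |
#     ForEach-Object { $_.Message } | Get-ScardIoctlRejection | Where-Object { -not $_.Benign }
```

Only the SET_PROTOCOL rejection with “The request is not supported” is covered by the “can be ignored” statement above; a different IOCTL name or a different reason text on the same reader is not explained by the T=0 probe and should be looked at.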

 

After some updates to the content of the smart card, if the card is no longer recognized properly or the user does not see the changes made to the card, start the ActivClient User Console, select the “Forget state for all cards” option from the Tools | Advanced menu, and then remove and reinsert the smart card in the smart card reader.

 

If you use a smart card on workstation A and then update the card content (including the PIN policy) on workstation B, you may need to perform a "forget all card state" on workstation A for the changes to be visible.

 

If you initialize smart cards with AAA Server (without ActivID CMS), the PIN policies Minimum PIN length, Maximum PIN length and Weak PIN are not updated by AAA; the policies previously defined on the card are preserved and continue to be used by ActivClient.

 

If you update the ActivClient configuration from GSC-IS preference to PIV preference (or vice versa), you will need to perform a "forget all card state" in the User Console to guarantee that cards previously used on the workstation will be seen with their new configuration.

 

32-bit applications using ActivClient middleware services on a 64-bit operating system (using the 32-bit APIs included in ActivClient 64-bit edition) cannot leverage the ActivClient PIN caching “include list” and “exclude list”.

 

32-bit applications using ActivClient middleware services on a 64-bit operating system and using more than one API (e.g. PKCS#11 and BSI) need to implement PIN authentication separately to each API if the ActivClient PIN caching is configured “per process”.

 

 

3.6.2.                 CMS Issuance station

When ActivClient is used as an issuance station with the ActivID Card Management System, the recommended card removal behavior option is “no action.”

 

When issuing a smart card with a certificate coming from a Microsoft CA, CMS 3.8 requires a hotfix to work properly. Contact customer support to obtain this hotfix.

 

3.6.3.                 CMS My Digital ID Card

Before using ActivClient with a CMS My Digital ID Card version earlier than CMS 4.0 SP3, you need to install the MFC 7.1 (mfc71.dll) redistributable package for My Digital ID Card to work properly.

 

With CMS 3.8 or 4.0 (any SP), CMS My Digital ID Card is not supported when accessed from 64-bit environments – it will be supported only with CMS 4.1.

 

3.6.4.                 Citrix

To enable the smart card services, you must create or modify the following registry entries on the Citrix server:

1. Open the Windows Registry Editor and navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook

2. From the Edit menu, select Add Value and enter the following:

Value Name: Flag

Data Type: REG_DWORD

Data: 80000000 (hexadecimal, i.e. 0x80000000)

3. From the Edit menu, select Add Value and enter the following:

Value Name: FilePathName

Data Type: REG_SZ

Data: scardhook.dll

 

To obtain a Citrix disconnection on smart card removal, you need to have a specific configuration for ActivClient and for Windows.

1) Set the ActivClient card removal behavior to “No action” using the ActivClient Advanced Configuration Manager.

2) Set the Windows configuration to “Lock on smart card removal” by using the Microsoft Group Policy MMC snap-in: Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Smart Card Removal Behavior must be set to “Lock Workstation”.

3) On operating systems starting with Windows Vista, set the “Smart Card Removal Policy” service to Automatic to guarantee that the policy defined in step 2 is taken into account.

 

On the Citrix server, you need to disable the Microsoft automatic certificate registration. On operating systems prior to Windows Vista, set the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp, Enabled = 0 then restart your computer. On operating systems starting with Windows Vista, disable the “Certificate Propagation” service.
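The three Citrix-server settings above (the Smart Card Hook registry entries, the Windows side of disconnect-on-removal, and disabling Microsoft certificate propagation) can be applied and read back with the following PowerShell script. It is an added example and is not ActivIdentity or Citrix code. It assumes an elevated prompt on the Citrix server with PowerShell installed, and that the ActivClient step of the second item (card removal behavior set to “No action” in the Advanced Configuration Manager) is done separately, since the notes do not document a registry location for it. The registry paths and value names are the ones quoted in this section; the service names SCPolicySvc (Smart Card Removal Policy) and CertPropSvc (Certificate Propagation) and the ScRemoveOption mapping are the standard Windows ones.

```powershell
$ErrorActionPreference = 'Stop'
$vistaOrLater = [Environment]::OSVersion.Version.Major -ge 6

# 1. Citrix smart card hook (first item of 3.6.4).
$hookKey = 'HKLM:\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook'
if (-not (Test-Path -Path $hookKey)) { New-Item -Path $hookKey -Force | Out-Null }
# The documented Flag data 80000000 is hexadecimal. PowerShell reads the literal
# 0x80000000 as a 64-bit integer, which the registry provider may refuse to narrow
# to a 32-bit DWORD; [int32]::MinValue is the same 32-bit pattern (0x80000000)
# and is accepted on every PowerShell version.
Set-ItemProperty -Path $hookKey -Name 'Flag' -Type DWord -Value ([int32]::MinValue)
Set-ItemProperty -Path $hookKey -Name 'FilePathName' -Type String -Value 'scardhook.dll'

# 2. Windows side of disconnect-on-removal (steps 2 and 3 of the second item).
# The policy "Interactive logon: Smart card removal behavior" is stored as the
# REG_SZ value ScRemoveOption: 0 = No action, 1 = Lock Workstation, 2 = Force Logoff.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name 'ScRemoveOption' -Type String -Value '1'
if ($vistaOrLater) {
    # On Vista and later the policy is only enforced while this service runs.
    Set-Service -Name 'SCPolicySvc' -StartupType Automatic
    Start-Service -Name 'SCPolicySvc'
}

# 3. Disable Microsoft certificate propagation (third item) so that it does not
# compete with ActivClient's own certificate registration.
if ($vistaOrLater) {
    Stop-Service -Name 'CertPropSvc' -Force
    Set-Service -Name 'CertPropSvc' -StartupType Disabled
} else {
    Set-ItemProperty -Path "$winlogon\Notify\ScCertProp" -Name 'Enabled' -Type DWord -Value 0
    Write-Warning 'ScCertProp disabled in the registry; restart the server for this to take effect.'
}

# Read everything back. Flag is printed in hex so it can be compared with the notes.
$hook = Get-ItemProperty -Path $hookKey
'Flag           : 0x{0:X8}' -f $hook.Flag
'FilePathName   : {0}' -f $hook.FilePathName
'ScRemoveOption : {0}' -f (Get-ItemProperty -Path $winlogon).ScRemoveOption
if ($vistaOrLater) {
    foreach ($svc in 'SCPolicySvc', 'CertPropSvc') {
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
        '{0,-15}: StartMode={1}, State={2}' -f $svc, $wmi.StartMode, $wmi.State
    }
}
```

The read-back at the end is the check worth keeping: a Flag that prints as anything other than 0x80000000, or a Smart Card Removal Policy service that is Automatic but not Running, means the corresponding item in this section is not in effect even though the values look set.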

 

Because of a limitation of the Citrix PC/SC smart card redirection, it is recommended to install ActivClient on a Citrix server directly from the physical console. Otherwise, the first use of each smart card type may fail until the card has been removed and reinserted, and the exact card model will not be available.

 

If you use ActivClient in a Citrix Presentation Server environment, make sure that only one smart card reader is connected on the end-user workstation (connecting to the Citrix server). If two smart card readers are connected, disconnect one reader and restart your Windows session (logoff, login again). Note: The ActivIdentity ActivKey Token installs a virtual reader that is considered as always plugged. As a consequence, do NOT install the ActivKey driver if you don’t use this device.

 

When ActivClient is installed on the Citrix server, card management operations such as certificate download or PIN change operations are not available within the Citrix session.

 

If ActivClient is installed both on the Citrix client and on the Citrix server, and if you perform a Change PIN operation using ActivClient installed on the client workstation, you are prompted to re-authenticate when you access the smart card using ActivClient on the Citrix server. Note that the “PIN try” counter is then decremented by 1.

 

If ActivClient is installed both on the Citrix client and on the Citrix server, and if you perform a card content change with ActivClient installed on the client workstation (e.g. adding a new certificate), you will need to perform a card removal/insertion to access these card content changes.

 

If you use your smart card locally on your workstation, you will be prompted for the PIN to access the smart card again from your Citrix session – independently of your ActivClient PIN policy (PIN cache). This is due to the fact that both instances of ActivClient (on your workstation and on the Citrix server) are independent.

 

If you use a thin client with Windows CE.NET (tested with Neoware rev 7.0.3 based on Win CE 4.20), disconnect on smart card removal is not supported; do not remove the smart card during a Citrix session. To correctly disconnect or logoff, you must use the Citrix disconnect or logoff menu and then remove the smart card.

 

If you use a thin client with Windows CE (tested with Wyse S30 based on Win CE 5.0), certificate download to the smart card may require several PIN entries.

 

If you use your smart card to login to the Citrix session with a PKI login, a new PIN prompt will appear for additional smart card services inside the Citrix session. This is related to the design of Windows Terminal Server.

 

If you use Citrix in published application mode, you are not logged off when you close the last application. This is due to some ActivClient services (acevents.exe and accrdsub.exe) that remain active under the users context. A workaround is described in Citrix Knowledge Base: article CTX891671.

 

Under some stress conditions (network bandwidth, latency, load on the Citrix server), card events such as card removal may be reported to ActivClient with a delay of a few seconds. Until ActivClient is aware of those changes, it continues to operate as if the card were still present in the reader.

 

Before accessing a Citrix server via the web interface, the card should be removed from the smart card reader and reinserted only when prompted. Failure to do so may freeze the session.

 

If you open a session on the Citrix server from computer A with a smart card and then move to computer B and establish a session to the same Citrix server, you will have to type your PIN code twice.

 

When ActivClient is installed on a Citrix server, it may lead to events appearing in the Event Viewer on the server, such as: Unable to start a DCOM Server, The error “the system cannot find the path specified” happened while starting command C:\Program Files\ActivIdentity\ActivClient\acevents.exe. This event has no impact on ActivClient functionality.

 

If you enable ActivClient log files on a Citrix server, be aware that log files will grow very fast due to the logging of all users’ operations. Only enable logging when prompted by ActivIdentity customer support.

 

3.6.5.                 Microsoft Terminal Server and RDP

When ActivClient is installed on the Terminal Server, card management operations such as certificate download or PIN change operations are not available within the RDP session.

 

If ActivClient is installed both on the RDP client and on the Terminal Server, and if you perform a Change PIN operation using ActivClient installed on the client workstation, you are prompted to re-authenticate when you access the smart card using ActivClient on the Terminal Server. Note that the “PIN try” counter is then decremented by 1.

 

If ActivClient is installed both on the RDP client and on the Terminal Server, and if you perform a card content change with ActivClient installed on the client workstation (e.g. adding a new certificate), you will need to remove and insert again your card to access these card content changes.

 

If you use your smart card to login to the RDP session, a new PIN prompt will appear for additional smart card services inside the RDP session. This is related to the design of Windows Terminal Server.

 

If you use smart card services inside a RDP session, some PIN-protected operations may require a new authentication even if an authentication already occurred.

 

When ActivClient is installed on a Terminal Server, it may lead to events appearing in the Event Viewer on the server, such as: Unable to start a DCOM Server, The error “the system cannot find the path specified” happened while starting command C:\Program Files\ActivIdentity\ActivClient\acevents.exe. This event has no impact on ActivClient functionality.

 

If you use the Windows Remote Desktop Connection client 6.0 (included with Windows Vista, and available as a software update for Windows XP) to connect to another workstation or to a server running Windows Terminal Server, ActivClient must be installed on the client workstation for the smart card services to work in the RDP session. This limitation does not exist with Remote Desktop Connection client 5.0. To work around it on the client machine, save the remote desktop connection as an .rdp file, open it with Notepad, add the line enablecredsspsupport:i:0, save the file, and use it whenever you want to open the connection. This setting disables the local (CredSSP, i.e. Network Level Authentication) credential prompt, so authentication takes place only on the remote desktop logon screen. Note that a Terminal Server configured to accept only Network Level Authentication connections will refuse a connection made with this setting.
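The following PowerShell functions are an added example (not Microsoft or ActivIdentity code) that set or replace one “name:type:value” line in a saved .rdp file, used here to add enablecredsspsupport:i:0 exactly once instead of editing the file by hand. They assume the file was saved by the Remote Desktop Connection 6.0 client (one setting per line; the client writes the file as UTF-16 with a byte-order mark, which is why it is written back with -Encoding Unicode). The file name terminal-server.rdp is illustrative.

```powershell
function Set-RdpSetting {
    # Replaces any existing "<Name>:i:..." or "<Name>:s:..." line and appends the
    # new one, so the file ends up with exactly one definition of the setting.
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [string] $Value,
        [ValidateSet('i', 's')]       [string] $Type = 'i'   # i = integer, s = string
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Save the connection from Remote Desktop Connection first: $Path not found."
    }
    $pattern = '^' + [regex]::Escape($Name) + ':[is]:'
    $lines = @(Get-Content -Path $Path | Where-Object { $_ -notmatch $pattern })
    $lines += ('{0}:{1}:{2}' -f $Name, $Type, $Value)
    # mstsc expects UTF-16; keep that encoding so the client still reads the file.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

function Get-RdpSetting {
    # Returns the value of a setting, or $null when the file does not define it.
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Name
    )
    $pattern = '^' + [regex]::Escape($Name) + ':[is]:(.*)$'
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

# Usage: the file saved via Remote Desktop Connection > Options > Save As.
$rdpFile = Join-Path $env:USERPROFILE 'Documents\terminal-server.rdp'
Set-RdpSetting -Path $rdpFile -Name 'enablecredsspsupport' -Value '0'
'enablecredsspsupport is now: {0}' -f (Get-RdpSetting -Path $rdpFile -Name 'enablecredsspsupport')

# Once ActivClient is installed on the client workstation the workaround is no
# longer needed; restore Network Level Authentication with:
# Set-RdpSetting -Path $rdpFile -Name 'enablecredsspsupport' -Value '1'
```

With the value at 0 the client performs no Network Level Authentication: the PIN is entered on the remote logon screen rather than locally, and a Terminal Server that allows only NLA connections refuses the session. Apply the setting only to the connection files that need it and revert it once ActivClient is installed on the client.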

 

If you enable ActivClient log files on a Windows Terminal Server, be aware that log files will grow very fast due to the logging of all users’ operations. Only enable logging when prompted by ActivIdentity customer support.

 

3.6.6.                 Notification Services

Smart Card and Certificates Expiration Notification: For CAC cards, if the user did not perform a Windows PKI login, then ActivClient uses the smart card certificate expiration date to determine the smart card expiration date.

 

Unattended Smart Card Notification: When you disconnect from a Citrix Presentation Server, Windows Terminal Server or Remote Desktop session, ActivClient does not display a notification if the smart card is left in the smart card reader.

 

Unattended Smart Card Notification: On Windows Vista, the “unattended smart card” notification is not displayed (when the card is left in the card reader at lock, logoff or shutdown), due to Windows Vista design with regards to performance improvements. Instead, a beep is used to notify the user.