Version 6.1.3.130
Published on 2009-12-17
Copyright ActivIdentity Corp. 2009 – All rights reserved
Table of Contents
1. Product
2. Hot Fix Information
3. New Issues Corrected by this Hot Fix
4. Additional Issues Corrected by this Hot Fix
5. Installation Procedure
6. Support Services
1. Product
This Hot Fix applies to ActivClient 6.1 x86 and ActivClient CAC 6.1 x86. You can install it on top of ActivClient 6.1 (build number 39), ActivClient 6.1 SP2 or any later hot fix (build number 95 or higher).
2. Hot Fix Information
This Hot Fix includes the following updated files:
· accrdsub.exe updated to version 6.1.3.25
· accsp.dll updated to version 4.4.0.27
· acevents.exe updated to version 4.3.0.11
· acevtsub.dll updated to version 4.3.0.11
· acjvscv2.dll updated to version 2.5.0.19
· acpkcs201.dll updated to version 4.4.0.9
· acpkcs201-en6.dll updated to version 4.4.0.13
· acpkcs201-ns.dll updated to version 4.4.0.9
· acpkcs211.dll updated to version 4.4.0.15
· acuscons.exe updated to version 6.1.3.35
· asphat32.dll updated to version 2.5.0.33
3. New Issues Corrected by this Hot Fix
Identifier: #61718
Subject:
Removing the smartcard during the logon process causes Vista SP2 to hang.
Technical Description:
On Vista SP2, a regression in the Microsoft winscard service prevents card transactions from being managed properly on card removal. The side effect is that some components hang after card removal: for example, the logon UI may keep displaying “Reading Smartcard” even though the card has been removed. Microsoft is working on a hot fix for this issue. Until the Microsoft hot fix is available, a workaround has been implemented in ActivClient: ActivClient now closes and disconnects all transactions to the card when the card is removed. This avoids the Microsoft issue (pending smart card transactions that do not return when the card is removed).
4. Additional Issues Corrected by this Hot Fix
ActivClient Hot Fixes are cumulative.
This Hot Fix includes the following updated files that were included in previous Hot Fixes:
· acacia.dll updated to version 6.1.3.3
· accrdsub.exe updated to version 6.1.3.23
· accrypto.dll updated to version 2.3.0.6
· accsp.dll updated to version 4.4.0.24
· acDiagWz.exe updated to version 6.1.3.15
· acevents.exe updated to version 4.3.0.9
· acexchex.dll updated to version 6.1.3.15
· acjavasc.dll updated to version 2.5.0.17
· acjscpiv.dll updated to version 2.5.0.17
· acjscpivext.dll updated to version 2.5.0.18
· acfscrfs.dll updated to version 2.5.0.10
· acjsys.jar updated to version 2.0.0.17
· acjvscv2.dll updated to version 2.5.0.17
· ackpbsc.dll updated to version 4.3.0.7
· acpipint.jar updated to version 1.10.64.7
· acpkcs201.dll updated to version 4.4.0.8
· acpkcs201-en6.dll updated to version 4.4.0.12
· acpkcs201-ns.dll updated to version 4.4.0.8
· acpkcs211.dll updated to version 4.4.0.14
· actsinit.exe updated to version 6.1.3.22
· acuscons.exe updated to version 6.1.3.34
· aijnipiv.jar updated to version 4.4.0.2
· aspcom.dll updated to version 2.5.0.2
· asphat32.dll updated to version 2.5.0.32
· acunlock.dll updated to version 6.1.3.14
· jnibsi21.dll updated to version 4.4.0.2
· xsi.jar updated to version 4.4.0.4
Identifier: #62167
Subject:
Support of new card: Oberthur ID-One Cosmo 128K v5.5 #2.
Technical Description:
The Oberthur ID-One Cosmo 128K v5.5 #2 card name and ATR have been added to the registry. The card is now registered in the product. In addition, ATR masks are now taken into account when registering a card.
Identifier: #62089
Subject:
"Auto-request return receipt for outgoing emails" also modifies "Delivery Receipt".
Technical Description:
There was confusion between Outlook settings: "Auto-request return receipt for outgoing emails" was modifying both "Request S/MIME receipt for all S/MIME signed messages" and "Tools-Options-Preferences-Email Options-Advanced Options-Delivery Receipt". ActivClient no longer changes the "Delivery Receipt" setting.
Identifier: #62058
Subject:
Prompted twice for the PIN when making a VPN connection right after Windows logon.
Technical Description:
With AAC and the Cisco VPN client, the user is prompted twice for the PIN when making a VPN connection right after Windows logon. If an application checked whether the PIN had already been verified while the PIN prompt dialog box was open, the checking function returned immediately with “PIN not checked”, so the second application asked for the PIN again. The function that checks whether the PIN is already verified now waits until the PIN dialog box is closed.
Identifier: #61529
Subject:
When attempting to save a diagnostics report ActivClient encounters an application error.
Technical Description:
When saving a report, the Advanced Diagnostics tool crashed. A typo in the file API usage prevented the report from being saved properly. The typo has been corrected.
Identifier: #60630
Subject:
RSA key pair may be set as default certificate.
Technical Description:
The default certificate flag was cleared only when the signing certificate was deleted (which is the case with Entrust). The default certificate flag is now cleared when the default certificate is deleted, without checking whether it is the signing certificate.
Remark:
For cards that already have an RSA key pair set as the default certificate, it is necessary to manually set the signing certificate as default using the ActivClient User Console, or to recover the Entrust profile.
Identifier: #60654
Subject:
Card slot number increments within Entrust Desktop Solutions.
Technical Description:
To solve an issue when a reader is unplugged and then re-plugged, the PKCS#11 slot ID was incremented when re-creating the slot list. The slot ID was also incremented when creating the list after a C_Finalize and C_Initialize. The slot ID is now reset to 0 during C_Finalize, but it is still incremented on an unplug/plug of the reader before C_Finalize. This solves the issue and keeps the behavior on reader unplug.
Identifier: #60739
Subject:
ActivClient locks the workstation after wakeup of Fargo Printer.
Technical Description:
The reader list was badly recomputed after Fargo printer wakeup (reader information is not fully available when trying to find the available readers). This has been corrected by retrying the computation of the list when an error occurred on the first build of the list.
Identifier: #59867
Subject:
Gemalto TOP DL GX4 144K FIPS (final ATR) cards are not supported.
Technical Description:
ActivClient now configures the final ATR for the Gemalto TOP DL GX4 144K FIPS card instead of the preliminary ATR. The card is now registered in the product.
Note: This card cannot be initialized with ActivClient.
Identifier: #59170
Subject:
The KeyCorp MULTOS Smart Card v4.2.3 with PIV Application causes ActivClient to crash.
Technical Description:
This MULTOS smart card returns an APDU that was not expected by ActivClient. ActivClient now checks the format of this APDU to avoid the crash.
Identifier: #59132
Subject:
Some keys are not usable in ActivClient after issuing a new profile with 11 certificates on a Gemalto Cyberflex Access 64K v2c.
Technical Description:
Registry keys have been added to support new profile with 11 PKI instances.
Identifier: #59015
Subject:
Entrust Entelligence Security Provider v9 fails with error “Updating the Entrust digital ID was unsuccessful...".
Technical Description:
A second key update attempt resulted in an Entrust Entelligence Security Provider (ESP) failure, "Updating the Entrust digital ID was unsuccessful...". The ActivClient CSP was not using the correct container when generating the second key. The variable is now properly set to use the correct container.
Identifier: #58920
Subject:
On rare occasions, if the user removes the smart card shortly after card insertion, ActivClient may not run properly at the next card insertion.
Technical Description:
If the card is removed while ActivClient is reading the card CHUID, ActivClient may use an uninitialized variable. The error code is now correctly managed.
Identifier: #58873
Subject:
On rare occasions, a smart card based Windows login in a Windows 2003 terminal services session may take more than 30 seconds with ActivClient 6.1 and FIXS0901017.
Technical Description:
If winscard (the Windows smart card resource manager) is not running at the beginning of the remote session, the reader is not detected for 30 seconds (the new default reader polling time introduced with a recent hot fix). The reader polling algorithm has been improved to bypass the reader polling time counter if the first call to winscard fails.
Identifier: #58741
Subject:
Some ActivClient JAR files have expired code signing certificates.
Technical Description:
Verifying the JAR files with the jarsigner tool reports some expired signer certificates. The affected JAR files have been re-signed, and the signature is now time-stamped to avoid expiration.
Identifier: #58279
Subject:
PKCS#11 API: CKA_MODULUS of PUBLIC_KEY is returned in LSB format instead of MSB.
Technical Description:
With the WiseGuard product, the first attempt to log in to Windows offline fails. The WiseGuard GINA uses CKA_MODULUS to check whether the appropriate card is inserted for login, but ActivClient PKCS#11 returned the CKA_MODULUS of PUBLIC_KEY objects in LSB format instead of MSB. This prevented the WiseGuard GINA from recognizing the correct card. CKA_MODULUS of PUBLIC_KEY is now returned in MSB format (as required by the PKCS#11 standard).
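The check an integrator would run against a PKCS#11 module to catch this kind of defect, as an added example (not ActivClient code). PKCS#11 defines CKA_MODULUS as a "Big integer", an unsigned integer encoded most-significant byte first; a module that returns the bytes least-significant first produces a value that no longer matches the certificate's public key, which is how a card-matching check like the one above fails. The sample modulus is constructed; in practice the expected value comes from the certificate on the card.

```python
"""Detect and correct the byte order of a CKA_MODULUS attribute.

Added example; not ActivClient code. Compares the attribute bytes with the
modulus known from the certificate and reports whether the module used the
MSB encoding PKCS#11 requires, the reversed LSB encoding, or neither.
"""


def modulus_byte_order(cka_modulus: bytes, expected_modulus: int) -> str:
    """Return "msb" (compliant), "lsb" (reversed) or "mismatch"."""
    if int.from_bytes(cka_modulus, "big") == expected_modulus:
        return "msb"
    if int.from_bytes(cka_modulus, "little") == expected_modulus:
        return "lsb"
    return "mismatch"


def normalize_modulus(cka_modulus: bytes, expected_modulus: int) -> bytes:
    """Return the modulus in MSB encoding.

    A reversed (LSB) value from a non-compliant module is corrected; any
    other disagreement with the certificate is treated as the wrong card.
    """
    order = modulus_byte_order(cka_modulus, expected_modulus)
    if order == "msb":
        return cka_modulus
    if order == "lsb":
        return cka_modulus[::-1]
    raise ValueError("CKA_MODULUS does not match the certificate public key")


# Constructed 256-bit sample modulus (a real RSA modulus is 1024 bits or
# more); only its byte pattern matters for this check. It is deliberately
# not a palindrome so the two encodings are distinguishable.
SAMPLE_MODULUS = int.from_bytes(b"\xc1" + bytes(range(1, 32)), "big")
MSB_ATTRIBUTE = SAMPLE_MODULUS.to_bytes(32, "big")      # compliant module
LSB_ATTRIBUTE = SAMPLE_MODULUS.to_bytes(32, "little")   # pre-fix behaviour


if __name__ == "__main__":
    for name, attr in (("compliant", MSB_ATTRIBUTE), ("reversed", LSB_ATTRIBUTE)):
        order = modulus_byte_order(attr, SAMPLE_MODULUS)
        fixed = normalize_modulus(attr, SAMPLE_MODULUS)
        print(f"{name}: encoding={order}, normalized ok={fixed == MSB_ATTRIBUTE}")
```

Comparing against the certificate rather than guessing from the leading byte is deliberate: a modulus whose lowest byte happens to have the top bit set looks plausible in either order, so only the known value decides.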
Identifier: #58077
Subject:
Entrust Entelligence Security Provider (ESP) v9 hangs when interfacing with ActivClient.
Technical Description:
When using hot fix FIXS0812005, Entrust ESP v9 hangs. After a CPAcquireContext with CRYPT_VERIFYCONTEXT (i.e. non-persistent mode), GetUserKey may use a NULL pointer, and catching the resulting error does not free a mutex. GetUserKey now correctly tests the pointer to avoid the issue.
Identifier: #57974
Subject:
Unable to import or delete a certificate with the User Console even if the PKI certificate is protected by the access right “Secure Channel OR PIN”.
Technical Description:
It is now possible to import or delete a certificate with the User Console when the PKI certificates are protected by the “Secure Channel OR PIN” access rights.
Giesecke & Devrient SmartCafe Expert 80K DI v3.2 card name and ATR have been added to the registry. The card is now registered in the product.
Note: This card cannot be initialized with ActivClient.
Identifier: #57762
Subject:
Enrolling a user using Entrust Entelligence Security Provider (ESP) v8 on Windows Vista causes a crash.
Technical Description:
After trying to acquire a context on a bad container, the ActivClient CSP freed the object twice when releasing a correct context. This could cause a memory fault. The CSP no longer frees the same object twice.
Identifier: #52992
Subject:
Citrix or RDP PKI logon is very long on slow networks like satellite, UMTS, wireless connection.
Technical Description:
During a Windows PKI logon, the ActivClient CSP accesses the Windows smart card base service. When the Windows PKI logon is performed remotely (RDP/Citrix), each call to the smart card base service transits via the network, so network latency adds time to every call. The ActivClient CSP protects access to the smart card with transactions, to avoid communication with the card being corrupted when multiple applications use the smart card. Before this fix, transactions were taken at a low level (i.e. at each call to the smart card base service). With this fix, transactions are taken at the CSP level. This reduces the number of smart card base service calls by about 50% and improves performance by about 60%.
In addition, the ReaderListPollingPeriod parameter is now set to 30 seconds. ActivClient 6.1 detects reader plugging/unplugging in an RDP session (TSE/Citrix) by using winscard calls. Generally, these SCard calls respond immediately and do not interfere with other processes. In some cases (such as UMTS or satellite connections), each call to the Microsoft Smart Card Service (SCardSvr) takes several hundred milliseconds. By default with ActivClient 6.1 (on a terminal server), the check for reader plugging/unplugging was done every second (1000 ms). This fix updates this value to 30 seconds (30000 ms). It is possible to change this value further by setting the following registry key: HKLM\Software\ActivCard\ActivClient\EventService\ReaderListPollingPeriod (DWORD, value in milliseconds; 30000 ms is used with this fix). This key is needed only on the server: when ActivClient is installed on user workstations, this key is not used; a specific Windows device API is used instead to detect reader plugging/unplugging (this Windows device API is not applicable to remote sessions).
Note: Changing the registry key changes the delay before reader plugging/unplugging is detected on the remote machine.
Identifier: #57446
Subject:
FIXS0807002 prevents unlocking workstation with Wyse V10L TC terminal.
Technical Description:
On some communication errors, a mutex was not freed, which caused a deadlock. The mutex is now correctly freed when the error occurs.
Identifier: #56628
Subject:
Card logout prevents Thunderbird from signing emails.
Technical Description:
After a card logout (closing CMS in Firefox, for example), Thunderbird could no longer send signed emails. The explicit card logout prevented open PKCS#11 sessions from reading public objects. This is now fixed.
Identifier: #56796
Subject:
PKCS#11 API: Application crashes after calling twice C_Finalize function.
Technical Description:
The application crashes after the following sequence: C_Initialize, C_Initialize, C_Finalize, C_Finalize. An application is not supposed to call C_Initialize and C_Finalize twice. However, the ActivClient PKCS#11 API (acpkcs211.dll) was returning CKR_OK on the second C_Initialize call. To comply with the PKCS#11 standard, acpkcs211.dll now returns CKR_CRYPTOKI_ALREADY_INITIALIZED on the second call. This corrects the issue provided the application properly handles the CKR_CRYPTOKI_ALREADY_INITIALIZED error code and no longer calls C_Finalize twice.
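The application-side discipline this fix expects, as an added example (not ActivClient code): a use count so that the module sees exactly one C_Initialize and one C_Finalize however many components in the process share it, and CKR_CRYPTOKI_ALREADY_INITIALIZED treated as "another library owns the initialization", in which case C_Finalize must never be called on its behalf. FakeModule is a constructed stand-in for acpkcs211.dll that follows the post-fix return codes; the CKR_ constants are the standard values from pkcs11t.h.

```python
"""Pair C_Initialize and C_Finalize correctly inside one process.

Added example; not ActivClient code. SharedCryptoki wraps a PKCS#11 module
object exposing C_Initialize()/C_Finalize(); FakeModule is a constructed
stand-in for acpkcs211.dll with the corrected return codes.
"""
import threading

CKR_OK = 0x000
CKR_CRYPTOKI_NOT_INITIALIZED = 0x190
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191


class FakeModule:
    """Constructed stand-in for the module; records every call it receives."""

    def __init__(self):
        self.initialized = False
        self.calls = []

    def C_Initialize(self, init_args=None):
        self.calls.append("C_Initialize")
        if self.initialized:
            return CKR_CRYPTOKI_ALREADY_INITIALIZED
        self.initialized = True
        return CKR_OK

    def C_Finalize(self, reserved=None):
        self.calls.append("C_Finalize")
        if not self.initialized:
            return CKR_CRYPTOKI_NOT_INITIALIZED
        self.initialized = False
        return CKR_OK


class SharedCryptoki:
    """Use-counted access to one PKCS#11 module within a process."""

    def __init__(self, module):
        self.module = module
        self._lock = threading.Lock()
        self._users = 0
        self._owner = False  # True only if our own C_Initialize returned CKR_OK

    def acquire(self):
        with self._lock:
            if self._users == 0:
                rv = self.module.C_Initialize()
                if rv == CKR_OK:
                    self._owner = True
                elif rv == CKR_CRYPTOKI_ALREADY_INITIALIZED:
                    self._owner = False  # someone else initialized; never finalize
                else:
                    raise RuntimeError(f"C_Initialize failed: 0x{rv:03X}")
            self._users += 1

    def release(self):
        with self._lock:
            if self._users == 0:
                raise RuntimeError("release() without matching acquire()")
            self._users -= 1
            if self._users == 0 and self._owner:
                self._owner = False
                rv = self.module.C_Finalize()
                if rv != CKR_OK:
                    raise RuntimeError(f"C_Finalize failed: 0x{rv:03X}")


def nested_use(module):
    """Two components of one process use the library in a nested fashion
    (the sequence above); the module must see one init and one finalize."""
    shared = SharedCryptoki(module)
    shared.acquire()   # component A
    shared.acquire()   # component B
    shared.release()
    shared.release()
    return list(module.calls)


def foreign_init_use(module):
    """Another library in the process initialized first: our C_Initialize gets
    CKR_CRYPTOKI_ALREADY_INITIALIZED and we must leave the library initialized."""
    module.C_Initialize()  # the other library's call
    shared = SharedCryptoki(module)
    shared.acquire()
    shared.release()
    return module.initialized, list(module.calls)


if __name__ == "__main__":
    print(nested_use(FakeModule()))        # ['C_Initialize', 'C_Finalize']
    print(foreign_init_use(FakeModule()))  # (True, ['C_Initialize', 'C_Initialize'])
```

Against the pre-fix module, which answered CKR_OK to the second C_Initialize, the use count alone already prevents the double C_Finalize; against the corrected module, the ownership flag additionally keeps this code from finalizing a library some other component still relies on.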
Identifier: #56605
Subject:
CSP API: CPSetHashParam function does not check the input parameter HP_HMAC_INFO (only HP_HASHVAL).
Technical Description:
CPSetHashParam returned an “invalid parameter” error when using HP_HMAC_INFO. The HP_HMAC_INFO flag is now supported by the ActivClient CSP.
Identifier: #56096
Subject:
ActivClient 6.1 SP2 breaks the UPHCLEAN 1.6 on Citrix Server.
Technical Description:
After registering certificates on card insertion, a context was not properly freed. This is now fixed.
Identifier: #56094
Subject:
Signed email message closes after selecting cancel after being prompted to select the card reader.
Technical Description:
When cancelling the ActivIdentity Select Card dialog box, the signed email message closed and its contents were lost. This was a bug in window handle management in the implementation of the AI Select Card dialog box. Window handles are now correctly managed.
Identifier: #56115
Subject:
Oberthur ID-One Cosmo 128K v5.5 and Gemalto TOP DL GX4 144K FIPS cards are not supported.
Technical Description:
Oberthur ID-One Cosmo 128K v5.5 card name and ATR have been added to the registry. The card is now registered in the product.
Gemalto TOP DL GX4 144K FIPS card name and ATR have been added to the registry. The card is now registered in the product.
Remark: These cards cannot be initialized with ActivClient.
Identifier: #56031
Subject:
PKI unlock may fail if “Intel PRO/Wireless Network Connection Software” is running.
Technical Description:
When unlocking the workstation with a PIV card, winlogon.exe (for PKI logon) and Dot1XCfg.exe (Intel PRO/Wireless Network Connection Software) access the card concurrently via the CSP. Winlogon requires that the card keeps the PIN ACR during the PKI logon phase. When Dot1XCfg.exe accessed the card, the PIN ACR was lost, which prevented winlogon from functioning correctly. The correction consists of keeping the PIN ACR during the PKI logon phase (the PIN ACR is lost after the PKI logon).
Identifier: #55661
Subject:
Delay up to 8 seconds after inserting a card with certificates that do not allow PKI logon.
Technical Description:
When inserting a card with certificates that do not allow PKI logon, AAC could take 8 seconds before prompting for the PIN to unlock the workstation. Card discovery performance has been improved for the case where no certificate can be set as default.
Identifier: #55723
Subject:
Applications based on the Java SDK fail with FATAL ERROR when using the -Xcheck:jni option.
Technical Description:
The JNI wrapper now uses a native method to retrieve the vector size instead of relying on an inappropriate array size.
Identifier: #54843
Subject:
Gemalto TOP DM GX4 (FIPS) Standard card is not supported.
Technical Description:
Gemalto TOP DM GX4 (FIPS) Standard card name and ATR have been added to the registry. The card is now registered in the product.
Remark: This card cannot be initialized with ActivClient.
Identifier: #55044
Subject:
Giesecke & Devrient SmartCafe Expert 64K V2 card is not supported.
Technical Description:
Giesecke & Devrient SmartCafe Expert 64K V2 card name and ATR have been added to the registry. The card is now registered in the product.
Remark: This card can be initialized.
Identifier: #52875
Subject:
On Vista, ActivKey is not detected when Microsoft Select Card dialog box is displayed during a SSL authentication.
Technical Description:
The Microsoft Select Card dialog does not support dongles: its reader list is not refreshed when a device is plugged in. ActivIdentity has implemented its own Select Card dialog box to support dongles.
Identifier: #54332
Subject:
PKCS#11 API: C_InitPIN fails with CKR_DEVICE_ERROR if the card is already initialized.
Technical Description:
This feature has been added to ActivClient to provide compatibility with integrations developed earlier with ActivCard Gold.
Identifier: #54608
Subject:
Occasionally, the workstation is not locked on card removal.
Technical Description:
This symptom is linked to two different issues:
· Windows does not offer any capability to determine whether the user authenticated to Windows with a username/password or with a PKI-enabled smart card. To determine whether the smart card was used for the logon process, ActivClient checks whether there is an open smart card connection when the ActivClient user processes start. If the card is removed before the ActivClient user processes have started, the workstation is not locked. To remove this limitation, ActivClient leverages a Windows logon event notification available on Windows XP; this notification is delivered before the ActivClient user processes start. Note: as this Windows logon notification package is not available on Windows Vista, this limitation is not fixed in that environment.
· Windows does not offer any capability to determine whether the user authenticated to Windows with a username/password or with a PKI-enabled smart card. To determine whether the smart card was used for the computer unlock process, ActivClient checks whether there is an open smart card connection when the PKI unlock is detected. If the PKI unlock is performed shortly after the PKI logon, there may be a conflict between the smart card connection for the PKI unlock and the OpenCard timeout from the previous PKI logon (see the ActivClient PIN caching “OpenCard” feature described in the ActivClient Resource Kit): if the two operations occur at the same time, the smart card connection fails and is not available when the ActivClient user processes start; the card is then not considered as used for Windows PKI logon, and therefore no action is taken on the next card removal. To remove this limitation, ActivClient performs an additional smart card connection attempt after 100 ms when the first one fails.
Identifier: #54142
Subject:
When performing a Windows PKI logon, the user sees an "Invalid Parameter" error if there was a communication error during the first card usage on the workstation.
Technical Description:
On the first card insertion, ActivClient detects the card edge and automatically selects the Windows PKI logon certificate: certificate with Enhanced Key Usage attribute containing “Smart Card Logon” and Subject Alternative Name attribute containing a UPN. This information is stored in the card discovery cache to improve performance for next logon operations.
However, if a communication error happens when ActivClient detects the card edge and reads certificates from the card, an incorrect certificate may be selected leading to the “Invalid Parameter” error. This issue cannot be fixed with ActivClient and is usually due to a reader driver issue – such an issue is usually fixed with a reader driver update.
In the case when the communication error is later fixed (new driver) or intermittent, ActivClient uses the incorrect information stored in the card discovery cache (leading to the Invalid Parameter error), until the user performs a “forget state for all cards” in the User Console.
With this fix, when there is a communication error, ActivClient no longer stores the certificate information in the card discovery cache. The impact is that when the communication error is fixed, the card discovery process will select the correct Windows PKI logon certificate; and users can perform a successful login (without doing a “forget state for all cards”).
Identifier: #54510
Subject:
ActivClient logon processes continue to run after logging in to Windows with a smart card. This leads to symptoms such as:
· the ActivClient Agent continuously reporting “Starting ActivClient Agent. Please wait”,
· or, if SecureLogin SSO is installed, the workstation not locking on card removal.
Technical Description:
In some rare configurations, two smart card transactions interfere with each other, leading to the reported errors. To prevent such errors, some robustness improvements have been added around smart card concurrent usage.
Identifier: #54225
Subject:
When a certificate is downloaded on the card with ActivClient CSP, it may be selected incorrectly as default certificate for Windows login.
Technical Description:
ActivClient selects a “default certificate” for Windows operations as follows:
· When there is no certificate flagged as “default certificate” on the card (for example US Department of Defense CAC cards), then, on the fly at the time of usage, ActivClient CSP determines which certificate is the default certificate. A certificate compatible with Windows PKI login is selected.
· When a certificate is downloaded on the card with ActivClient CSP, then ActivClient determines if it should be flagged (written on the card) as a default certificate. In this case, Windows PKI login certificates and also Certificate Enrollment Agents (issued by Microsoft Windows Certificate Server) are flagged as default certificates.
In the second scenario, in some certificate configurations, ActivClient may incorrectly select a newly downloaded certificate as the default certificate, preventing smart card Windows login.
With this hot fix, ActivClient uses a refined algorithm to select the default certificate on the card.
· If there is no default certificate on the card already, the new certificate is marked as default if it has one of the following attributes:
  EKU smart card logon and UPN in the Subject Alt Name and Digital Signature KU,
  or EKU Enrollment Agent,
  or EKU EFS.
· If there is already a default certificate on the card, the new certificate is marked as default if it has one of the following attributes:
  EKU smart card logon and UPN in the Subject Alt Name and Digital Signature KU,
  or EKU Enrollment Agent.
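The refined selection rule above, together with the on-the-fly choice used for cards that carry no default flag (the first scenario in this entry), written out as executable logic. This is an added example, not ActivClient's implementation: certificates are reduced to the attributes the rule reads (EKU OIDs, Key Usage bits, presence of a UPN in the Subject Alt Name), the sample certificates are constructed, and the OIDs are the well-known Microsoft values, which are an assumption here since the page names the usages but not their identifiers.

```python
"""Default-certificate selection rule of hot fix #54225 as code.

Added example; not ActivClient's own implementation. OID values are
assumed (well-known Microsoft identifiers), not taken from the readme.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

EKU_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # assumed: Smart Card Logon
EKU_ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"  # assumed: Certificate Request Agent
EKU_EFS = "1.3.6.1.4.1.311.10.3.4"               # assumed: Encrypting File System
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"       # assumed: id-kp-emailProtection
KU_DIGITAL_SIGNATURE = "digitalSignature"


@dataclass(frozen=True)
class CertInfo:
    """The attributes of a card certificate that the rule inspects."""
    label: str
    eku: FrozenSet[str] = frozenset()
    key_usage: FrozenSet[str] = frozenset()
    upn: Optional[str] = None  # UPN OtherName from the Subject Alt Name, if any


def is_windows_logon_certificate(cert: CertInfo) -> bool:
    """EKU smart card logon, UPN in the Subject Alt Name, Digital Signature KU."""
    return (EKU_SMART_CARD_LOGON in cert.eku
            and cert.upn is not None
            and KU_DIGITAL_SIGNATURE in cert.key_usage)


def should_mark_default(new_cert: CertInfo, card_has_default: bool) -> bool:
    """Decide whether a certificate being downloaded is flagged as default."""
    if is_windows_logon_certificate(new_cert):
        return True
    if EKU_ENROLLMENT_AGENT in new_cert.eku:
        return True
    # EFS qualifies only while the card has no default certificate yet
    return not card_has_default and EKU_EFS in new_cert.eku


def pick_logon_certificate(certs: Iterable[CertInfo]) -> Optional[CertInfo]:
    """On-the-fly choice for cards without a default flag (e.g. DoD CAC):
    the first certificate compatible with Windows PKI logon, or None."""
    for cert in certs:
        if is_windows_logon_certificate(cert):
            return cert
    return None


# Constructed sample certificates
LOGON = CertInfo("logon", frozenset({EKU_SMART_CARD_LOGON}),
                 frozenset({KU_DIGITAL_SIGNATURE}), "jdoe@example.com")
AGENT = CertInfo("enrollment-agent", frozenset({EKU_ENROLLMENT_AGENT}),
                 frozenset({KU_DIGITAL_SIGNATURE}))
EFS = CertInfo("efs", frozenset({EKU_EFS}), frozenset({"keyEncipherment"}))
EMAIL = CertInfo("email-encryption", frozenset({EKU_EMAIL_PROTECTION}),
                 frozenset({"keyEncipherment"}))
NO_UPN = CertInfo("logon-without-upn", frozenset({EKU_SMART_CARD_LOGON}),
                  frozenset({KU_DIGITAL_SIGNATURE}))

if __name__ == "__main__":
    for cert in (LOGON, AGENT, EFS, EMAIL, NO_UPN):
        print(f"{cert.label}: empty card -> {should_mark_default(cert, False)}, "
              f"card with default -> {should_mark_default(cert, True)}")
```

The email-encryption certificate is the case the pre-fix behaviour got wrong: it is never chosen, so downloading it can no longer displace a working Windows logon certificate.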
Identifier: #54679
Subject:
Disabling auto-configuration of EFS does not work: the smart card certificate is still used for EFS.
Technical Description:
The ActivClient configuration option (registry key) was not properly interpreted by ActivClient.
Identifier: #53923
Subject:
Unable to establish a connection before Windows logon with a VPN using PKCS#11.
Technical Description:
PKCS211: CKF_PROTECTED_AUTHENTICATION_PATH is now configurable.
More information:
Support for the CKF_PROTECTED_AUTHENTICATION_PATH flag is now configurable. To configure it, add the following registry value (a .reg file is attached for convenience):
HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\PKCS211, isCKF_PROTECTED_AUTHENTICATION_PATHsupported (DWORD) 0.
If the registry value is not present or is non-zero, the CKF_PROTECTED_AUTHENTICATION_PATH flag is supported (standard ActivClient 6.x behavior).
If the registry value is present and zero, the CKF_PROTECTED_AUTHENTICATION_PATH flag is not supported (behavior of previous ActivClient versions).
Note: This registry value is NOT added by the hot fix.
IMPORTANT REMARK: Do not use isCKF_PROTECTED_AUTHENTICATION_PATHsupported = 0 in conjunction with SecureLogin SSO.
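The two registry settings this readme describes, the ReaderListPollingPeriod of #52992 and the isCKF_PROTECTED_AUTHENTICATION_PATHsupported value above, written out as a .reg file. This is reconstructed here from the text as an added example and is not the .reg file that shipped with the original hot fix. The PKCS211 value is shown at 0 (the non-default setting the entry above explains); the EventService value is shown at the 30000 ms the hot fix already applies, so importing that section changes nothing until the number is edited. Apply only the section that matches the machine: the polling period is read on terminal servers only, and the PKCS211 value must not be set to 0 alongside SecureLogin SSO.

```reg
Windows Registry Editor Version 5.00

; #53923: 0 stops advertising CKF_PROTECTED_AUTHENTICATION_PATH (behaviour of
; ActivClient versions before 6.x). Delete the value, or set it non-zero, to
; restore the standard 6.x behaviour. Do not combine 0 with SecureLogin SSO.
[HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\PKCS211]
"isCKF_PROTECTED_AUTHENTICATION_PATHsupported"=dword:00000000

; #52992: terminal server (RDP/Citrix) only; ignored on user workstations.
; Reader polling period in milliseconds: 0x7530 = 30000 ms, the value this
; hot fix uses. A larger value means fewer SCardSvr round trips on a slow
; link but a longer delay before reader plug/unplug is detected.
[HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivClient\EventService]
"ReaderListPollingPeriod"=dword:00007530
```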
Identifier: SP2
Subject:
See SP2 readme for further information.
5. Installation Procedure
The following describes how to install this ActivClient Hot Fix.
Method 1: Interactive installation
Double click on the Hot Fix MSP file.
The ActivClient Patch InstallShield Wizard opens. Select “Update”.
Follow any additional instructions that may appear in the installation wizard.
If prompted to do so at the end of the installation, restart your computer for the changes to apply.
Method 2: Remote installation
To deploy software updates using Microsoft Active Directory push or Microsoft SMS, refer to the ActivClient Customization and Deployment Guide (available in the ActivClient Resource Kit).
Method 3: Automatic update
To deploy software updates from your company’s internal web site using the ActivClient automatic update feature, refer to the ActivClient Customization and Deployment Guide (available in the ActivClient Resource Kit).
6. Support Services
ActivIdentity provides technical support to its partners and customers that have purchased a Premium Support contract.
Contracted customers may contact us at one of the numbers below.
Please contact your ActivIdentity reseller if you have purchased your products through one of our partners.
ActivIdentity North America
Corporate Headquarters
6623 Dumbarton Circle
Fremont, CA 94555 USA
TEL: (1) (800) 670-6892
TEL: (1) (510) 745-6010
ActivIdentity Europe
European Corporate Headquarters
24-28 Avenue du General de Gaulle
92156 SURESNES Cedex FRANCE
TEL: (33) (0) 1-42-04-84-00
FAX: (33) (0) 1-42-04-84-84
ActivIdentity Australia
Asia/Pacific Corporate Headquarters
7 Phipps Close, Deakin
Deakin, ACT, 2600 AUSTRALIA
TEL: (61) (2) 6208-4891
FAX: (61) (2) 2681-7460
Or contact us by email at: support@actividentity.com