
NHS Credential Management v1.3.1.0

NHS Credential Management is required to enable Series 9 Smartcards, and should now be installed on all devices that use the Care Identity Service to authenticate.

To prepare for the rollout of series 9 smartcards, you must update your version of NHS Credential Management to v1.3.1.0 on all devices.


NHS Credential Management is required to enable NHS CIS2 Authentication via smartcards.

The majority of internal NHS England services are now integrated with NHS CIS2 Authentication. Some services have been given extra time to integrate with or migrate to CIS2 authentication to allow them to meet existing commitments.

All workstations using CIS1 or CIS2 Authentication should have NHS Credential Management installed now.

 


Operating systems and environments

For a full list of compatible platforms, check the SPINE Warranted Environment Specification (WES).

Microsoft .NET 4.8 is the minimum .NET framework required.

The use of NHS Credential Management under other environments such as Citrix / VDI / Terminal Services is supported, except on a workstation performing Card Management services.


Download NHS Credential Management

Download NHS Credential Management v1.3.1.0 (requires HSCN connection) 

The single download includes the components:

  • NHS Credential Management
  • NHS Port Service

Admin rights are required to install or uninstall this application.

Note

These applications are hosted on the DIR downloads page. To access this site, you must have a secure NHS HSCN connection. If, for example, you are using a personal laptop, or are not connected via VPN when working from home, this will be the reason you see a blank page or 'page not found' error.

PIV mini driver for series 9 smartcards

The PIV mini driver is essential for users with series 9 smartcards.

The mini driver should already be present if automatic Windows updates are enabled. If it's not present, you should download the PIV mini driver and follow the installation instructions.

Installation order

NHS Credential Management is one of several applications that need to be set up and configured.

It's important that these are done in a specific order, following the steps on our setup guides for workstations.


Uninstall previous versions

It is strongly recommended that you uninstall any previous versions of NHS Credential Management before beginning any new installation. No other programs are removed as part of this process.

Early releases of NHS Credential Management (during 2020) had a different name: NHS Identity Hub. You must uninstall these before starting a new installation.

To uninstall NHS Credential Management

Go to Control Panel => Programs and Features and double-click on the NHS Credential Management file in the panel.

Control panel uninstall

Credential Management uninstalling

Once NHS Credential Management has been uninstalled, the icon will be removed from the Programs | NHS Credential Management area of the Applications screen on a Windows 10/11 machine.

Note: the NHS Port Service will be stopped and removed from the machine during the process of uninstallation.


Install NHS Credential Management

To install NHS Credential Management, double-click on the .msi file you downloaded and follow the prompts by selecting ‘Next’ on each window as required.

Software will be installed in the following locations:

  • C:\Program Files (x86)\NHS Digital\NHS Credential Management
  • C:\Program Files (x86)\NHS Digital\NHS Port Service

Credential Management setup wizard

Credential Management EULA

Credential Management installation path

Credential Management ready to install

Credential Management install progress

Credential Management install complete

Select ‘Finish’ once the installation has completed to close the installation dialogue box.

Silent installation

NHS Credential Management supports silent installation using standard deployment toolsets that recognise .msi packages. If installing via a script, the following command line can be used:

%SystemRoot%\System32\msiexec.exe /i "NHS.CredentialManagement.Setup-1.3.1.0.msi" /qn
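
A scripted deployment can wrap that command with the prerequisites this page names elsewhere (.NET 4.8, no previous versions, NHS Port Service running). The following is an added example, not NHS England's own script; the log location, the Programs and Features display names and the service display name are assumptions taken from how the page refers to them.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks, silent install and verification for one workstation.
$Msi = 'NHS.CredentialManagement.Setup-1.3.1.0.msi'   # file name from the page
$Log = Join-Path $env:TEMP 'NHSCredentialManagement-install.log'   # assumed log location
$InstallRoot = 'C:\Program Files (x86)\NHS Digital'   # install root from the page

# 1. .NET Framework 4.8 writes a Release value of 528040 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 528040) {
    throw '.NET Framework 4.8 is missing; install it before NHS Credential Management.'
}

# 2. Refuse to install over an existing copy, including the 2020 "NHS Identity Hub" name.
#    Assumption: the Programs and Features display names start with these strings.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$previous = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'NHS Credential Management*' -or
                   $_.DisplayName -like 'NHS Identity Hub*' }
if ($previous) {
    $previous | ForEach-Object { Write-Warning "Installed: $($_.DisplayName) $($_.DisplayVersion)" }
    throw 'Uninstall the versions listed above, then run this script again.'
}

# 3. The page's silent install command, plus a verbose log (/l*v) and /norestart.
$msiArgs = "/i `"$Msi`" /qn /norestart /l*v `"$Log`""
$proc = Start-Process "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, restart required
    throw "msiexec exited with code $($proc.ExitCode); see $Log"
}

# 4. Both components should be on disk and the NHS Port Service should be running.
#    Assumption: the service display name is 'NHS Port Service', as shown in Services.
foreach ($dir in 'NHS Credential Management', 'NHS Port Service') {
    if (-not (Test-Path (Join-Path $InstallRoot $dir))) { throw "Missing folder: $dir" }
}
$svc = Get-Service -DisplayName 'NHS Port Service' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw 'NHS Port Service is not running; start it from Services before users sign in.'
}
Write-Output "NHS Credential Management installed; log written to $Log"
```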


Using the program

Launch

Once NHS Credential Management has been installed, an icon will be placed in the Programs | NHS Credential Management area of the Start Menu. On Windows 10 devices, an icon will also be placed on the Applications screen.

NHS Credential Management does not automatically start after installation but will automatically start on a subsequent user login or machine restart.

Close

An icon will be visible in the system tray when NHS Credential Management is running. The program can be closed by right clicking on this icon and selecting Close. Right clicking and selecting Status will show the currently installed version.

Log paths

NHS Credential Management logs can be found under the path below:

C:\Users\{username}\AppData\Local\HSCIC\NHSCredentialManagement

NHS Port Service logs can be found under the path below:

C:\ProgramData\HSCIC\NHS Port Service


NHS Port Service

As part of the NHS Credential Management installation, the NHS Port Service will be installed on a machine and will automatically start.

This service is required for NHS Credential Management to function correctly and should not be stopped or barred from executing.



Configuration

Internet options settings

NHS Credential Management should work without any configuration, if the default settings have not been modified.

To check that Windows is configured as required, navigate to Control Panel >> Internet Options >> Security >> Local Intranet >> Sites

Internet Properties - Local intranet - Sites button

If ‘Automatically detect intranet network’ is unticked and the other three checkboxes are checked as below, then no configuration should be required for NHS Credential Management.

Local intranet settings

Group policy settings

There are some Chrome and Edge specific group policy settings which can block NHS Credential Management from working if they have been set. The error you will see if this is happening is the generic error saying that NHS Credential Management isn’t installed or isn’t running:

CIS generic error

There are other possible reasons for seeing the above error. But if NHS Credential Management and the NHS Port Service are running, and in particular if everything works in one browser (eg Edge), but not in another (eg Chrome), then it is worth checking the group policy settings.

Note: Changes to group policy settings will need to be made by your local IT team.

For Chrome

To see the Chrome specific group policy settings applied to your machine, browse to chrome://policy using your Chrome browser.

The setting which causes a problem is:

BlockThirdPartyCookies

If this is set to true then NHS Credential Management will fail to work in Chrome.

To fix this issue, either:

  • add 'localhost' to the CookiesAllowedForUrls group policy setting
  • set BlockThirdPartyCookies to false

More details:
https://chromeenterprise.google/policies/#BlockThirdPartyCookies

https://chromeenterprise.google/policies/#CookiesAllowedForUrls

For Edge

To see the Edge specific group policy settings applied to your machine, browse to edge://policy using your Edge browser.

The setting which causes a problem is:

BlockThirdPartyCookies

If this is set to true then NHS Credential Management will fail to work in Edge.

To fix this issue, either:

  • add 'localhost' to the CookiesAllowedForUrls group policy setting
  • set BlockThirdPartyCookies to false

More details:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#blockthirdpartycookies

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#cookiesallowedforurls
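
For a local IT team checking many machines, the same two policies can be read from the registry instead of opening chrome://policy and edge://policy on each one. This is an added example, not part of the original guide; it assumes the policies are delivered through the standard Windows policy registry keys for Chrome and Edge, and the function name is hypothetical.

```powershell
# Added example: report whether browser policy blocks the cookies used with localhost.
$policyRoots = [ordered]@{
    Chrome = 'SOFTWARE\Policies\Google\Chrome'
    Edge   = 'SOFTWARE\Policies\Microsoft\Edge'
}

function Get-CookiePolicyState {
    param([Parameter(Mandatory)][string]$Browser, [Parameter(Mandatory)][string]$PolicyRoot)
    $block = $null
    $allowed = @()
    # Machine policy (HKLM) is read first; user policy (HKCU) only fills in what is unset.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\$PolicyRoot"
        $p = Get-ItemProperty $key -Name BlockThirdPartyCookies -ErrorAction SilentlyContinue
        if ($null -eq $block -and $p) { $block = [bool]$p.BlockThirdPartyCookies }
        # List policies are stored as numbered string values under a subkey.
        $list = Get-Item "$key\CookiesAllowedForUrls" -ErrorAction SilentlyContinue
        if ($allowed.Count -eq 0 -and $list) {
            $allowed = @($list.GetValueNames() | ForEach-Object { $list.GetValue($_) })
        }
    }
    # Loose match: accepts 'localhost' and patterns such as 'http://localhost:*'.
    $localhostAllowed = @($allowed | Where-Object { $_ -like '*localhost*' }).Count -gt 0
    [pscustomobject]@{
        Browser                = $Browser
        BlockThirdPartyCookies = if ($null -eq $block) { 'not set' } else { $block }
        CookiesAllowedForUrls  = $allowed -join ', '
        LocalhostAllowed       = $localhostAllowed
        LikelyBlocksNhsCm      = ($block -eq $true) -and (-not $localhostAllowed)
    }
}

$policyRoots.GetEnumerator() | ForEach-Object {
    Get-CookiePolicyState -Browser $_.Key -PolicyRoot $_.Value
} | Format-List
```

Of the two fixes listed above, adding 'localhost' to CookiesAllowedForUrls is the narrower change, because BlockThirdPartyCookies stays in force for every other site.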

Cookie settings

The same issue seen in the section above on group policy can also be caused by the cookie settings in Chrome and Edge if they have been changed from the defaults. Specifically, the browser needs to allow cookies for localhost. 

In Chrome:

On the top-right corner of the chrome browser window you will see the customise menu icon (three vertical dots). Select the 'Settings' menu item.

Chrome settings menu

Select 'Privacy and security' and then 'Third-party cookies'.

Chrome settings - privacy and security

By default the 'Block third-party cookies in Incognito' option is set. This is fine (as long as you're not using Incognito mode). However, on some machines the setting may be either 'Block third-party cookies' or 'Block all cookies'. In that case, NHS Credential Management will not work.

The fix is to either:

  • select the 'Block third-party cookies in Incognito' option
  • select the 'Allow all cookies' option
  • add 'localhost' into the 'Sites that can always use cookies' section, and check the box saying 'including third-party cookies on this site'

In Edge:

In the top-right corner of the Edge browser window you will see the settings menu icon (three horizontal dots). Select 'Settings' within this menu.

Edge settings menu

Select 'Cookies and site permissions' in the left-hand panel and then 'Manage and delete cookies and site data'.

Edge settings - manage cookies

If 'Block third-party cookies' is set, then NHS Credential Management will not work.

The fix is to either:

  • change the setting to “Allow sites to save and read cookie data” (which is the default option)
  • select 'Add' in the 'Allow' section, add 'localhost', and select the checkbox saying 'Include third-party cookies on this site'

Legacy setups

The NHS Credential Management application and NHS Port Service allow all CIS applications to be accessed without the use of Java applets and from most modern browsers, including Edge and Chrome.

It is an additional component for end user machines, and will work alongside any existing NHS Identity Agent. It does not prevent anyone continuing to use Java applets and Internet Explorer if they want to.

Please note that these legacy setups are not supported, and this is included for information only.

Read more information on legacy setups (needs HSCN connection).


Troubleshooting

.NET 4.8 Missing

When attempting to install NHS Credential Management, you may see the following error:

Dot net 4.8 missing

This happens when the machine does not have .NET Framework 4.8 installed.

To resolve this, install .NET Framework 4.8 and try again.

Multiple versions installed

NHS Credential Management does not currently remove any previously installed versions prior to installation of a new version. Instead, attempting to run both versions simultaneously will display an error saying that the application is already running.

Should multiple versions be installed, remove all installations of NHS Credential Management. Once all existing installations have been removed, the correct version of NHS Credential Management can then be installed.

NHS Port Service not running

If the NHS Port Service is stopped and a user attempts to access Spine or any application, they may see the following error:

CIS logged out

To fix this, navigate to Services with admin privileges and search for NHS Port Service. Start the NHS Port Service and then NHS Credential Management should start without issues.

The NHS Port Service must be kept running at all times while using NHS Credential Management. To avoid this error, it is recommended that you never stop the NHS Port Service manually.

Windows credential prompt while accessing web applications

Localhost sign in

If you see this prompt, the machine is not configured correctly to use NHS Credential Management. To fix this, go to the configuration section of this guide and follow the instructions there.

If the issue is still not resolved then try the following steps.

Local Intranet Zone settings

Use the Windows start menu to navigate to Control Panel >> Internet Options. Go to the 'Security' tab and select 'Local intranet', and then the 'Sites' button.

Internet Properties - Local intranet - Sites button

Verify the checkboxes are as shown in the image below.

Internet Properties - Local intranet - Sites - settings

Select 'OK' to exit that window, and then select 'Custom level'.

Internet Properties - Local intranet - Custom level

In the 'Security Settings - Local Intranet Zone' window, scroll to the bottom and under 'User Authentication', make sure 'Automatic log-on only in Intranet zone' is the option selected.

Internet Properties - Security Settings - Local Intranet Zone

Select OK to exit the window. This should be all that's needed for NHS Credential Management to work.

If the issue persists, continue below.

Trusted Sites Zone settings

In the 'Internet Properties' window, select 'Trusted sites', and then the 'Sites' button.

Internet Properties - Trusted sites - Sites button

Step 1: Check to see if any of the following entries are there in the websites list (do not modify the list):

  • https://localhost
  • http://localhost
  • localhost

These entries are not needed for NHS Credential Management. If none of them are present, then move to the section below on restricted site zones. However, if one or more of these entries are in place for other reasons, then move on to step 2 below.

Step 2: In the 'Internet Properties' window, with 'Trusted sites' still selected, select the 'Custom level' button.

Internet Properties - Trusted sites - Custom level

In the 'Security Settings - Trusted Sites Zone' window, scroll to the bottom and under 'User Authentication', make sure 'Automatic log-on with current username and password' is the option selected.

Internet Properties - Security Settings - Trusted Sites Zone

Select OK to exit the window, then try starting NHS Credential Management again.

If the issue persists, continue below.

Restricted Sites Zone settings

In the 'Internet Properties' window, select 'Restricted sites', and then the 'Sites' button.

Internet Properties - Restricted sites - Sites button

If any of the following entries exist in the websites list, remove them and click the OK button.

  • https://localhost
  • http://localhost
  • localhost
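
The three zone checks above can also be read from the signed-in user's registry settings, which helps when diagnosing a machine remotely. This is an added example, not part of the original guide; it reads only the per-user (HKCU) values, so settings delivered by group policy, which are stored separately, are not covered.

```powershell
# Added example: read the current user's zone settings that the steps above check by hand.
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$logonName = @{ 0       = 'Automatic log-on with current username and password'
                0x10000 = 'Prompt for user name and password'
                0x20000 = 'Automatic log-on only in Intranet zone'
                0x30000 = 'Anonymous log-on' }

function Get-ZoneLogon([int]$Zone) {
    # 1A00 is the "User Authentication" logon setting of a zone (1, 2 or 4 below).
    $p = Get-ItemProperty "$is\Zones\$Zone" -Name '1A00' -ErrorAction SilentlyContinue
    if ($p) { [int]$p.'1A00' } else { $null }
}

$findings = @()

# Zones localhost is explicitly mapped to: value names are schemes, data is the zone id
# (1 = Local intranet, 2 = Trusted sites, 4 = Restricted sites).
$key = Get-Item "$is\ZoneMap\Domains\localhost" -ErrorAction SilentlyContinue
$mapped = @()
if ($key) {
    $mapped = @($key.GetValueNames() | Where-Object { $_ } |
        ForEach-Object { [int]$key.GetValue($_) } | Sort-Object -Unique)
}

if ($mapped -contains 4) { $findings += 'localhost is listed in Restricted sites: remove the entry' }
if ($mapped -contains 2 -and (Get-ZoneLogon 2) -ne 0) {
    $findings += "localhost is in Trusted sites but that zone is not set to '$($logonName[0])'"
}
$intranet = Get-ZoneLogon 1
if ($null -ne $intranet -and $intranet -ne 0x20000) {
    $findings += "Local intranet logon is '$($logonName[$intranet])', expected '$($logonName[0x20000])'"
}

# Intranet "Sites" checkboxes: AutoDetect should be 0 and the other three should be 1.
$zm = Get-ItemProperty "$is\ZoneMap" -ErrorAction SilentlyContinue
$expected = [ordered]@{ AutoDetect = 0; IntranetName = 1; ProxyByPass = 1; UNCAsIntranet = 1 }
foreach ($name in $expected.Keys) {
    $value = $zm.$name
    if ($null -ne $value -and $value -ne $expected[$name]) {
        $findings += "ZoneMap value $name is $value, expected $($expected[$name])"
    }
}

if ($findings) { $findings } else { 'No conflicting per-user zone settings found.' }
```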

NHS Port Service start-up failure on VDI environment

Port Service VDI error

On a VDI system, if the user is prompted with the above exception while the system is booting up, and the user is running a version of NHS Credential Management earlier than 1.1.0.0, then follow these steps:

  1. Stop the NHS Port Service.
  2. Delete the following files.
    1. C:\Program Files (x86)\NHS Digital\NHS Port Service\PortStore.txt
    2. C:\Program Files (x86)\NHS Digital\NHS Port Service\DomainList.txt
  3. Recreate the VDI image.

Note: CMS (Card Management System) operations are still not allowed on Citrix / VDI / Terminal Services.

No PIV mini driver

Identity Agent login error

This error can be caused by a missing PIV mini driver.

Download the latest Microsoft PIV mini driver, install it with administrative rights, and restart the system. Check the PIV mini driver is present at the following system path (note the file path is named 'civ', not 'piv'):

C:\Program Files (x86)\CivMinidriver

Locked smartcard (series 9 only)

If you fail to enter the correct passcode via the contactless method, you will reach your maximum retries after 7 failed attempts. Should this happen, you can make an additional 3 attempts via the contacted method to recover the smartcard.

If your card is locked you can use self-service smartcard unlock.

If you cannot use self-service smartcard unlock then you will need to seek help from your Registration Authority to unlock your smartcard.

By default, the number of attempts is set to 10 for contacted and 7 for contactless.


Registration Authorities

Registration Authority staff need NHS Credential Management to use the new Magicard 300 printer. This printer will not work without it.

It's also needed for any application that uses NHS CIS2 Authentication, such as Care Identity Management or sending invitations to register in Apply for Care ID.

NHS Credential Management v1.3.1.0 is required for series 9 smartcards.

Last edited: 9 April 2024 9:03 am