HealthCast

Observed:

When the upgrade to 4.12.3 was performed, the biometric prompt would not appear when the user clicked to activate the alternate logon.

Workaround:

Prior to the 4.12.3 upgrade:

Observed:

If the ParameterList tag is NOT in Connector's xml file for Connectors that do not require access checking or those that don't utilize username and password parameters - users get access denied error message.

Workaround:

Alternate Workaround:

Observed:

After installing the XA Client, notice the following files are not digitally signed with a certificate:

Recomendation:

If Virus scanners detect these as "infected" or otherwise quarantine the files, the product may not function as desired - therefore, it is recommended that virus scanner exclusions be put in place for these specific files.

Observed:

After running the update and rebooting, the device would no longer auto-launch EPIC after tapping in. Checking the Registry Setting for Auto Launch under TFA Settings indicates this is still set to TRUE. However, the application is not launching automatically.

Workaround:

Reinstalling "HealthCast ProxCard Epic Login Device.msi" resolves the issue

Observed:

When a screen saver is configured with a policy that does not include the path to the screen saver, and/or it uses a file name longer than the FAT/FAT32 8.3 file name length, the screen saver is started on the default desktop, meaning that it does not display on the currently visible privacy shield desktop as expected.

Workaround:

In the user group policy, specify the full path to the configured screen saver. Additionally, it may be necessary to move the screen saver file from the windows system32 directory to another non-file-redirected location (e.g. on x64 systems, c:\windows\system32 is redirected to c:\windows\syswow64 for x32 applications). Simply creating a new folder from the root of the C drive and moving the custom screen saver into this location while specifying the full path to this new location in the group policy allows XA to appropriately locate the screen saver and start it on the privacy shield desktop in the event Windows fails to start it on the active/visible desktop.

Observed:

When upgrading over a previous version of XA through the install wizard, user is intermittently prompted with the message: "This program may not have installed correctly".

Workaround (Recommended):

Upgrade using either batch file or command line installation methods.

Workaround:

Click "This program installed properly" to continue the installation. The product installs correctly.

Workaround:

Uninstall the previous version and reboot prior to installing this version.

Observed:

If the user taps a registered badge after a boot-up of a Windows 8.1 device, the log-in dialog accepts the credentials and attempts to validate them. The user interface is not displayed during this time, and the product appears hung. If the user reboots the device, then manually logs in, the product functions as desired and the user is presented with their Windows desktop. After the first successful local authentication, badge tapping functions as desired.

Workaround (Recommended):Configure the client to use remote authentication. When using remote authentication instead of local authentication, the problem does not occur

Workaround: Manually log into the Kiosk Mode log-in prompt, without using a badge tap of an authenticated card.

Fix (Recommended):

Add the following registry key values to the Citrix Credential Provider Whitelist to allow the Citrix XenDesktop Virtual Desktop Agent to allow the credential provider to load:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\CredentialProviderWhitelist\{84859443-655E-4E2F-944A-6617BE547D59}

(default)="HealthCast Proximity Card Credential Provider"

The client communication protocol uses the more secure INDY protocol by default (using port 15001) since 4.8 client, enhancing security when connecting to 4.6 or later server versions. If port 15001 has not been enabled in the load balancer, or has not been enabled on the server, connections to the server will fail.

Fix (Recommended):

Ensure the server is configured to allow port 15001 to function.

Add the port 15001 to the load balancer configuration if necessary.

This is a known issue with Windows 7 and above. These operating systems do not provide a notification that a change password tile was canceled.

Workaround: Press ctrl+alt+delete, then press escape to return to the secure attention sequence screen (SAS). The dialogs will re-appear

Workaround: Badge tapping functions even if the dialogs are not displayed. Tap a badge to being the log-in process.

XAautoUpdateInit requires write permissions to the program files/program files (x86) directories which is now automatically UAC enabled in Windows 8.1 and above. There is no known workaround.

AutoUpdate is no longer supported in the XA Client. Use HCI Deploy or other deployment tools to distribute Connector updates.

Observed: After installing and attempting to use the proximity card to tap into a workstation, an error message is displayed indicating the server could not be contacted. The server address can be resolved from the client. Telnet functions to connect to the server indicating that no firewalls are blocking communications.

This condition indicates that a code page may not be installed. Verify that code page 20127 (US-ASCII) is installed on the client device.

Affects Versions: All versions. Most prevalent on HP or other thin client devices running Windows XPe or 2009 embedded. Some Windows 7 embedded systems are affected.

Observed: When logging into Windows as an administrative user, the default shell (explorer) is started and the standard desktop is supposed to be displayed. However, instead of the Windows desktop, only a explorer file browser is launched with no desktop. UAC may prevent replacing the appropriate registry keys for the shell because the administrative user is forced to be recognized as a normal user which denies write access to the shell key.

Workaround: Modify the permissions on the following registry key:

HKLM\Software\Microsoft\Windows NT\current version\Winlogon

Add the specific administrator account(s) to the key and set full access. Group membership does not always apply appropriate permissions to contained accounts due to UAC.

Windows 10 requires a new procedure to function properly.

The display name field from the directory service is used when the server is configured for the WinNT provider and that field may not contain the users actual first and last name. To use the actual users first and last name fields, the LDAP provider must be configured and used on the server (requires XA Server 4.7 or above), or the Display Name field must be corrected in active directory to contain the users first, middle, and last names appropriately.

Additionally, the LDAP setting to use sn and givenName must be enabled to use the first name and last name fields of active directory.

The ExactAccess screen saver is designed for single session Kiosk Mode, and will only display a single active user on a system. On Windows 7+, it is possible to have multiple active sessions on the workstation, but only a single user will be displayed on the ExactAccess screen saver. This will not always correspond to the last active user, nor will it always be the first user to log into the system. The user displayed may be selected randomly.

This issue is only seen if you disconnect when an enrollment prompt is displayed.

The XA Application Desktop will not display portions of a full-background image or objects (such as controls or buttons) if they are positioned below the Wrapper links.

Workaround: Use a horizontal banner at the top of the screen and include the Lock and Logoff buttons directly underneath the banner. Ensure that these settings are set to display before the Wrapper links in the XML.

(XA Client 4.5.234 and above - most prevalent in RSM)

If the WatchForLogoff.exe process is terminated before the session is logged off, a COM Server warning will be displayed.

This is by design. The purpose of WatchForLogoff is to prevent Windows from completing the Logoff or Shutdown procedure before ExactAccess has performed a Graceful Logoff of all running SSO-enabled applications.

The situation where Windows will display the non-responsive application dialog is also exacerbated when the system is excessively taxed in either RAM or CPU usage. Windows will only grant an application five seconds to respond to a close notification before displaying the end task dialog. Swapping memory to disk (excessive RAM usage) can cause many applications to react beyond this time limit. Prematurely terminating this task will cause Graceful Logoff to fail.

Workaround: Do not click on the END TASK button when Windows displays the message indicating the process is not responding to the logoff or shutdown request. This will allow the Graceful Logoff to complete prior to shutdown or logoff. It will also prevent the COM Server warnings from appearing when ExactAccess Logoff is interrupted by a Windows logoff or shutdown event.

Another possible solution is to ensure that there are adequate system resources available for each user session so that disk swapping does not occur for the active users applications. It may also be necessary to reduce the number of user sessions allowed on a Citrix / Terminal Server to ensure adequate performance for each user session.

An alternate solution is to use the ExactAccess Logoff button to perform the logoff of a Windows session.