HealthCast

Known Issues

The following are known issues for all releases of XA client, unless otherwise indicated. They have been logged in HealthCast's internal issue-tracking system. The number assigned to the issue is listed, along with a brief description of the issue. If additional information, including a workaround, is available, that is also provided.

After a clean install of XA 4.12.3, installing the Epic Authentication Plug-in removes the fix for the repeated autologoff error.

Observed:

After a clean install of XA 4.12.3, installing any version of the Epic Authentication Plug-in prior to pre-release version 3.2.0.18 will downgrade the pubLauncherSF.exe file. Downgrading this file removes the fix needed to help resolve the repeated errors form the Autologoff.exe process stating "RPC Server is unavailable." Changing the order of applying these updates can keep from downgrading the pubLauncherSF.exe file.

Workaround:

Perform the upgrade to 4.12.3 last as shown in the following steps:

  1. Install XA 4.12.0.

  2. Install Epic Authentication Plug-in 3.2.

  3. Perform upgrade to XA 4.12.3.

After upgrading to 4.12.3, the AuditServer server name/address does not preserve

Observed:

Sometimes on upgrade, the AuditServer server name/address is not preserved.

Workaround:

It may be necessary for an admin to manually set this after completing the upgrade.

After upgrading the ExactAccess Client from 4.12 or higher to 4.12.3, the biometric plug-in must be reinstalled

Observed:

When the upgrade to 4.12.3 was performed, the biometric prompt would not appear when the user clicked to activate the alternate logon.

Workaround:

Prior to the 4.12.3 upgrade:

  1. Uninstall the biometric plug-in.

  2. Perform the 4.12.3 upgrade.

  3. Install the 2.0.2 version of the biometric plug-in.

Install: Client fails to upgrade cleanly from 4.12.0 to 4.12.2

Observed:

The client fails to upgrade from 4.12.0 to 4.12.2 Client. Also, this same issue occurs when using 4.11.6 version to 4.12.2. After the upgrade the install will cause a repair operation because some files are missing and needed to complete the upgrade.

Workaround:

  • Add the following files:

    • C:\Program Files (x86)\HealthCast\ExactAccess\

    • vcState.exe

    • vcState.exe.sig

After upgrade there should not be a repair operation needed. All the files needed should be updated.

Version 4.12.3 should resolve this issue and a workaround will no longer be needed.

Access denied error for user when Connector XML file does not contain a tag parameterlist when using Pass-through authentication

Observed:

If the ParameterList tag is NOT in Connector's xml file for Connectors that do not require access checking or those that don't utilize username and password parameters - users get access denied error message.

Workaround:

  • Add the following XML tag set to blank

    • <ParameterList></ParameterList>

  • Re-deploy the updated Connector XML to client workstations.

Alternate Workaround:

  • If the connector SERVER XML has been imported, instead of using SnapAPP integration

  • Use the ExactAccess administrator and edit the application.

    • Ensure the Library setting is enabled

    • Enable the Active Directory Passthrough check box if necessary.

    • Press OK after editing - even if no changes needed to been made

Non-HCI files are unsigned in the installation

Observed:

After installing the XA Client, notice the following files are not digitally signed with a certificate:

DLL File

Product Version

Product Owner

Newtonsoft.Json.dll

Json.NET - 9.0.1.19813

Newtonsoft

pcProxAPI.dll

RFIDeas pcProxAPI - 7.2.29.0

RFIDeas

RestSharp.dll

RestSharp - 105.2.3.0

John Sheehan, RestSharp Community

Recomendation:

If Virus scanners detect these as "infected" or otherwise quarantine the files, the product may not function as desired - therefore, it is recommended that virus scanner exclusions be put in place for these specific files.

After upgrading the ExactAccess Client, the HealthCast ProxCard Epic Login Device application must be reinstalled

Observed:

After running the update and rebooting, the device would no longer auto-launch EPIC after tapping in. Checking the Registry Setting for Auto Launch under TFA Settings indicates this is still set to TRUE. However, the application is not launching automatically.

Workaround:

Reinstalling "HealthCast ProxCard Epic Login Device.msi" resolves the issue

Screen saver does not start on the privacy shield desktop

Observed:

When a screen saver is configured with a policy that does not include the path to the screen saver, and/or it uses a file name longer than the FAT/FAT32 8.3 file name length, the screen saver is started on the default desktop, meaning that it does not display on the currently visible privacy shield desktop as expected.

Workaround:

In the user group policy, specify the full path to the configured screen saver. Additionally, it may be necessary to move the screen saver file from the windows system32 directory to another non-file-redirected location (e.g. on x64 systems, c:\windows\system32 is redirected to c:\windows\syswow64 for x32 applications). Simply creating a new folder from the root of the C drive and moving the custom screen saver into this location while specifying the full path to this new location in the group policy allows XA to appropriately locate the screen saver and start it on the privacy shield desktop in the event Windows fails to start it on the active/visible desktop.

Upgrading over previous version of XA prompts failure message

Observed:

When upgrading over a previous version of XA through the install wizard, user is intermittently prompted with the message: "This program may not have installed correctly".

Workaround (Recommended):

Upgrade using either batch file or command line installation methods.

Workaround:

Click "This program installed properly" to continue the installation. The product installs correctly.

Workaround:

Uninstall the previous version and reboot prior to installing this version.

Locking Kiosk mode, unable to tap in on first boot with Windows 8.1 client and KM set for local authentication

Observed:

If the user taps a registered badge after a boot-up of a Windows 8.1 device, the log-in dialog accepts the credentials and attempts to validate them. The user interface is not displayed during this time, and the product appears hung. If the user reboots the device, then manually logs in, the product functions as desired and the user is presented with their Windows desktop. After the first successful local authentication, badge tapping functions as desired.

Workaround (Recommended):Configure the client to use remote authentication. When using remote authentication instead of local authentication, the problem does not occur

Workaround: Manually log into the Kiosk Mode log-in prompt, without using a badge tap of an authenticated card.

When installing XA client in standard mode on a device with the Citrix XenDesktop Virtual Desktop Agent, the XA Credential tile is not activated.

Fix (Recommended):

Add the following registry key values to the Citrix Credential Provider Whitelist to allow the Citrix XenDesktop Virtual Desktop Agent to allow the credential provider to load:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\CredentialProviderWhitelist\{84859443-655E-4E2F-944A-6617BE547D59}

(default)="HealthCast Proximity Card Credential Provider"

Unable to contact XA server after a client upgrade

The client communication protocol uses the more secure INDY protocol by default (using port 15001) since 4.8 client, enhancing security when connecting to 4.6 or later server versions. If port 15001 has not been enabled in the load balancer, or has not been enabled on the server, connections to the server will fail.

Fix (Recommended):

Ensure the server is configured to allow port 15001 to function.

Add the port 15001 to the load balancer configuration if necessary.

After canceling a change password request in the Credential Provider, the proximity and user list displays do not re-appear

This is a known issue with Windows 7 and above. These operating systems do not provide a notification that a change password tile was canceled.

Workaround: Press ctrl+alt+delete, then press escape to return to the secure attention sequence screen (SAS). The dialogs will re-appear

Workaround: Badge tapping functions even if the dialogs are not displayed. Tap a badge to being the log-in process.

XAAutoUpdateInit.exe prompts for UAC elevation on Windows 8.1

XAautoUpdateInit requires write permissions to the program files/program files (x86) directories which is now automatically UAC enabled in Windows 8.1 and above. There is no known workaround.

AutoUpdate is no longer supported in the XA Client. Use HCI Deploy or other deployment tools to distribute Connector updates.

Proxcard client indicates unable to contact server

Observed: After installing and attempting to use the proximity card to tap into a workstation, an error message is displayed indicating the server could not be contacted. The server address can be resolved from the client. Telnet functions to connect to the server indicating that no firewalls are blocking communications.

This condition indicates that a code page may not be installed. Verify that code page 20127 (US-ASCII) is installed on the client device.

Affects Versions: All versions. Most prevalent on HP or other thin client devices running Windows XPe or 2009 embedded. Some Windows 7 embedded systems are affected.

Passthrough mode shell replacement, Explorer shell may not start the desktop when logging in as an administrator

Observed: When logging into Windows as an administrative user, the default shell (explorer) is started and the standard desktop is supposed to be displayed. However, instead of the Windows desktop, only a explorer file browser is launched with no desktop. UAC may prevent replacing the appropriate registry keys for the shell because the administrative user is forced to be recognized as a normal user which denies write access to the shell key.

Workaround: Modify the permissions on the following registry key:

HKLM\Software\Microsoft\Windows NT\current version\Winlogon

Add the specific administrator account(s) to the key and set full access. Group membership does not always apply appropriate permissions to contained accounts due to UAC.

Windows 10 requires a new procedure to function properly.

Incorrect name parsing is performed or the name shown does not contain the actual users name.

The display name field from the directory service is used when the server is configured for the WinNT provider and that field may not contain the users actual first and last name. To use the actual users first and last name fields, the LDAP provider must be configured and used on the server (requires XA Server 4.7 or above), or the Display Name field must be corrected in active directory to contain the users first, middle, and last names appropriately.

Additionally, the LDAP setting to use sn and givenName must be enabled to use the first name and last name fields of active directory.

ExactAccess Screen Saver is only supported in Kiosk Mode.

The ExactAccess screen saver is designed for single session Kiosk Mode, and will only display a single active user on a system. On Windows 7+, it is possible to have multiple active sessions on the workstation, but only a single user will be displayed on the ExactAccess screen saver. This will not always correspond to the last active user, nor will it always be the first user to log into the system. The user displayed may be selected randomly.

Enrollment prompt is set to the foreground but intermittently does not have keyboard focus.

This issue is only seen if you disconnect when an enrollment prompt is displayed.

Unable to Access the Windows Desktop when Kiosk Mode Lock is enabled and network outages prevent authentication
  • Incorrect configuration or loss of connectivity to a domain controller may result in the Windows desktop of a Kiosk Mode client with the Privacy Screen enabled being unavailable.

    This issue has been addressed by allowing an administrative user to perform a LOCAL login by specifying a LOCAL user on the workstation. This is accomplished by entering a user name in the form of .\<username> or <machine-name>\<username>

    Users may now authenticate with the Remote Authentication server by specifying the domain as part of the user name. A LOCAL login will occur if either a . or the local machine name is specified as the domain, even if Remote Authentication is enabled.

    Additionally, with 4.10, new break the glass scenarios can be configured such that the user may authenticate with an active session, or login with local authentication automatically. For help with this configuration, contact your HealthCast Project Manager.

    Note

    ProxCards will not be enrolled when using a local domain name in either format.

Password Reset Link on authentication dialog is not drawn with a transparent background.
  • Microsoft Windows disables some transparency effects when the system is configured using the Windows Classic theme rather than the Windows XP theme. To resolve the issue, switch the system to use the Windows XP Theme. On Windows 7+, this also occurs if Aero Glass is disabled.

    This issue applies to Kiosk Mode only.

Watch for logoff End Task Dialog and logoff COM warnings

(XA Client 4.5.234 and above - most prevalent in RSM)

If the WatchForLogoff.exe process is terminated before the session is logged off, a COM Server warning will be displayed.

This is by design. The purpose of WatchForLogoff is to prevent Windows from completing the Logoff or Shutdown procedure before ExactAccess has performed a Graceful Logoff of all running SSO-enabled applications.

The situation where Windows will display the non-responsive application dialog is also exacerbated when the system is excessively taxed in either RAM or CPU usage. Windows will only grant an application five seconds to respond to a close notification before displaying the end task dialog. Swapping memory to disk (excessive RAM usage) can cause many applications to react beyond this time limit. Prematurely terminating this task will cause Graceful Logoff to fail.

Workaround: Do not click on the END TASK button when Windows displays the message indicating the process is not responding to the logoff or shutdown request. This will allow the Graceful Logoff to complete prior to shutdown or logoff. It will also prevent the COM Server warnings from appearing when ExactAccess Logoff is interrupted by a Windows logoff or shutdown event.

Another possible solution is to ensure that there are adequate system resources available for each user session so that disk swapping does not occur for the active users applications. It may also be necessary to reduce the number of user sessions allowed on a Citrix / Terminal Server to ensure adequate performance for each user session.

An alternate solution is to use the ExactAccess Logoff button to perform the logoff of a Windows session.