Smartcard authentication failure (including error 400_645)

When trying to log in you see a 'Smartcard Authentication Failure' error.

You can see an example of this error below. It might start with the number 400_ or 500_

This can happen because:

• NHS Credential Management is not running or is out of date
• you've recently installed or updated NHS Credential Management but have not rebooted the device
• NHS Identity Agent is not running or is out of date
• the smartcard is not in the reader
• your smartcard is blank or faulty
• you do not have any roles on your smartcard
• your browser is not supported
• you've cancelled login, or lost your network connection just before login completed
• you are using the NHS Chrome extension

If you are using an Imprivata or Isosec smartcard

These smartcards are not supported by NHS England. You should contact your local smartcard support team for help.

Check the smartcard is in the reader

Make sure the smartcard is facing the right direction in the reader, and that the reader is not damaged, and try again. If it still does not work, try in a colleague's machine if possible.

Check your smartcard is active

You will have to contact your Registration Authority. They can check your profile has an active smartcard with the right roles applied. If you can log in with NHS Identity Agent successfully, but do not see the role selection screen, it's likely you do not have any roles on your profile, and therefore cannot access any service at all.

Check your workstation setup

Use the setup checker tool to get a snapshot of common problems.

For anything else

Smartcard problems are almost always traced back to incorrect software or device setup, and you will need to contact your local IT support. Depending on your organisation, this may be through your IT helpdesk, or via a dedicated Registration Authority team.

As each organisation is set up differently, we cannot provide contact details that work for everyone. Check your intranet for links to an IT helpdesk, Registration Authority or smartcard team. 

Step 1

Ensure the user has gone through all the checks in the section above.

If they are using Imprivata or Isosec smartcards, you should contact Imprivata or Isosec directly, as NHS England do not support these.

Step 2

Check that the latest version of NHS Identity Agent is installed and running.

Step 3

Check that the latest version of NHS Credential Management is installed and running. This is required for all smartcard management activities, and should now be installed on all devices that use the Care Identity Service to authenticate.

After installing or updating NHS Credential Management you must reboot the device to make sure it is running correctly.

Error 400_645 is specifically related to NHS Credential Management not being installed or working properly. This is more likely to occur if the Chrome extension has recently been removed. Check the user has run the setup checker tool.

Step 4

Google no longer supports some features in Chrome and we have had to retire the NHS Chrome extension, as of 31 May 2024. It is no longer supported. If it is running - even on a supported browser - it will allow the user to access the service but they will not be able manage smartcards, including unlocking, issuing or printing smartcards and renewing certificates.

Please install the latest version of NHS Credential Management.

Error 400_647 is specifically associated with the Chrome extension.

Step 5

Download the CIS Diagnostic Tool and generate a diagnostic log for the workstation.

The CIS Diagnostic Tool should be the first resort for all Care Identity Service troubleshooting on a user's machine, where the cause is unclear. The vast majority of reported problems can be diagnosed and fixed using this. You will need local machine admin access to run the tool and complete any fixes that it highlights.

Download the CIS Diagnostic Tool (needs HSCN connection) and follow the instructions for detailed troubleshooting.

Step 6

If you have been through all the steps above but still cannot progress, you should raise a case to the National Service Desk on the NHS Digital Customer Portal or email [email protected]

To get the best service, follow these instructions when writing your support request:

Short description Error: Smartcard authentication failure

Long description

I am a member of the IT team for my organisation.

A user is trying to [action they are trying to do e.g. print smartcard]

They get the following error:

Error : Smartcard authentication failure [add error number e.g. 400_640]

• I have followed the troubleshooting steps as described here: https://digital.nhs.uk/services/care-identity-service/setting-up-and-troubleshooting/common-issues/smartcard-authentication-failure

• I attach a copy of the diagnostic log for the workstation(s)

• I confirm that the workstation conforms to the Warrantied Environment Specification

• This affects X number of users

• The Error Response ID is [add ID - only include this if the Error Response ID is shown on the error page]

Troubleshooting guidance

IT teams should read our troubleshooting guidance. It is regularly updated as new issues are found and solved, and new software is made available.

Latest news

For information about the Care Identity Service, new software, communications and support, see our news page.