Troubleshooting NHS Credential Management
How to fix common issues with NHS Credential Management configurations.
Multiple versions installed
NHS Credential Management automatically removes any previously installed versions before installing a new one. Attempting to run multiple versions simultaneously will result in an error stating that the application is already running.
If you have multiple versions of NHS Credential Management installed, remove all installations. Once all existing installations have been removed, you can then install the correct version.
Should you encounter an issue installing NHS Credential Management due to remnants of a previous installation, search for any leftover registry keys or values under the following locations:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- HKEY_CLASSES_ROOT\Installer\Products
You can also check that the folder and its structure have been removed from:
- C:\Program Files (x86)\*NHS Digital*
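The checks above can be run as one read-only PowerShell pass. This is an added example, not part of the original guidance. It assumes leftover entries carry "NHS Credential Management" in their display name, and it also looks at the 32-bit WOW6432Node view, which this page does not list.

```powershell
# Added example: list (never delete) leftovers of earlier installs.
# Assumption: entries are identified by this text in their display name.
$pattern = 'NHS Credential Management'

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit registry view on 64-bit Windows; not listed on this page, checked as a precaution
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$found = @(foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($p.DisplayName -like "*$pattern*") {
            [pscustomobject]@{ Source = 'Uninstall'; Name = $p.DisplayName
                               Version = $p.DisplayVersion; Location = $_.Name }
        }
    }
})

# HKEY_CLASSES_ROOT has no default PowerShell drive, so use the Registry:: provider path.
$productsRoot = 'Registry::HKEY_CLASSES_ROOT\Installer\Products'
$found += @(Get-ChildItem -LiteralPath $productsRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($p.ProductName -like "*$pattern*") {
        [pscustomobject]@{ Source = 'Installer\Products'; Name = $p.ProductName
                           Version = $null; Location = $_.Name }
    }
})

# Folder check, using the wildcard path given on this page.
$found += @(Get-Item -Path 'C:\Program Files (x86)\*NHS Digital*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Folder'; Name = $_.Name
                           Version = $null; Location = $_.FullName }
    })

if ($found.Count -eq 0) {
    Write-Output 'No remnants found in the checked locations.'
} else {
    $found | Format-Table -AutoSize -Wrap
}
```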
.NET Framework 4.8 missing
When installing NHS Credential Management, you may encounter the following error:
.NET Framework 4.8 Missing
This error occurs because the required .NET Framework 4.8 is not installed on your machine.
To resolve this, download and install .NET Framework 4.8 from the official Microsoft website, then try running the NHS Credential Management installer again.
Smartcard authentication failure
When a user attempts to access Spine or any application, they may see the following error:
Error code: 400_645
This error code appears for one of the following reasons:
- NHS Port Service is not running
- NHS Credential Management is not running
- problems with communication between your browser and NHS Credential Management
Read more about how to fix error code 400_645.
NTLM (Windows credential) prompt while accessing web applications
If you're having issues with NHS Credential Management requiring authentication on localhost, you can resolve it by properly configuring your browser settings and the registry.
To address these authentication challenges:
- Configure your Microsoft Edge settings
- Configure your registry settings
- Test and confirm that the NTLM popup box no longer appears and that NHS Credential Management works as expected
Configure your Microsoft Edge settings
- In Microsoft Edge:
  - open Settings and navigate to Cookies and site permissions > Manage and delete cookies and site data
  - under the Allow section, add http://localhost as an allowed site
  - make sure the box for Include third-party cookies on this site is ticked
- In Control Panel:
  - navigate to Internet Options
  - add http://localhost to the Trusted Sites or Local Intranet Sites list
Configure your registry settings
- Open the Windows Registry Editor (regedit) and navigate to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
  or
  HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Edge
- Add a new string value:
  - Value Name: AuthServerAllowList
  - Value Type: REG_SZ (String Value)
  - Value Data: http://localhost
Test and confirm
You should now check that the NTLM popup box no longer appears and that NHS Credential Management works as expected.
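The registry step above, as an added PowerShell example that is not part of the original guidance. It appends http://localhost to any AuthServerAllowList value that already exists instead of overwriting it, on the assumption that multiple servers are stored as a comma-separated list.

```powershell
# Added example: add http://localhost to the Edge AuthServerAllowList policy value
# while keeping entries that are already configured.
# Run elevated for the HKLM path; switch to the HKCU path for a per-user setting.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$valueName  = 'AuthServerAllowList'
$entry      = 'http://localhost'

# Create the policy key only if it is absent (New-Item -Force on an existing
# registry key would clear the values already stored in it).
if (-not (Test-Path -LiteralPath $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}

$current = (Get-ItemProperty -LiteralPath $policyPath -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName

# Assumption: several servers are held as one comma-separated string.
$items = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# A bare wildcard permits integrated authentication with any server; flag it for review.
if ($items -contains '*') {
    Write-Warning "$valueName contains '*'. Review whether so broad an entry is intended."
}

if ($items -contains $entry) {
    Write-Output "$valueName already contains $entry; nothing changed."
} else {
    $new = ($items + $entry) -join ','
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType String `
        -Value $new -Force | Out-Null
    Write-Output "$valueName is now: $new"
}

# Show what each hive holds, since either location may carry the policy.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path  = "$hive\SOFTWARE\Policies\Microsoft\Edge"
    $value = (Get-ItemProperty -LiteralPath $path -Name $valueName `
              -ErrorAction SilentlyContinue).$valueName
    [pscustomobject]@{ Hive = $hive; Value = if ($null -eq $value) { '(not set)' } else { $value } }
}
```

Restart Microsoft Edge after the change, then confirm the applied value on the edge://policy page.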
Why this issue occurs
The authentication problem arises due to how Microsoft Edge and Internet Explorer handle Integrated Windows Authentication (IWA).
This is by-design behaviour:
- Internet Explorer and Edge prefer the NEGOTIATE protocol over NTLM for IWA
- if a Fully Qualified Domain Name (FQDN) or IP address contains periods (like localhost resolving to 127.0.0.1), the browser may classify it as part of the Internet Zone instead of the Local Intranet Zone, causing authentication issues
Other browsers like Chrome, Firefox and Safari usually default to NTLM, which avoids this issue and allows authentication to work.
Oberthur middleware deployment and ERR1000 resolution (series 8 only)
When deploying Oberthur middleware using a software deployment tool such as SCCM, Ivanti or Intune, the software is installed by the local system account instead of a user account. This means a specific registry key is not created during the process, which can cause an error.
What happens
If the registry key is missing, you'll encounter the error ERR1000 when performing self-service operations with a series 8 smartcard. This includes self-service smartcard unlock and smartcard certificate self-renewal.
How to fix the ERR1000 error
1. Navigate to the following location in the registry:
   - HKEY_CURRENT_USER\SOFTWARE\Oberthur Technologies\Minidriver\PIVMinidriver
2. Look for the following registry key:
   - Name: EnableNHSEnrollment
   - Type: REG_DWORD
   - Value: 0
3. If the key is missing, contact your IT team to create the key manually. Alternatively, your IT team can publish it using Group Policy.
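Because the value lives under HKEY_CURRENT_USER, it has to be checked and created per user. The following is an added PowerShell example, not part of the original guidance. The two function names are hypothetical, and the SID pattern used to pick out user hives is an assumption covering domain, local and Entra ID accounts.

```powershell
# Added example: audit and repair the per-user EnableNHSEnrollment value.
$subKey = 'SOFTWARE\Oberthur Technologies\Minidriver\PIVMinidriver'
$name   = 'EnableNHSEnrollment'

# Admin context: report the value for every user hive currently loaded under
# HKEY_USERS. Users who are not signed in have no loaded hive and are not listed.
function Get-EnrollmentValueReport {
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
        # Assumption: S-1-5-21-* (domain/local) and S-1-12-1-* (Entra ID) are user hives;
        # the anchored pattern also skips the *_Classes hives.
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $path  = "Registry::HKEY_USERS\$($_.PSChildName)\$subKey"
            $value = (Get-ItemProperty -LiteralPath $path -Name $name `
                      -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Sid    = $_.PSChildName
                Status = if ($null -eq $value) { 'missing' } else { "present ($value)" }
            }
        }
}

# User context (for example a logon script): create the value only when it is
# absent, and leave an existing value untouched.
function Add-EnrollmentValueIfMissing {
    $hkcu = "HKCU:\$subKey"
    if (-not (Test-Path -LiteralPath $hkcu)) {
        New-Item -Path $hkcu -Force | Out-Null   # -Force also creates missing parent keys
    }
    $existing = (Get-ItemProperty -LiteralPath $hkcu -Name $name `
                 -ErrorAction SilentlyContinue).$name
    if ($null -eq $existing) {
        # Type and value as given in step 2 above
        New-ItemProperty -Path $hkcu -Name $name -PropertyType DWord -Value 0 | Out-Null
        return 'created'
    }
    return "unchanged ($existing)"
}

Get-EnrollmentValueReport | Format-Table -AutoSize
# To apply the fix for the signed-in user, run: Add-EnrollmentValueIfMissing
```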
Why this registry key matters
The EnableNHSEnrollment key is critical for switching between the Agile applet (default setting) and the Compatibility applet. While you do not need to use the Compatibility applet for authentication, the key ensures proper functioning after installing Oberthur middleware.
Last edited: 19 June 2025 11:02 am