
Set up and troubleshoot Credential Management and Smartcard Connect

Configuration guidance and troubleshooting steps, covering all versions of NHS Credential Management and Smartcard Connect. 

Configuration


1. Internet Options settings

To ensure Windows is configured correctly, follow these steps: 

  1. Open Control Panel and navigate to: 

    • Internet Options > Security > Local Intranet > Sites 

(You can also search for "Internet Options" in the Start menu to access this setting.) 

  2. In the Internet Properties window, select the Local intranet tab, then click on the Sites button. 

    • Internet Properties - Local Intranet: 

      • Ensure the following settings in the Local intranet dialog: 

        • Automatically detect intranet network: Unticked 

        • The following options should be checked: 

          • Include all local (intranet) sites not listed in other zones 

          • Include all sites that bypass the proxy server 

          • Include all network paths (UNCs) 

If these settings match the above configuration, no further changes are required for NHS Credential Management to function properly. 

Group policy settings

Certain group policy settings in Chrome and Edge can block NHS Credential Management from working as expected. If this happens, you will see the following generic error:

NHS Credential Management Error: Not Installed or Running 

While there are other possible reasons for this error, if NHS Credential Management and the NHS Port Service are running and functionality works in one browser (such as Edge) but not in another (such as Chrome), it's worth examining the group policy settings. 

Note: changes to group policy settings must be made by your local IT team.

Chrome group policy settings

1. Open the Chrome browser and navigate to: 

  • chrome://policy 

2. Look for the following group policy: 

  • BlockThirdPartyCookies 

If this policy is set to true, NHS Credential Management will not function in Chrome. 

To fix the issue either:

  • add the URLs below to the CookiesAllowedForUrls group policy setting - read how to do this
    • http://localhost
    • https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk
    • https://am.nhsidentity.spineservices.nhs.uk
  • set BlockThirdPartyCookies to false - read how to do this

Edge group policy settings

1. Open the Edge browser and navigate to: 

  • edge://policy 

2. Look for the following group policy: 

  • BlockThirdPartyCookies 

If this policy is set to true, NHS Credential Management will not function in Edge. 

To fix the issue either:

  • add the URLs below to the CookiesAllowedForUrls group policy setting - read how to do this
    • http://localhost
    • https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk
    • https://am.nhsidentity.spineservices.nhs.uk
  • set BlockThirdPartyCookies to false - read how to do this

Chrome cookie settings

1. Open Chrome and click the menu icon (three vertical dots) in the top-right corner. 

2. Go to Settings > Privacy and security > Third-party cookies. 

3. Check the current cookie setting: 

  • The default option is Block third-party cookies in Incognito, which is fine (as long as you're not using Incognito mode). 
  • If the setting is Block third-party cookies or Block all cookies, NHS Credential Management will not work. 

To fix the issue either:

  • select Block third-party cookies in Incognito or Allow all cookies. 
  • add localhost to the Sites that can always use cookies section and check the box for including third-party cookies on this site

Alternatively, under the Sites allowed to use third-party cookies section:

  • add these URLs:
    • http://localhost
    • https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk
    • https://am.nhsidentity.spineservices.nhs.uk
  • check the box for Include third-party cookies on this site

Edge cookie settings

1. Open Edge and click the menu icon (three horizontal dots) in the top-right corner. 

2. Go to Settings > Cookies and site permissions > Manage and delete cookies and site data. 

3. If Block third-party cookies is enabled, NHS Credential Management will not work. 

To fix the issue either: 

  • change the setting to Allow sites to save and read cookie data (the default option)
  • under the Allow section, add localhost and check the box for Include third-party cookies on this site

Alternatively, under the Allowed to save cookies section:

  • add these URLs:
    • http://localhost
    • https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk
    • https://am.nhsidentity.spineservices.nhs.uk
  • check the box for Include third-party cookies on this site

3. Local network access for Chromium-based browsers

Chromium-based browsers are adding a new permission prompt for sites that make connections to a user's local network, as part of the Local Network Access specification. Because of how the authentication service and Spine applications interact with Credential Management, Trusts will need to add these URLs using one of the following methods.

Pre-grant via enterprise policy

Admins can configure Chrome and Edge to automatically allow specific origins to access local network resources without prompting the user. This is done using the enterprise policy.

Chrome

1. Using Group Policy templates

Get the latest Google Chrome Administrative Templates (ADMX files) from the Google Chrome Enterprise Help page here.

Once the templates have been configured, in the Group Policy Management editor, create a Group Policy Object, edit this and go to User Configuration or Computer Configuration > Policies > Administrative Templates > Google > Google Chrome.

Configure the Allowlist Policy

Look for the policy named Local Network Access settings. Under its Allow sites to make requests to local network endpoints setting you can specify the URLs that are granted access to local network resources without prompting the user for permission.

2. Creating a Group Policy Object

Create the following Windows Registry key under:

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\LocalNetworkAccessAllowedforURLs

      or

      HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\LocalNetworkAccessAllowedforURLs

Each allowed URL is a REG_SZ string value under this key:

  • Value Name: "1"
  • Value Type: REG_SZ (String Value)
  • Value Data: "Domain URL"

Note: name them sequentially: "1", "2", "3"

Edge

1. Using Group Policy templates

Obtain the latest Microsoft Edge Administrative Templates (ADMX files) from the official Microsoft site here.

Once the templates have been configured, in the Group Policy Management editor, create a Group Policy Object, edit this and go to User Configuration or Computer Configuration > Policies > Administrative Templates > Microsoft Edge.

Configure the Allowlist Policy

Look for the policy named Network Settings. Under its Allow sites to make requests to local network endpoints setting you can specify the URLs that are granted access to local network resources without prompting the user for permission.

2. Creating a Group Policy Object

Create the following Windows Registry key under:

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedforURLs

      or

      HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedforURLs

Each allowed URL is a REG_SZ string value under this key:

  • Value Name: "1"
  • Value Type: REG_SZ (String Value)
  • Value Data: "Domain URL"

Note: name them sequentially: "1", "2", "3"
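
The registry method above, applied to both browsers in one pass, as an added example (not NHS-supplied code). The origin list is an assumption taken from the authentication-service URLs in this page's cookie sections, and the variable names are illustrative.

```powershell
# Added example (not NHS-supplied): pre-grant Local Network Access by registry policy.
# Run elevated for HKLM:, or set $hive to 'HKCU:' for a per-user policy.
$hive = 'HKLM:'

# Assumption: the authentication-service URLs listed in this page's cookie sections.
# Replace with the origins your Trust actually needs, and keep the list short.
$origins = @(
    'https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk',
    'https://am.nhsidentity.spineservices.nhs.uk'
)

$policyKeys = @(
    "$hive\SOFTWARE\Policies\Google\Chrome\LocalNetworkAccessAllowedforURLs",
    "$hive\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedforURLs"
)

foreach ($path in $policyKeys) {
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    $key = Get-Item -Path $path

    # Read entries already present so an existing allowlist is merged, not lost.
    $names   = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' })
    $current = @($names | ForEach-Object { [string]$key.GetValue($_) })
    $merged  = @($current + $origins | Select-Object -Unique)

    # Rewrite the list so value names run "1", "2", "3" with no gaps.
    foreach ($name in $names) {
        Remove-ItemProperty -Path $path -Name $name
    }
    for ($i = 0; $i -lt $merged.Count; $i++) {
        New-ItemProperty -Path $path -Name "$($i + 1)" -Value $merged[$i] `
            -PropertyType String -Force | Out-Null
    }
    "{0}: {1} allowed origin(s)" -f $path, $merged.Count
}
```

Values written directly to a Policies key are replaced at the next Group Policy refresh if a GPO manages the same setting, so confirm the result in chrome://policy or edge://policy after restarting the browser.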

User prompt: manual approval

When a site tries to access a local network resource:

  • Chrome and Edge will show a permission prompt: “Allow this site to access devices on your local network?”
  • The user must click Allow to proceed
  • Once granted, Chrome and Edge will remember the choice per origin and device

Note: If a user clicks Block, they can revisit the decision for the selected site via:

  • Chrome - Settings > Privacy and Security > Site Settings > Permissions

Under here you can Reset Permissions or set Local Network Access to Allow

  • Edge - Settings > Privacy, search, and services > Site permissions > All sites

Under here you can set Sites can ask to connect to any device on your local network to Allow


4. Registry settings (Smartcard Connect only)

If you are using Smartcard Connect you will also need to change these registry settings.


Troubleshooting


1. Multiple versions installed

NHS Credential Management automatically removes any previously installed versions before installing a new one. Attempting to run multiple versions simultaneously will result in an error stating that the application is already running.

If you have multiple versions of NHS Credential Management installed, remove all installations. Once all existing installations have been removed, you can then install the correct version. 

If you cannot install NHS Credential Management because of remnants of a previous installation, search for leftover registry keys or values under the following locations: 

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall 

  • HKEY_CLASSES_ROOT\Installer\Products 

You can also check that the installation folder and its contents have been removed from: 

  • C:\Program Files (x86)\*NHS Digital*


2. .NET Framework 4.8 missing

When installing NHS Credential Management, you may encounter the following error: 

.NET Framework 4.8 Missing

This error occurs because the required .NET Framework 4.8 is not installed on your machine. 

To resolve this, download and install .NET Framework 4.8 from the official Microsoft website then try running the NHS Credential Management installer again.


3. Smartcard authentication failure

When a user attempts to access Spine or any application, they may see the following error: 

Error code: 400_645 

This error code appears for one of the following reasons: 

  • NHS Port Service is not running

  • NHS Credential Management is not running

  • problems with communication between your browser and NHS Credential Management

Read more about how to fix error code 400_645.


4. NTLM (Windows credential) prompt while accessing web applications

If you're having issues with NHS Credential Management requiring authentication on localhost, you can resolve it by properly configuring your browser settings and the registry.

Configure browser settings

Open the relevant browser settings:

  • in Edge, go to Settings > Cookies and site permissions > Cookies and site data
  • in Chrome, go to Settings > Privacy and security > Third-party cookies > Sites allowed to use third-party cookies

Under the Allow section:

  • add http://localhost as an allowed site
  • make sure the box for Include third-party cookies on this site is checked

Restart the browser for the settings to take effect.

Configure registry settings

If you're managing browser policies using Group Policy or registry settings, you can enable localhost as an authorized authentication server by modifying the registry.

Open the Windows Registry Editor (regedit) and navigate to:

  • Edge
    • Registry Hive - HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
    • Registry Path - SOFTWARE\Policies\Microsoft\Edge
  • Chrome
    • Registry Hive - HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
    • Registry Path - SOFTWARE\Policies\Google\Chrome

Add a new string value:

  • Value Name: AuthServerAllowlist
  • Value Type: REG_SZ (String Value)
  • Value Data: http://localhost

Restart the browser for the settings to take effect.
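
An added example, not NHS-supplied code: a read-only PowerShell audit of the registry-backed policies this page names (BlockThirdPartyCookies, CookiesAllowedForUrls, LocalNetworkAccessAllowedforURLs, AuthServerAllowlist) for Chrome and Edge in both hives. The function names are hypothetical and the cookie URL check is an exact string match.

```powershell
# Added example: read-only audit of the browser policy values this page discusses.
$browsers = [ordered]@{
    Chrome = 'SOFTWARE\Policies\Google\Chrome'
    Edge   = 'SOFTWARE\Policies\Microsoft\Edge'
}
# URLs the page says to allow when third-party cookies are blocked.
$requiredCookieUrls = @(
    'http://localhost',
    'https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk',
    'https://am.nhsidentity.spineservices.nhs.uk'
)

# Return the string entries of a list policy (values named "1", "2", ...).
function Get-PolicyList {
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return @() }
    $key = Get-Item -Path $KeyPath
    @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

# Return a single policy value, or $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$KeyPath, [string]$Name)
    $props = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($props) { $props.$Name }
}

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($browser in $browsers.Keys) {
        $root    = "$hive\$($browsers[$browser])"
        $block   = Get-PolicyValue -KeyPath $root -Name 'BlockThirdPartyCookies'
        $cookies = Get-PolicyList "$root\CookiesAllowedForUrls"
        # Exact comparison: a wildcard pattern covering a URL still shows as missing.
        $missing = @($requiredCookieUrls | Where-Object { $cookies -notcontains $_ })
        [pscustomobject]@{
            Hive                   = $hive
            Browser                = $browser
            BlockThirdPartyCookies = if ($null -eq $block) { 'not set' } else { [bool]$block }
            CookieUrlsMissing      = if ($block -eq 1) { $missing -join ', ' } else { '' }
            LocalNetworkAccess     = (Get-PolicyList "$root\LocalNetworkAccessAllowedforURLs") -join ', '
            AuthServerAllowlist    = Get-PolicyValue -KeyPath $root -Name 'AuthServerAllowlist'
        }
    }
}
$report | Format-List
```

A row with BlockThirdPartyCookies set to True and a non-empty CookieUrlsMissing matches the blocked-cookie condition described in the group policy sections above.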

Test and confirm

You should now check that the NTLM popup box no longer appears and that NHS Credential Management works as expected.

Why this issue occurs

Modern browsers (Edge, Chrome, IE mode) prefer the NEGOTIATE protocol for Integrated Windows Authentication. When a hostname contains dots (e.g. localhost resolving to 127.0.0.1), Windows classifies it as an Internet Zone site. This prevents automatic NTLM/Kerberos authentication and causes credential prompts.

Chrome previously defaulted to NTLM, which avoided this issue. Chrome now aligns with Edge/IE and requires explicit allowlisting.


5. Oberthur middleware deployment and ERR1000 resolution (series 8 only)

When deploying Oberthur middleware using a software deployment tool such as SCCM, Ivanti or Intune, the software is installed by the local system account instead of a user account. This means a specific registry key is not created during the process, which can cause an error.

What happens 

If the registry key is missing, you'll encounter the error ERR1000 when performing self-service operations with a series 8 smartcard. This includes self-service smartcard unlock and smartcard certificate self-renewal.

How to fix the ERR1000 error

1. Navigate to the following location in the registry:

  • HKEY_CURRENT_USER\SOFTWARE\Oberthur Technologies\Minidriver\PIVMinidriver 

2. Look for the following registry key: 

  • Name: EnableNHSEnrollment 

  • Type: REG_DWORD 

  • Value: 0 

3. If the key is missing, contact your IT team to create the key manually. Alternatively, your IT team can publish it using group policy. 

Why this registry key matters

The EnableNHSEnrollment key is critical for switching between the Agile applet (default setting) and the Compatibility applet. While you do not need to use the Compatibility applet for authentication, the key ensures proper functioning after installing Oberthur middleware. 

Last edited: 18 March 2026 3:59 pm