SafeNet Authentication Client 10.8 R8 (GA)
WINDOWS RELEASE NOTES

Issue Date: October 2022


Build: 2204
Document Part Number: 007-013559-009 Rev. B

Contents
Product Description
Release Description
New Features and Enhancements
Advisory Notes
Licensing
Localization
SafeNet Authentication Client Certification
Default Password
Password Recommendations
Initialization Key Recommendations
Compatibility Information
Operating Systems
Hardware and Screen Resolution Requirements
Tokens
Certificate-based USB Tokens
Software Tokens
Smart Cards
Smart Cards and Tokens that Support Common Criteria
Smart Card Readers supported in Contact and Contactless modes
Smart Card Readers
Secure PIN Pad Readers:
Device Features Supported by SAC
Compatibility with Third-Party Applications
Compatibility with Thales Applications
Installation and Upgrade Information
Installation
Upgrade
Uninstall
Resolved and Known Issues
Resolved Issues
Known Issues
Known Limitations
Product Documentation
Support Contacts

SafeNet Authentication Client 10.8 R8 (GA) : Windows Release Notes
October 2022, Copyright © 2022 Thales Group. All rights reserved.
Product Description
SafeNet Authentication Client (SAC) is public key infrastructure (PKI) middleware that provides a secure method
for exchanging information based on public key cryptography, enabling trusted third-party verification of user
identities. It utilizes a system of digital certificates, certificate authorities, and other registration authorities that
verify and authenticate the validity of each party involved in an Internet transaction.

Release Description
SafeNet Authentication Client 10.8 R8 (GA) includes enhancements and bug fixes from previous SAC versions.

New Features and Enhancements


This release offers the following:
> Added support for the SIS (Swedish Institute for Standards) profile cards.
For details, refer to "Smart Cards".
> Added a new profile for PKCS#11 in the SAC Customization Tool.
For details, refer to the Customization chapter in SafeNet Authentication Client Administrator Guide.
> Optimized the SafeNet Minidriver profile of the SAC Customization Tool to match the offerings
available in the Microsoft catalog on the internet.
For more information, refer to "Resolved Issues".
> Modified the existing profiles (SAC Typical and SafeNet Minidriver) of the SAC Customization Tool
for SIS (Swedish Institute for Standards) cards.
> Modified the serial number display of the customized IDPrime 930 cards.
> Made the Touch Sense capability configurable for the supported tokens.
For details, refer to SafeNet Authentication Client Administrator Guide.
> Improved performance for some specific use cases associated with RDP and Citrix.

Advisory Notes
Before deploying this release, note the following high-level requirements and limitations:
> SafeNet IDPrime 930/3930:
• SafeNet IDPrime 930 has different profiles. A non-managed profile has no Administrator PIN and
therefore, cannot be used in Managed environments (CMS).
• After deleting a key from a SafeNet IDPrime 930/3930 device, the available memory size may be reduced.
For more information, refer to IDPrime 930/3930 Card Configuration Guide.
> eToken 5110 FIPS:
• Supported on OpenTrust versions 4.9.2 or 5.6
• Due to an eToken applet limitation, the User PIN Retry counter cannot be set on SafeNet eToken 5110
FIPS or SafeNet eToken 5110, unless they are initialized.
> SafeNet eToken 5300:
• To retrieve touch sense capabilities using the SafeNet Minidriver API, refer to the CCP_TS_CONTAINER
and CP_CARD_TS_FEATURE properties in the SafeNet Authentication Client Developer Guide.
• In the event of a time out (due to the SafeNet eToken 5300 not being touched in time), the following
specific API error messages are shown:
– PKCS11 - CKR_FUNCTION_CANCELED(0x00000050)
– SafeNet Minidriver - SCARD_E_CANCELLED (0x80100002)
These error messages replace the previous Generic error message.
> SAC 10.8 R8 (GA) does not support RSA 1024 key size signing with SHA-1. If you need it, use the
Disable-Crypto setting mentioned in SafeNet Authentication Client Administrator Guide.

Licensing
From SAC 10.8 R2 release onward, no license is required for SAC on Windows.

Localization
This release supports the following languages:
> Chinese (Simplified)
> Chinese (Traditional)
> Czech
> English
> French (Canadian)
> French (European)
> German
> Slovakian (new)
> Hungarian
> Italian
> Japanese
> Korean
> Lithuanian
> Polish
> Portuguese (Brazilian)
> Serbian (new)
> Romanian
> Russian
> Spanish
> Thai
> Vietnamese
> Turkish
> Slovenian (new)
> Croatian (new)

NOTE
- The user PIN and Admin PIN can be in English only, while using IDPrime MD, .Net cards,
eToken 5300, and eToken 5110 CC.
- IDPrime features are available only in English localization, such as Initializing Common
Criteria devices and PIN Pad functionality.

SafeNet Authentication Client Certification


SafeNet Authentication Client (SAC) 10.8 R8 (GA) has the following certifications:
> Citrix Ready: https://citrixready.citrix.com/thales-e-security/safenet-authentication-client.html
> SAC 10.8 R8 (GA) is compliant with Microsoft LSA (Local Security Authority) and Microsoft Credential Guard.

NOTE If you encounter an issue with LSA or Credential Guard, try configuring them in Audit
mode to assess which process or service has been blocked.
For more information, refer to the "Using SafeNet Authentication Client with Windows Defender
Credential Guard" Chapter in SafeNet Authentication Client Compatibility Guide.

Default Password
SafeNet eToken devices are supplied with the following default token password: 1234567890.
IDPrime cards are supplied with the following default token password: “0000” (4 zeros). The Administrator
Password must be entered using 48 zeros in hexadecimal (24 zeros in binary).
For IDPrime MD 940/3940/840/3840/eToken 5110 CC devices:
> The default Digital Signature PIN is “000000” (6 zeros)
> The default Digital Signature PUK is “000000” (6 zeros)

Password Recommendations
We strongly recommend changing all device passwords upon receipt of a token/smart card as follows:
> User PIN should include at least 8 characters of different types.
> Admin PIN should include at least 16 characters of different types.
> The Friendly Admin Password should include at least 16 characters of different types. For more details on
the Friendly Admin Password, refer to SafeNet Authentication Client User Guide.
> Digital Signature PUK, when using a friendly name, should include at least 16 characters of different types.
> For devices running the IDPrime applet, the 3DES random key may be used instead of the administrator
password. In the 3DES algorithm, the least significant bit (LSB) of every key byte is ignored. For an Admin PIN
entered as 24 zeros in binary or 48 zeros in hexadecimal, this means that any value the user enters in an LSB
position is ignored, so more than one Admin PIN value is accepted.

NOTE It is recommended to not use 24 zeros in binary or 48 zeros in hexadecimal values for
Admin PIN.

> Use the password validity period combined with password history options.

NOTE Character types include upper case, lower case, numbers, and special characters.
For more information, refer to the ‘Security Recommendations’ Chapter in SafeNet
Authentication Client Administrator Guide.
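
The ignored-LSB behaviour of the 3DES Admin key described above, as an added Python example (not Thales code): it reduces an Admin key to the bits that actually take part in 3DES and flags values that match the default key or weaken the keying. It assumes standard DES parity bits and EDE keying (K1, K2, K3), and goes slightly beyond the text by also checking for repeated sub-keys; all function names are illustrative.

```python
# Added example, not Thales code. Audits an IDPrime Admin key that is entered
# as 48 hexadecimal characters and used as a 3DES key.
# Assumptions: the least significant bit of each key byte is the unused DES
# parity bit, and the three 8-byte sub-keys are used as K1, K2, K3 in EDE order.

DEFAULT_ADMIN_KEY_HEX = "0" * 48        # default Admin key from these release notes
KEY_BYTES = 24                          # three 8-byte DES sub-keys
EQUIVALENT_ENCODINGS = 2 ** KEY_BYTES   # hex strings that select one and the same key


def parse_admin_key(hex_key: str) -> bytes:
    """Decode the Admin key as entered (48 hex characters) into 24 bytes."""
    cleaned = "".join(hex_key.split())
    if len(cleaned) != 2 * KEY_BYTES:
        raise ValueError(
            f"expected {2 * KEY_BYTES} hex characters, got {len(cleaned)}"
        )
    return bytes.fromhex(cleaned)       # raises ValueError on non-hex input


def effective_key(key: bytes) -> bytes:
    """Clear the ignored least significant bit of every key byte."""
    return bytes(b & 0xFE for b in key)


def same_3des_key(hex_a: str, hex_b: str) -> bool:
    """True when two Admin key strings select the same 3DES key."""
    return effective_key(parse_admin_key(hex_a)) == effective_key(
        parse_admin_key(hex_b)
    )


def audit_admin_key(hex_key: str) -> list:
    """Return a list of findings for one Admin key (empty list: no finding)."""
    key = effective_key(parse_admin_key(hex_key))
    k1, k2, k3 = key[0:8], key[8:16], key[16:24]
    findings = []
    if key == effective_key(parse_admin_key(DEFAULT_ADMIN_KEY_HEX)):
        findings.append("equivalent to the default all-zero Admin key")
    if k1 == k2 or k2 == k3:
        # Encrypt and decrypt under the same sub-key cancel out in EDE.
        findings.append("adjacent sub-keys are equal: EDE collapses to single DES")
    elif k1 == k3:
        findings.append("K1 equals K3: two-key 3DES")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not keys from any real device.
    samples = {
        "default": DEFAULT_ADMIN_KEY_HEX,
        "looks changed, is still the default": "01" * 24,
        "three distinct sub-keys": "0123456789ABCDEF"
        "FEDCBA9876543210"
        "89ABCDEF01234567",
    }
    for label, value in samples.items():
        print(f"{label}: {audit_admin_key(value) or 'no findings'}")
```
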

Initialization Key Recommendations


Thales strongly recommends changing the Initialization Key using the SAC Initialization process.
For more details on Initialization Key settings, refer to SafeNet Authentication Client User Guide.

Compatibility Information

Operating Systems
The following operating systems are supported:
> Windows Server 2022 (64-bit)
> Windows Server 2019 (64-bit)
> Windows Server 2016 (64-bit)
> Windows Server 2012 and 2012 R2 (64-bit)
> Windows 11 up to 22H2
> Windows 10 (32-bit, 64-bit) up to 21H2
> Windows 8.1 (32-bit, 64-bit)

Hardware and Screen Resolution Requirements


The following hardware is required:
> USB port, for physical token devices
> Recommended display resolution (for SafeNet Authentication Client Tools) 1024 x 768 pixels and higher

Tokens
The following tokens are supported:

Certificate-based USB Tokens


> SafeNet eToken 5300
> SafeNet eToken 5110
> SafeNet eToken 5110 CC
> SafeNet eToken 5110 FIPS
> SafeNet eToken 5300 C

Software Tokens
> SafeNet IDPrime Virtual Smart Card

Smart Cards
> SafeNet IDPrime 3930 FIDO
> SafeNet IDPrime eToken 5110+ FIPS
> SafeNet IDPrime SIS 840
> SafeNet IDPrime 940 SIS
> SafeNet IDPrime 930nc
> SafeNet IDPrime MD 830nc
> SafeNet IDPrime 940B
> SafeNet IDPrime 3940 FIDO
> SafeNet IDPrime 930
> SafeNet IDPrime 3930
> SafeNet IDPrime 940
> SafeNet IDPrime 3940
> SafeNet IDClassic 410

NOTE SafeNet IDPrime 3940 and 3930 type B smart cards can be used in contactless mode
using the readers listed in "Smart Card Readers supported in Contact and Contactless modes".

> Gemalto IDCore 30B eToken


> Gemalto IDPrime MD 840 (EOS)
> Gemalto IDPrime MD 840 B
> Gemalto IDPrime MD 3840 (EOS)
> Gemalto IDPrime MD 3840 B
> Gemalto IDPrime MD 830-FIPS
> Gemalto IDPrime MD 830-ICP
> Gemalto IDPrime MD 830 B
> Gemalto IDPrime MD 3810 (EOS)
> Gemalto IDPrime MD 3811
> Gemalto IDPrime MD 8840 (8GB) Micro SD card (EOS)
> Gemalto IDPrime .NET (only SAC PKCS#11 and SafeNet Minidriver interfaces)
> Optelio R7

NOTE Although the majority of contactless cards mentioned in these release notes are
compliant with ISO 14443, it is recommended to test these cards on all customer laptop models
before placing an order.
For more information on IDPrime MD Smart Cards, refer to IDPrime MD Configuration Guide.

Smart Cards and Tokens that Support Common Criteria


> SafeNet IDPrime 940 B
> SafeNet IDPrime 940
> SafeNet IDPrime 3940
> Gemalto IDPrime MD 840
> Gemalto IDPrime MD 840 B
> Gemalto IDPrime MD 3840
> Gemalto IDPrime MD 3840 B
> Gemalto IDPrime MD 8840 Micro SD Card
> SafeNet eToken 5110 CC

Smart Card Readers supported in Contact and Contactless modes


> CL3000 Prox-du (EOL)
> ACR128U (EOL)
> OMNIKEY Cardman 5422
> OMNIKEY 5022 (Contactless only)

NOTE It is recommended to use Vendor drivers for the above SC Readers.

Smart Card Readers


> Gemalto IDBridge K30
> Gemalto IDBridge K50
> Gemalto IDBridge CT30
> Gemalto IDBridge CT40
> ACR128U (EOL)
> OMNIKEY 5422
> OMNIKEY 3121
> IDBridge CL3000 (EOS)

Secure PIN Pad Readers:


> Gemalto IDBridge CT700

NOTE Except for SafeNet IDClassic 410 and SafeNet IDPrime SIS 840 cards, the PIN Pad
readers are supported on all IDPrime and .NET cards.

Device Features Supported by SAC


The table below specifies the features that are supported by SAC:

Features: Device:

Gemalto IDPrime SafeNet Gemalto IDPrime MD 830- SafeNet SafeNet


MD IDPrime FIPS/830- IDPrime eToken
840/3840/3840B/ 940 ICP/830B/3810/3810 930/3930 5110-FIPS
8840/SafeNet MIFARE 1K/3811/SafeNet
eToken 5110 CC eToken 5300

Number of 14 – default 20 – default 15 32 Dynamic


key Note 1 Note 1 Note 5
containers

RSA Key 2048-bit - default 2048-bit - 2048-bit 2048-bit 2048-bit


sizes 3072-bit default 3072-bit Note 3
4096-bit 3072-bit Note 3 4096-bit
4096-bit - Note 3
default
Note 2 & 7
Note 2

RSA Padding PKCS#1 v1.5, PSS, PKCS#1 PKCS#1 v1.5, PSS, OAEP PKCS#1 RAW,
OAEP v1.5, PSS, v1.5, PSS, PKCS#1
OAEP OAEP v1.5, PSS,
OAEP
Note 4
Note 3 & 6

ECC Key 256-bit - default 256-bit - 256-bit 256-bit 256-bit


sizes 384-bit default 384-bit 384-bit 384-bit
521-bit 384-bit 521-bit 521-bit
521-bit
Note 2
Note 2

Hash SHA-1 160-bit SHA-1 160- SHA-1 160-bit SHA-1 160- SHA-1 160-
SHA-2 256-bit, 384- bit SHA-2 256-bit, 384-bit, 512-bit bit bit
bit, 512-bit SHA-2 256- SHA-2 256- SHA-2 256-
bit, 384-bit, Note 3 bit, 384-bit, bit, 384-bit,
512-bit 512-bit 512-bit

Note 3 Note 3

Activation N/A Available N/A Available N/A


PIN

Re-init N/A N/A N/A Available Available


feature

SKI N/A N/A Available Available N/A

Non- N/A N/A N/A Available Available


managed
profile

NOTE
1. The default number of containers and default container capabilities can be customized
during the PERSO process.
2. The supported key sizes depend on the PERSO container customizations.
3. SHA-1 (160-bit) and RSA 1024-bit are not allowed in FIPS L3 cards.
4. PKCS#1 padding does not allow decrypt on IDPrime 930/3930 FIPS L3 cards.
5. Keys can be created as long as free memory is available.
6. Raw RSA is not available on FIPS devices.
7. RSA 3072 and 4096-bit only key import available (no OBKG).

NOTE
- Cards (such as IDPrime 930 FIPS L3) that are based on FIPS L3 version 2018 onward do not
allow signing of data using the NO_HASH algorithm.

- For IDPrime 930 FIPS L3 cards, the input of the CKM_RSA_PKCS mechanism is in the form of
OID+DIGEST, where OID identifies one of the following hash functions: SHA256, SHA384 or SHA512, and
DIGEST is the hash value of the hash function indicated by the OID.
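
The OID+DIGEST input described in the note above, built and checked in Python as an added example (not Thales code). It assumes that OID+DIGEST means the standard PKCS #1 v1.5 DigestInfo encoding from RFC 8017; the function names are illustrative, and the resulting bytes are what an application would pass to a CKM_RSA_PKCS signing call after hashing the data itself.

```python
# Added example, not Thales code. Builds and validates the OID+DIGEST input
# for CKM_RSA_PKCS. Assumption: OID+DIGEST is the DER-encoded DigestInfo
# structure of PKCS #1 v1.5 (RFC 8017).
import hashlib

# Hash functions the note allows, with their NIST object identifiers.
ALLOWED_HASH_OIDS = {
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value element with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]             # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def digest_info(hash_name: str, digest: bytes) -> bytes:
    """Wrap an already computed digest as OID+DIGEST."""
    if hash_name not in ALLOWED_HASH_OIDS:
        raise ValueError(f"{hash_name} is not SHA256, SHA384 or SHA512")
    if len(digest) != hashlib.new(hash_name).digest_size:
        raise ValueError(f"digest length does not match {hash_name}")
    algorithm = der_tlv(
        0x30, der_oid(ALLOWED_HASH_OIDS[hash_name]) + der_tlv(0x05, b"")
    )
    return der_tlv(0x30, algorithm + der_tlv(0x04, digest))


def build_sign_input(data: bytes, hash_name: str = "sha256") -> bytes:
    """Hash the data in software and return the OID+DIGEST bytes to sign."""
    return digest_info(hash_name, hashlib.new(hash_name, data).digest())


def check_sign_input(blob: bytes) -> str:
    """Return the hash name if blob is a well-formed OID+DIGEST, else raise."""
    for name in ALLOWED_HASH_OIDS:
        size = hashlib.new(name).digest_size
        prefix = digest_info(name, bytes(size))[:-size]
        if blob.startswith(prefix):
            if len(blob) != len(prefix) + size:
                raise ValueError(f"{name} OID found but digest length is wrong")
            return name
    raise ValueError("input is not OID+DIGEST for SHA256, SHA384 or SHA512")


if __name__ == "__main__":
    sample = build_sign_input(b"constructed sample message", "sha384")
    print(check_sign_input(sample), len(sample), sample.hex())
```
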

Compatibility with Third-Party Applications


The following third-party applications are supported:

Solution Type | Vendor | Product Version
Remote Access VPN | Check Point | Endpoint Security E80.70
Remote Access VPN | Microsoft | Windows Server 2008 SP2 and later
Remote Access VPN | Cisco | NAM
Remote Access VPN | Cisco | AnyConnect Windows 4.7.00136
Remote Access VPN | Palo Alto | PA-200 GW Appliance
Remote Access VPN | Juniper | Juniper MAG 2600 GW Appliance
Virtual Desktop Infrastructure (VDI) | Citrix | Virtual Apps and Desktops 7.2206 (Formerly XenDesktop)
Virtual Desktop Infrastructure (VDI) | Microsoft | Remote Desktop
Virtual Desktop Infrastructure (VDI) | VMware | View Horizon 7.8
Identity Access Management (IAM) | IBM | ISAM for Web 9.0 (eToken only)
Identity Management (IDM) | Intercede | MyID 11.3
Identity Management (IDM) | Microsoft | MIM 2016 4.5.286.0 (Supported with SAC Minidriver profile)
Identity Management (IDM) | vSEC:CMS | vSEC:CMS 5.8 (Supported with SAC Minidriver profile)
Identity Management (IDM) | IDnomic | OpenTrust CMS 5.2. NOTE For eToken 5110 FIPS support, refer to "Advisory Notes".
Pre Boot Authentication (PBA) | Sophos | SafeGuard Easy (eToken only)
Pre Boot Authentication (PBA) | Microsoft | BitLocker (RSA only)
Certificate Authority (CA) | Entrust | ESP 10
Certificate Authority (CA) | Microsoft | For All Windows platforms (Local CA)
Single-Sign-On (SSO) | Evidian | ESSO (eToken only)
Digital Signatures | Entrust | ESP 10
Digital Signatures | Adobe | Acrobat Pro DC 22.003.20258
Digital Signatures | Microsoft | Outlook 2016 / Office 365
Digital Signatures | Mozilla | Thunderbird 78.14 and 91.1.2
Browsers | Mozilla | Firefox 105.0.3 (TLS 1.3 supported)
Browsers | Microsoft | Edge (Chromium) 106.0.1370.42 (TLS 1.3 supported)
Browsers | Google | Chrome 106.0.5249.119 (TLS 1.3 supported)

Compatibility with Thales Applications


IDPrime cards can be used with the following products:
> SafeNet Authentication Service (SAS) / SafeNet Trusted Access (STA)
> IDPrime User Tool for Windows (V1.2.0)
To work with these products, install SafeNet Minidriver profile by generating an .msi file using the SAC
Customization Tool.
To generate an MSI installation file, refer to SafeNet Authentication Client Administrator Guide.

Installation and Upgrade Information


NOTE Local administrator rights are required to install, uninstall, and upgrade SAC.

Installation
SAC must be installed on each computer on which IDPrime MD cards, as well as SafeNet Tokens or Smart Cards
are to be used.

Upgrade
For earlier versions of SAC, it is recommended that an upgrade is performed to the latest version on each
computer that uses a Token or Smart Card.

Uninstall
Once SAC is installed, it can be uninstalled. After uninstallation, the user configuration and policy files may be
deleted.

NOTE You must restart your computer when the uninstall procedure completes.

For more installation, uninstallation, and upgrade details, refer to SafeNet Authentication Client Administrator
Guide.

Resolved and Known Issues


This section lists the issues that have been resolved in this release and the issues that are known to exist in it.
The following table defines the severity of the issues listed in this section.

Priority | Classification | Definition
C | Critical | No reasonable workaround exists.
H | High | Reasonable workaround exists.
M | Medium | Medium level priority problems.
L | Low | Lowest level priority problems.

Resolved Issues
Issue | Severity | Synopsis
ASAC-14609 | H | Error while issuing the certificates for IDPV Virtual cards. (Customer ID: CS1127070, CS1310015)
ASAC-14718 | H | SAC Tools is not displaying cards status and certificates properly after refresh. (Customer ID: CS1119389)
ASAC-14694 | H | SAC Tools is displaying the token category as Hardware Token for IDPV smart cards. (Customer ID: CS1309811)
ASAC-13821 | H | Old certificates are not getting cleared when formatting IDPrime 930 cards on SAC 10.8 R6 (with SafeNet Minidriver profile) for Windows 10. (Customer ID: CS1087267)
ASAC-12744 | M | When SAC 10.5 is used as a RemoteApp and a token is unlocked using the "Challenge Response" method, there is a piece of the window that does not display until you hover over the area of the screen with the mouse cursor. (Customer ID: CS0989983)
ASAC-14208 | M | Failure of C_UnwrapKey while unwrapping 2nd RSA-4096 decryption private key. (Customer ID: CS1106360)

Known Issues
Issue: ASAC-14895
Severity: L
Summary: No touch sense pop-up is displayed while performing Outlook's cryptographic operation.
Workaround: Touch the token to complete the cryptographic operation being performed.

Issue: ASAC-14425
Severity: L
Summary: Mozilla Thunderbird stops working if a smart card is swapped while performing the send email operation.
Workaround: Relaunch Thunderbird and perform the operation with a valid smart card.

Issue: ASAC-13770
Severity: L
Summary: Few DLLs (EtokenMD.dll, SafenetMD.dll and axaltocm.dll) remain in the system after uninstallation of SYSWOW64 folder in P11+MD msi on 64-bit OS for both fresh install and upgrade.
Workaround: Manually delete the DLLs.

Issue: ASAC-15216
Severity: L
Summary: Free space is not updating in SAC Tools for SafeNet IDPrime SIS 840 and SafeNet IDClassic 410 smart cards.
Workaround: None

Issue: ASAC-13750
Severity: M
Summary: DLL (SACUI.cs-Cz.dll) missing when upgrading SAC Typical from 10.2 to 10.8 R6.
Workaround: Firstly, upgrade SAC Typical from 10.2 to 10.8 R5. Thereafter, upgrade SAC Typical from 10.8 R5 to 10.8 R6.

Issue: ASAC-11167
Severity: M
Summary: Changing the Initialization Key to a non-compliant value causes the Initialization process to fail on a non-managed IDPrime 930 device.
Workaround: Ensure the Initialization Key that’s used complies with SAC’s Initialization key Password Policy (A secure password has at least 8 characters (up to 32 characters) and contains at least 3 from 4 complexity rules). For more details, refer to SafeNet Authentication Client User Guide.

Issue: ASAC-11099
Severity: M
Summary: Using a salt length in the PSS parameter that is not equal to the hash length of the appropriate PSS mechanism causes the C_Verify() command to fail with the CKR_SIGNATURE_INVALID return value.
Affected environment: All IDPrime based devices and any of the following mechanisms: CKM_SHA1_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS and CKM_SHA512_RSA_PKCS_PSS.
Workaround: On IDPrime based devices, use the PSS parameters with the salt length equal to the hash length.

Issue: ASAC-10910
Severity: M
Summary: It was not possible to authenticate to the VMWare Horizon Client with a smart card when SingleLogon is configured to 2. This is the expected behavior as Horizon uses explicit login and Microsoft Base Provider cannot run explicit login for SingleLogon scenarios.
Workaround: Disable SingleLogon by adding the process name (vmware-view.exe) to the registry and set SingleLogon to 0.
(Refer to ‘Defining a Per Process Property’ in the SafeNet Authentication Client Administrator Guide).

Issue: ASAC-10608
Severity: M
Summary: The memory allocated on an IDPrime 930 card for keys or data objects may not be completely freed up when these data objects are deleted. This memory is occupied by the card for future use (allocation of internal structures).
Therefore, the ‘Free Memory’ reported by SAC (UI or API) may show slightly less memory than there was before creating these data objects.
Workaround: None (this is the card’s expected behavior)

Issue: ASAC-9288
Severity: M
Summary: By default, the retry counter cache causes the following problem in SAC: when switching the card between different machines, the true retry counter is not shown until it is changed on the current machine and the cache is updated.
Workaround: Add the property RetryCountCached=0 under the [General] section: SafeNet\Authentication\SAC\General registry key.

Issue: ASAC-8923
Severity: M
Summary: Common Criteria devices (840, 940 and 5110CC) do not work with SAC default in conjunction with OpenTrust client 5.2.0.
Workaround: Disable the Multi-slot support property. See the SAC Administrator Guide for more information.

Issue: ASAC-8267
Severity: M
Summary: A Digital Signature PIN operation fails if the Digital Signature PIN (Role#3) and Digital Signature PUK (Role#4) have different PINPad configurations (PIN Type and Extended PIN Flags).
Workaround: Ensure that the Digital Signature PIN (Role#3) and Digital Signature PUK (Role#4) have the same PINPad configuration.

Issue: ASAC-7969
Severity: M
Summary: With the eToken Pro (no hash on-board functionality) and eToken 5110 FIPS (both hash and sign functionalities on-board) devices, when there are two or more threads running two PKCS#11 sessions in the same application, the signing operation fails.
Workaround: Perform one of the following:
> Update the application to use the hash off-board mechanism and then perform the RSA operation with the token.
> Update the application to synchronize between threads - make the C_SignInit - C_SignUpdate - C_SignFinal a solid block.
> If there is no option to update the application, enable the hash offboard property: ‘HashOffboard’ in SAC. This allows SAC PKCS#11 to perform the hash off-board instead of the token.

Issue: ASAC-7932
Severity: M
Summary: Changing the PIN on Firefox using the CT710 PIN Pad does not work.
Workaround: Change the PIN using SAC Tools or SAC tray icon.

Issue: ASAC-7849
Severity: M
Summary: When ClassicClient and SAC are installed side-by-side, propagation is done via regtool only.
Workaround: None.

Issue: ASAC-7602
Severity: M
Summary: An error occurred after a banner was added to the SAC Customization Tool, followed by the generation of an MSI file.
Workaround: Run the Customization Tool as an Administrator.

Issue: ASAC-7228
Severity: M
Summary: When connecting a .net smart card to the reader on a Windows OS with SAC installed, the
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards]
registry changed
From: Smart Card Key Storage Provider=SafeNet Smart Card Key Storage Provider
To: Smart Card Key Storage Provider=Microsoft Smart Card Key Storage Provider
Workaround: Uninstall SAC or use the repair option by going to Control Panel > Add Remove Programs.

Issue: ASAC-6788, ASAC-2429
Severity: M
Summary: Performing a remote desktop connection from a system which has Minidriver installed, to a system with SAC installed, causes RDP errors after entering the smart card PIN.
NOTE This is the default behavior of the RDP, when the CredSSP protocol is used during an RDP session, and when the CSP names differ on a client and a server.
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CSSP/[MS-CSSP].pdf
CSP name is passed from the client to the server during the CredSSP handshake, which is why the first attempt fails, but the second one succeeds because it uses the CSP name that’s local to the server.
For more information, refer to the official document: 2.2.1.2.2 TSSmartCardCreds.
Workaround:
1. Upgrade the RDP version on the machine.
2. Edit the RDP file (on the Client) by following these steps:
a. Open the Remote Desktop connection window.
b. Click Show Options.
c. Under Connection Settings, click Save as, and save the RDP file locally.
d. Open the file using Notepad.
e. Add enablecredsspsupport:i:0 at the end of the RDP file and then save the file.
f. Connect to the server using the edited RDP file.
For more details, refer to:
> https://support.microsoft.com/en-us/kb/941641
> https://technet.microsoft.com/en-us/library/ff393660(v=ws.10).aspx

Issue: ASAC-6585
Severity: M
Summary: When using PKCS#11 mechanisms CKM_SHA256_RSA_PKCS (eToken 5110 GA and FIPS) and CKM_SHA1_RSA_PKCS (eToken 5110 GA), the data hashing is done on-board. The on-board hashing slows the process down and may cause failures in multi-threading implementations.
Workaround:
> Use separate hashing and signing mechanisms.
> Synchronize multi-threading implementations.
> Define a new DWORD32 with the name "HashOffboard" and value = 1 under HKLM\Software\SafeNet\Authentication\SAC\Crypto. This enables SAC to perform off-board hashing instead of on-board.

Issue: ASAC-6344
Severity: M
Summary: Generating an msi file when the My Documents folder is redirected to the network does not work.
Workaround: Create a folder named Documents under \Users%username%.

Issue: ASAC-6214
Severity: M
Summary: VMView client may not work properly with SAC when using a smart card certificate.
Workaround: Install SAC before installing the VMView Client.

Issue: ASAC-6191
Severity: M
Summary: IDPrime smart cards cannot sign plain data longer than 36 bytes for RSA or ECC keys.
Workaround: None

Issue: ASAC-6098
Severity: M
Summary: When SAC (with the SafeNet Minidriver profile) is used with an IDPrime 830 smart card on Windows 10, the PIN prompt is displayed only after 10 seconds between the signing operations.
Workaround: This is Windows default ‘Power Saving’ mode. This feature sends the Power Off command (63 00 00 …) to the reader after about 20-30 seconds after any transaction to the smart card is completed. Configure the following registry key to change the delay period in seconds:
CardDisconnectPowerDownDelay in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
http://opensc.1086184.n5.nabble.com/smart-card-reset-after-5-seconds-on-Windows-td15563.html

Issue: ASAC-6079
Severity: M
Summary: Windows 10 (1709) crashes when verifying SafeNet Drivers using the Microsoft Windows Driver Verifier tool.
Workaround: Use the CCID drivers (without installing eToken drivers).

Issue: ASAC-6058
Severity: M
Summary: Performing smart card authentication to the WiFi network on Windows 10 (1709) was not possible as the smart card logon window was not displayed.
Workaround: Install Microsoft KB 4089848.
(Customer ID: CS0514040, CS0543595)

Issue: ASAC-5815
Severity: M
Summary: When working with a token or a PIN pad reader on a VM Workstation, the token might be unrecognized when selecting the "Shared" device in VM > Removable Devices menu.
Workaround: Connect the device that is not under the "Shared" devices list in order to work with the eToken/reader device.

Issue: ASAC-5343
Severity: M
Summary: When using a PIN Pad reader with the Smart Card initialized with the ‘Must change password’ flag enabled, and the password is changed on the same machine, the user may encounter an issue and receive an "Incorrect password" message. The issue will not occur if the card is initialized on one machine and the password is changed on another.
Workaround: Delete the cache folder (C:\Windows\Temp\eToken.cache) after initialization and before changing the password.

ASAC- M Summary: When trying to log onto a locked device, two messages are shown instead of one.
5306 Workaround: Close both windows.

ASAC- M Summary: When connecting a non-Pin Pad reader, an incorrect message is displayed in the
5201 event viewer.
Workaround: To disable Pin Pad support, create a REG_DWORD value called "NoPinPad"
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\General and
set its value to 1.
On 64-bit machines, you additionally need to do the same under the key:
HKEY_LOCAL_
MACHINE\SOFTWARE\Wow6432Node\SafeNet\Authentication\SAC\General

ASAC- M Summary: Generating a customized .msi file with a previous xml file (taken from an earlier
4516 SAC version) is not supported.
Workaround: Make sure you create a new configuration with the same settings in the current
SAC version.

ASAC- M Summary: When rebooting a PC after placing an IDPrime 3811 MD contactless card on a
4504 reader, the following error message appears: “No valid certificates were found on this smart
card….”.
Workaround: Remove the card and then place it back on the reader, the certificate will be
seen, and may be used.

ASAC-4497 M Summary: When the Maximum Password Usage value is configured to a value other than
zero (0), the password expires a day later than was defined. For example: if it is set to 166
days, SAC will show 167 days.
Workaround: None.

ASAC-4141 M Summary: During the unblock operation, no other application can access the device until the
unblock operation is finished or canceled.
Workaround: None.

ASAC-4116 M Summary: When entering an incorrect Digital Signature PIN while enrolling a CC Certificate
onto a CC device in unlinked mode, the enrollment process fails.
Workaround: Retry enrolling the certificate with the correct Digital Signature PIN.

ASAC-4024 M Summary: When unlocking a Common Criteria device (that is in linked mode) via SAC Tools
and an incorrect Challenge Response is sent, a general error message is received.
Workaround: None.

ASAC-2653 M Summary: When working with a token on VM Workstation, the token might be unrecognized
when selecting the "Shared" device in VM > Removable Devices menu.
Workaround: Connect the device that is not under the "Shared" devices list in order to work
with the eToken device.

ASAC-2284 M Summary: When a user attempts to generate a customized SAC file with no administrator
privileges, the process fails.
Workaround: Create the customized SAC .msi file with administrator privileges.

ASAC-2146 M Summary: The process of creating a signed customized MSI with the Customization Tool
takes a while.
Workaround: Wait for the process to end.

ASAC-1740, ASAC-2262 M Summary:
Scenario 1 - When using jarsigner.exe to sign JAR files, the jarsigner command fails to
respond for a while.
Scenario 2 - When performing an Identrust enrollment on Windows Server 2008, Windows 7
or Windows Server 2008 R2, the enrollment fails.
Cause:
In Windows 7, Windows Server 2008, and Windows Server 2008 R2, when an application
using a smartcard has been terminated unexpectedly, it causes other applications that try to
connect to the smartcard to stop responding. This occurs in both local and RDP
environments. This is a Microsoft issue. Microsoft has released hotfixes that resolve this
issue.
Workaround: Download the following two hotfixes from Microsoft:
Local Scenario: http://support.microsoft.com/kb/2427997
RDP: http://support.microsoft.com/kb/2521923

ASAC-1722 M Summary: When running the repair option from the MSI file wizard, the operation fails.
Workaround: Use the repair option by going to Control Panel > Add Remove Programs.

ASAC-1702 M Summary: When the application runs as a service without the Local System Account
permissions, smart card communication fails.
Workaround: Make sure the service runs with the Local System Account permissions by
adding it manually.
This is a Microsoft by-design known issue. For more details refer to the following Microsoft
support ticket number: 114092811845001.

ASAC-819 M Summary: When the MS KB http://support.microsoft.com/kb/2830477 is installed in a
Windows 7 environment, you are prompted for the token password when you start the RDP
session, but after entering the remote machine, you are prompted for the standard user name and
password.
Workaround: Uninstall the MS KB.

ASAC-378 M Summary: Smart card logon is not supported by default when using tokens with ECC
certificates.
Workaround: Perform the following:
In the Local Group Policy Editor, under Local Computer Policy\Administrative
Templates\Windows Components\Smart Card,
enable "Allow ECC certificates to be used for logon and authentication".

ASAC-277, ASAC-525 M Summary: The SAC installation does not load the PKCS#11 module for 32-bit Firefox on a
64-bit OS.
Workaround: Use 64-bit Firefox, or load the 32-bit PKCS#11 module manually from the
System32 folder.

SACINT-38 M Summary: Unable to sign a Word document via Office 365 (Office on Demand) using SAC.
Workaround: Open the saved document from the local machine itself. This enables you to
sign the document successfully.

ASAC-11149 M Summary: VPN fails using IDPrime 930 L3 (with KSP SHA2 certificate) cards.
Workaround: None.
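
The NoPinPad workaround given for ASAC-5201 above can be applied from an elevated PowerShell session as follows. This is an added example, not a Thales-supplied script; it writes the value to both the native and the 32-bit (Wow6432Node) registry views on 64-bit Windows and reads it back to confirm the type and data.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the release notes): sets NoPinPad = 1 (REG_DWORD)
# under HKLM\SOFTWARE\SafeNet\Authentication\SAC\General, as described for ASAC-5201.

$subKey    = 'SOFTWARE\SafeNet\Authentication\SAC\General'
$valueName = 'NoPinPad'

# On 64-bit Windows the 32-bit view maps SOFTWARE\... to SOFTWARE\Wow6432Node\...,
# so using explicit registry views works from either a 32-bit or 64-bit PowerShell host.
$views = if ([Environment]::Is64BitOperatingSystem) {
    @([Microsoft.Win32.RegistryView]::Registry64,
      [Microsoft.Win32.RegistryView]::Registry32)
} else {
    @([Microsoft.Win32.RegistryView]::Default)
}

foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        # CreateSubKey opens the key for writing and creates it if it is absent.
        $key = $base.CreateSubKey($subKey)
        try {
            $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)

            # Read back so a wrong type or value is visible immediately.
            [pscustomobject]@{
                View = $view
                Key  = "HKLM\$subKey"
                Name = $valueName
                Kind = $key.GetValueKind($valueName)
                Data = $key.GetValue($valueName)
            }
        }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}
```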

Known Limitations
Issue Severity Synopsis

ASAC-11163 H After locking the Administrator Key (due to an incorrect password being entered too many
times), the IDPrime 940/3940 smart card switches to a locked state and as a result the
device cannot be used (device is unrecognized).

ASAC-14391 H When a p12 file is imported using Net ID - PKCS#11, it is not visible in Find all objects
method of the SAC- PKCS#11.

ASAC-12144 H When working in a VDI environment, configure the CacheMarkerTimeout property in
the registry. On the host machine go to:
\SafeNet\Authentication\SAC\General.
CacheMarkerTimeout=1
For more details, refer to SafeNet Authentication Client Administrator Guide.

ASAC-8203 M After connecting and using an IDPrime 3811 device (on a contactless reader) the smart
card was not recognized (loss of identification).

ASAC-7318 M On IDPrime MD cards, only CA private certificate objects are supported.

ASAC-6261 M The profile whereby a PUK replaces the Admin Key does not support initializing a device.

ASAC-4872 M IDPrime MD 840 and eToken 5110 CC do not support history size of Password Quality.

ASAC-4531 M IDPrime MD 830B (applet 4.3.5) FIPS L3 does not support RSA 1024, ECC signing with
SHA1 algorithms, as per FIPS/NIST regulations.

ASAC-4363 M As of SAC 10.2, Symmetric keys created using PKCS#11 without the attributes
CKA_SENSITIVE = TRUE and CKA_EXTRACTABLE = FALSE, on an eToken Java device
initialized in FIPS/CC mode will face backward compatibility issues on previous SAC
versions.

ASAC-4081 M SafeNet eToken 5110 FIPS does not support RSA 1024 and SHA1 on board, as per
FIPS/NIST regulations.

ASAC-3980 M SafeNet Authentication Client does not support RSA 3072 and 4096 on IDPrime MD,
.NET and eToken devices.
SafeNet Authentication Client does not support Single Sign On with IDPrime .NET and
IDPrime MD cards via PKCS#11 API interface.
For more information, refer to the smart card specification guide.

ASAC-3769 M The following PIN pad limitations exist:
> SC Logon using the PIN Pad via eToken CSP is not supported. The PIN is entered via
the keyboard. Customers can use SafeNet Minidriver to logon via the PIN Pad.
> IDPrime MD 840 and IDPrime MD 3840 cards ignore the “Token password must be
changed on first logon” parameter when working with the PIN pad reader.
> Performing a “Change PIN” operation via PKCS#11 (C_SetPIN) requires the PIN to be
entered again at the end of the process.
> Single Sign On is not supported with PIN Pad readers.

ASAC-2320 M When 'Smart Card is required for interactive logon' is enabled, the ‘Synchronize with
Domain Password’ feature of SAC is not supported (domain passwords cannot be
changed when this option is enabled).

Product Documentation
The following product documentation is associated with this release:
> 007-013560-006_SafeNet Authentication Client 10.8-R8 Windows GA Administrator Guide
> 007-013561-006_SafeNet Authentication Client 10.8-R8 Windows GA User Guide
We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to
be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct
them in succeeding releases of the product.

Support Contacts
If you encounter a problem while installing, registering, or operating this product, please refer to the
documentation before contacting support. If you cannot resolve the issue, contact your supplier or Thales
Customer Support.
Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Thales and your organization. Please consult this
support plan for further information about your entitlements, including the hours when telephone support is
available to you.

Customer Support Portal
The Customer Support Portal, at https://supportportal.thalesgroup.com, is where you can find solutions for most
common problems. The Customer Support Portal is a comprehensive, fully searchable database of support
resources, including software and firmware downloads, release notes listing known problems and workarounds,
a knowledge base, FAQs, product documentation, technical notes, and more. You can also use the portal to
create and manage support cases.

NOTE You require an account to access the Customer Support Portal. To create a new
account, go to the portal and click on the REGISTER link.

Telephone
The support portal also lists telephone numbers for voice contact (Contact Us).

Email Support
You can also contact technical support by email at [email protected].
