This page summarized 'know' solution for connector connection troubleshooting
The connector is using a DNS (depending on the connector partner), with a default value of:
The given URL is registered with DNSSEC enabled, and resolves to a 'localhost' domain.
Although the connector can run in a different mode (http, localhost, custom domain name, etc.), to solve the above issue, the following causes are probable:
DNS Rebind is enforced from your router
The domain name is not whitelisted in your internal network
A local proxy is running and prevents the internal connector communication
An antivirus is blocking the connector communication
Your (custom) DNS server does not contain resolution for localhost and t1c.t1t.io
You can easily test if the connector is running correctly using the following URL:
Depending on the connector (partner related) the port can be different, make sure to verify on which port your connector should be running
Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine.
Modifying your hosts file causes your local machine to look directly at the Internet Protocol (IP) address that you specify.
Modifying the hosts file involves adding an entries to it. The entry contains the IP address to which you want the DNS to resolve and a version of the Internet address.
When the connector is not reacting, but the installation has succeeded, a DNS Rebind policy can forbid the communication form a web application to the connector's domain name. The default domain name used is: https:t1c.t1t.io
Other than DNS rebind, a DNS server not containing the necessary resolutions for localhost
or t1c.t1t.io
can cause the same issues as a DNS rebind problem.
There are 2 approaches to fix DNS rebind issues:
update the 'host' file of the device (needs admin rights)
update the local router which enforces the DNS Rebind
And 2 for when the configured DNS server does not contain the name resolutions;
update the 'host' file of the device (needs admin rights)
Ask the network administrator to update the DNS server to include name resolutions for localhost
and t1c.t1t.io
[MAC OSX]
The admin password will be asked in the command line. If you open the file with another editor, a pop-up will ask you for the administrator password.
The file will be shown (the example can be different from what is configured on your device)
We need to add an additional line to this file:
Save the file, restart the browser and test the url below
Depending on the connector (partner related) the port can be different, make sure to verify on which port your connector should be running
[WINDOWS]
Open Notepad or an editor of choice and run as administrator the following file:
The contents will look like this
We need to add an additional line to this file:
Select File > Save to save your changes. Restart your browser and test the url below
Depending on the connector (partner related) the port can be different, make sure to verify on which port your connector should be running
The issue happens typically when the device is owned by an administrator in a controlled environment. Any router or firewall, sitting in between the connector and the internet, must comply to whitelist the following domain names by default:
t1c.t1t.io
ds.t1t.io
The latter is a central distribution service, which provides user with installation packages or updates. No personal data ever leaves the local device without explicit user consent.
A local proxy can redirect or capture communciation using a 'localhost' URL. Many proxy solutions exists, so to solve the issue please read the documentation of the specific proxy and configure it to allow or exclude the connector from the applied policies.
An anti-virus has functionalities to protect you from malicious software components. When an anti-virus is present on your device, please allow the connector processes to be trusted.
More information on 'known' solution for anti-virus services can be found: Troubleshooting
With the latest systems of Apple they have switched over from Intel to Arm processors. Apple has provided a translation layer between application that are compatible with Intel but not with Arm.
In the Trust1Connector we have 1 component which relies on this translation layer for some functionality.
During installation on these systems it can show as a "successfull installation" but the installation folder is still missing.
in the console
logs it will show an error that an installation of Rosetta 2 is necessary.
The solution is to enable rosetta 2 and then re-install the Trust1Connector application.
you can enable Rosetta 2 with the following command (administrative password is required)
In some cases the Support Desk will ask for a HAR file. This means an export of the functions that a web-page is executing. This is to see that all the functions that call the Trust1Connector are executed correctly.
Before you use the web application open the developer tools. This can be done by right clicking and click on inspect
This will open a window like this
Next navigate to the network tab in the inspect
window
When this is done, use the web application's functionality and when you are finished or come to an issue you can use the download button to get a HAR file, save the file to your system and send this to the Support Desk
The Smartcard service is a Windows service that manages the connection to the eID and card reader. Therefore, this service must be running for you to be able to access the eID. You can check this as follows:
Open "Windows Services".
Search for "Smartcard service" as shown in the following screenshot:
Check the following Smartcard service settings (based on the screenshot above):
The status column for the Smartcard service shows 'Running'.
The 'Log On As' column shows 'Local Service'.
Are the Smartcard service settings NOT as they should be? Then do whichever of the following two options applies:
1. The Smartcard service is not running.
Start the Smartcard service, as follows:
Double-click the Smartcard service.
Click 'Start' and then 'OK'.
2. The Smartcard service is not logged on as a 'Local Service'.
Double-click the Smartcard service.
Select the second tab, 'Log On'.
Select 'This account'.
Click 'Browse'.
In the white text box, type: loc.
Then click 'Check names'.
The name 'Local service' now appears in the text box.
Then click 'OK'.
Leave the password boxes empty.
Click 'Apply'.
Click 'OK'.
Go back to the first tab, 'General', and restart the service.
Click 'Start'.
Click 'Stop'.
In some cases there is a possibility that the system is not able to retrieve the domain information, in this case the T1C is not usable. To solve this problem you can follow these steps described here; https://www.hostinger.com/tutorials/fix-dns_probe_finished_nxdomain
When installing the T1C the possibility of the errors 2502 or 2503 originate from the fact that permissions in the temp folder (C:\Windows\Temp) are not correct, and since the MSI installer relies on this they need to be correct. You need to have permissions next to the administrator rights.
You need to have permissions as <My User> next to the administrator rights.
More information can be found here; https://answers.microsoft.com/en-us/windows/forum/windows_8-windows_install/windows-8-install-some-software-using-msi/48881523-1a5d-4c43-abc4-01b1ce3ebf3a
The Trust1Connector and some installation files are digitally signed. On some machines however the Trust1Connector is flagged/blocked by an antivirus. Disabling the antivirus temporary can allow the user to install the Trust1Connector for some antivirus tools. Below we provide procedures for some antivirus softwares to be able to install the Trust1Connector.
If the user receives an notification that a script from the Trust1Connector is blocked as shown below:
The procedure at https://support.eset.com/kb2908/?locale=en_US&viewlocale=en_US can be used to solved the issue.
When using the Kaspersky and kaspersky web protection you can add an exclusion rule to the belfiusweb page. After you added this rule, restart the computer to make sure all settings are applied.
If the connector is not starting with the error message: "Can not contact the DS service"
Go to the user folder in %LocalAppData%
Go to BelfiusConnector folder and remove the selected files below:
Restart your pc or mac, and the restart will re-initialise the device keys.
The problem should be solved after executing this step.
Smart Card Reader Issues Tracker for Sonoma
Starting from OSX Sonoma, smart card readers for Mac can fail for the following use cases:
detect card reader
execute transaction (digital signature or authentication)
The general end-user experience is that the smart card communication fails (card reader disseappears or the transaction fails).
A very great shout-out to Ludovic Rousseau who initially did a follow-up on impact of smart card readers in Sonoma:
The initial solution prior to 11/2023 was very elaborate, but was made easy by applying a single command in a MAC OSX terminal:
The command switches the MAC OSX implementation of the CCID drivers to the legacy version (the version working prior to Sonoma).
As MAC OSX defaults using a custom CCID implementation, which still have some issues, switching to the old version is a temporary stolution.
Form a specific moment (not at the time of writing), switching back to the default CCID implementation can be done using the following commands (in a terminal):
Check if the built-in Apple CCID driver is active
If the former command results in:
This means that the built-in Apple driver is active.
The result is 1 so the "external" (non-Apple) CCID driver is enabled.
Returning back to default, execute:
After executing a driver switch, we have noticed that a restart is mandatory!