There is some incompatibility between ThinLinc and Net iD that causes smart card authentication to fail.
The error presented to the user is a dialog with:
> Smart card malfunction. Check your hardware.
The log file has this to say:
> 2023-01-10T07:45:00: Getting certificate with id 65537
> 2023-01-10T07:45:00: Certificate found
> 2023-01-10T07:45:00: Logging in...
> 2023-01-10T07:45:00: Querying user for passphrase...
> 2023-01-10T07:45:03: Unexpected token login error: 256
> 2023-01-10T07:45:03: Signature operation failed (256)
256 is CKR_USER_ALREADY_LOGGED_IN, which is a bit unexpected.
The same code can be found in Net iD's debug log:
> Pkcs11 - Failed to login
> Pkcs11 - Return CKR_USER_ALREADY_LOGGED_IN
The problem is that the smart card (correctly) reports that the key is protected by a passphrase. tlclient then assumes the card defaults to a locked state, and needs to be unlocked. This assumption is apparently not true with Net iD.
It is not clear if Net iD is violating the PKCS#11 specification by having the token unlocked, or if tlclient is making assumptions that aren't supported by the specification. We need to look closer at it and see what it says.
The customer who reported this claims that disabling Net iD's SingleSignOn and UseCache settings makes the problem go away. They also state that you can work around it by specifying the wrong passphrase first, followed by the correct one.
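One defensive way for a PKCS#11 client to handle the return code seen in the logs above, as an added example that is not tlclient's or Net iD's code. The `mock_token` struct, `mock_login()` and `tolerant_login()` are hypothetical stand-ins for a real module's `C_Login()` call; only the `CKR_*` values come from the PKCS#11 headers.

```c
#include <stdio.h>
#include <string.h>

/* Return codes as defined in the PKCS#11 headers (pkcs11t.h). */
#define CKR_OK                     0x000UL
#define CKR_PIN_INCORRECT          0x0A0UL
#define CKR_USER_ALREADY_LOGGED_IN 0x100UL   /* 256, the code in the log */

enum login_result { LOGIN_FAILED = -1, LOGIN_OK = 0, LOGIN_ALREADY = 1 };

/* Constructed stand-in for a token. A real client would call C_Login()
 * through the module's CK_FUNCTION_LIST instead. */
struct mock_token { int logged_in; const char *pin; };

static unsigned long mock_login(struct mock_token *t, const char *pin)
{
    if (t->logged_in) return CKR_USER_ALREADY_LOGGED_IN;
    if (strcmp(pin, t->pin) != 0) return CKR_PIN_INCORRECT;
    t->logged_in = 1;
    return CKR_OK;
}

/* Hypothetical helper: separates "token was already unlocked" from a
 * genuine failure instead of mapping every non-zero code to an error. */
static enum login_result tolerant_login(struct mock_token *t, const char *pin)
{
    unsigned long rv = mock_login(t, pin);
    if (rv == CKR_OK)
        return LOGIN_OK;
    if (rv == CKR_USER_ALREADY_LOGGED_IN) {
        /* The private key is usable, but this call did NOT verify the
         * passphrase the user typed; do not treat it as proof of it. */
        return LOGIN_ALREADY;
    }
    return LOGIN_FAILED;
}

int main(void)
{
    struct mock_token unlocked = { 1, "1234" };  /* assumed: unlocked before login */
    struct mock_token locked   = { 0, "1234" };
    printf("already unlocked:  %d\n", tolerant_login(&unlocked, "1234"));
    printf("locked, wrong PIN: %d\n", tolerant_login(&locked, "0000"));
    printf("locked, right PIN: %d\n", tolerant_login(&locked, "1234"));
    return 0;
}
```

Whether a client should accept `LOGIN_ALREADY` silently or log it depends on its policy, since in that case the passphrase entered by the user was never checked by the token.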