LoginTC Managed

Overview

LoginTC Managed is a complete on-premises (aka onprem, on-prem) Multi-Factor Authentication solution. It is deployed as a virtual appliance within your organizations network. There are no external dependencies. The solution is ideal for organizations that want to control network flow and their authentication traffic and where user data is residing.

Architecture

LoginTC Managed is a drop-in replacement for LoginTC Cloud for all the LoginTC connectors. So anywhere LoginTC Cloud would be, LoginTC Managed replaces. The solution does not require any external dependencies.

Windows Logon and RDP

Microsoft Active Directory Federation Services

RADIUS with a VPN

Prerequisites

Before proceeding, please ensure you have the following:

  • Computer virtualization software such as VMware ESXiVirtualBox, or Hyper-V
  • Virtual Machine requirements:
    • 2048 MiB RAM
    • 16 GiB disk size
    • 2 CPU
Video Walkthrough
Virtual Appliance Overview

LoginTC Managed runs a firewall with the following open inbound ports:

Port Protocol Purpose
8443 TCP Administrative Web interface
443 TCP Connector API interface

Outbound ports that LoginTC Managed may use:

Port Protocol Purpose
25/587 SMTP (configurable) Sending enrollment emails, Email OTP authentication.
389/636 LDAP / Active Directory (configurable) User enrollment password verification, administrator login.
123 NTP Configured NTP server.

Note: Username and Password
logintc-user is used for console and web access. The default password is managed. You will be asked to change the default password on first boot of the appliance.

Installation

Virtual Appliance Setup

  1. Download the latest LoginTC Managed.
  2. Import the virtual appliance your computer virtualization software
  3. Ensure that LoginTC Managed has a virtual network card
  4. Start the virtual appliance
  5. You will be presented with a console prompt:
  6. Login using the username logintc-user and default password managed:
  7. Once logged in type setup:
  8. Follow the on-screen prompt to setup a new password for logintc-user:
  9. By default the appliance network is not configured. Once on the console dashboard, type 1 and enter to configure the network:
  10. Follow the on-screen prompts to setup the network. When done, type 1 and enter to confirm the settings:
  11. You will be presented with the network configuration which includes the URL to connect to the appliance from a web browser (example https://172.20.221.75:8443):

License Key

  1. Navigate to the URL shown in the console dashboard (example: https://172.20.221.75:8443)
  2. Login using the user logintc-user and the password set in the initial setup:
  3. Click No, how can I get a LoginTC Managed license? if you do not have a license, otherwise click Yes, import LoginTC Managed license:
  4. Contact Sales using the Appliance ID to obtain a license:
  5. Once you have the license, go back and click Yes, import LoginTC Managed license, select your license file then click Import:
  6. Upon successful import, details of the license will be presented:
  7. Click Continue to LoginTC Managed and you will be redirected to the dashboard:
Appliance Settings

NTP Server

To configure how the appliance keeps time.

NOTE: NTP Server must be configured
An NTP server must be configured for the appliance operate accurately. For example, most one-time based passcode authentication methods are based on time and will not function as expected without proper time synchronization in place.

  1. Navigate to APPLIANCE > Settings:
  2. Scroll to the NTP Server section click Edit:
  3. For Enabled select Yes and configure the NTP servers (example uses public NTP servers):

    Configuration values:

    Property Explanation
    Server 1 The primary NTP server
    Server 2 (Optional) The second NTP server
  4. Click Test then click Update to confirm the NTP Server settings:

Note
You may need to login again due to server time change after the NTP configuration.

Organization Details

The organization name and icon can be used for user enrollment and iframe authentication.

  1. Navigate to SETUP > Settings
  2. Scroll to the Organization section click Edit:
  3. Enter new Name and / or change the icon
  4. Click Update to confirm the changes

SMTP Server

To configure how the appliance will send enrollment emails and/or email one-time passcodes.

  1. Navigate to SETUP > Settings
  2. Scroll to the SMTP Server section click Edit:
  3. For Enabled select Yes and configure SMTP settings:

    Configuration details:

    Property Explanation
    Connection Details
    Hostname or IP Address SMTP gateway hostname or IP address
    Port Port number of the SMTP gateway. The default is 25
    Transport Can be one of SMTP, SMTP + STARTTLS or SMTPS
    Username (Optional) Username if required for authentication
    Password (Optional) Password if required for authentication
    Email Details
    From Address (Optional) The from address in emails
    Reply-To Address (Optional) The reply-to address in emails
  4. Click Test then click Update to confirm the SMTP Server settings:

Enrollment Portal

To configure how user enrollment their tokens by receiving an email with a link to an enrollment portal. The enrollment portal is hosted by the LoginTC Managed appliance.

NOTE: SMTP Server Dependency
The enrollment portal relies on sending emails to end users with a link the to portal. The SMTP Server must be configured to leverage the enrollment portal.

  1. Navigate to SETUP > Settings
  2. Scroll to the Enrollment Portal section click Edit:
  3. For Enabled select Yes and configure Enrollment Portal settings:

    Configuration details:

    Property Explanation
    Authentication Methods
    Software Tokens (OTP) Allow users to authenticate with a software token (OTP) using an authenticator app like the LoginTC Authenticator app
    Passcode Grids Allow users to enroll a passcode grid
    Enrollment Email
    Subject Subject line of email
    Body Body line of email
    HTTP Details
    Host The FQDN or IP address of your LoginTC Managed instance that your users will access
    Port The IPv4 port number of your LoginTC Managed instance that your users will access
    Enrollment Portal Link Expiration
    Expires after How long an enrollment portal link is valid for
    First Factor Authentication Enabled
    Enabled Whether the user must enter their username and password after clicking the email link before being able to enroll
  4. Click Test then click Update to confirm the Enrollment Portal settings:

Note: First Factor Authentication
The enrollment portal can be configured to have the user enter their first factor authentication credentials (for example against Active Directory or LDAP compatible user directory) prior to enrolling. This adds an additional protection for enrollment links.

SSL Certificate

There are a variety of ways to generate a certificate as it is dependent on the target environment. Here is tool that runs on Windows that generates Certificate Signing Requests (CSR): DigiCert Certificate Utility for Windows.

To configure the server TLS certificate.

  1. Navigate to SETUP > Settings
  2. Scroll to the SSL Certificate section click Edit
  3. Configure the SSL Certificate servers:

    Configuration values:

    Property Explanation
    Public Certificate A valid PEM format Public Certificate
    Private Key A valid PEM format Private Key
  4. Click Test then click Update to confirm the NTP Server settings:

Time Zone

To configure the server time zone. Default is UTC.

  1. Navigate to SETUP > Settings
  2. Scroll to the Time Zone section click Edit
  3. Select a time zone from the dropdown:
  4. Click Update to confirm the time zone setting:

Administrators

To configure an external directory to manager administrator access.

  1. Navigate to SETUP > Settings
  2. Scroll to the Administrators section click Edit:
  3. For Enabled select Yes and configure Enrollment Portal settings:

    Configuration details:

    Property Explanation
    Connection Details
    IP Address or Host Name The IP Address or Host Name of the Active Directory Server
    Port (Optional) The default is 389 for LDAP and 636 for LDAPS (LDAP + SSL).
    Transport Can be one of SMTP, SMTP + STARTTLS or SMTPS
    Bind Details
    Type Can be one of Bind with credential or Anonymous
    Bind DN DN of an account with read access to the directory. Example: cn:domain,dc=example,dc=com
    Bind Password The password for Bind DN account
    Query Details
    Base DN The top-level DN that usernames will be queried from. Example dc=example,dc=com
    Username Attribute The attribute containing user’s username. Examples: sAMAccountName or uid
    Filter (Optional) A query filter applied to the user query. Examples: (|(objectClass=inetorgperson)(objectClass=user)) or memberof=CN=Domain Admins,CN=users,DC=example,DC=com
    AD Groups
    Super Administrator Role Groups Users in this group will be granted Super Administrator role.
  4. Click Test then click Update to confirm the Administrators settings:

Note: logintc-user Account
The logintc-user account can still log in when the Administrators setting is enabled.

User Language

To configure the user language. Users will receive emails in this language. Default is English.

  1. Navigate to SETUP > Settings
  2. Scroll to the User Language section click Edit
  3. Select a user language from the dropdown:
  4. Click Update to confirm the user language setting:

Username Normalization

Specify whether usernames like “DOMAIN\john.doe” and “john.doe@example.com” are treated as-is or as simply “john.doe”. Default is No.

  1. Navigate to SETUP > Settings
  2. Scroll to the Username Normalization section click Edit
  3. Select Yes or No:
  4. Click Update to confirm the username normalization setting:

Logs

Configure how long to keep Admin and User logs locally and configure sending User and Admin logs to a syslog server.

  1. Navigate to SETUP > Settings
  2. Scroll to the Logs section click Edit
  3. Configure the retention policy and syslog server (optional):

    Configuration details:

    Property Explanation
    Retention Policy
    Keep Logs For Set how long to keep User and Admin logs locally
    Syslog Server Enabled
    Enabled Whether a syslog server is configured
    Server Hostname or IP Address of Syslog server
    Port Port of Syslog server. The default is 514
    Transport Type Can be UDP or TCP
    Log Facility How the syslog server should classify the logs
  4. Click Test then click Update to confirm the logs settings:

License

See Apply License.

API

Retrieve the Organization API Key.

  1. Navigate to SETUP > Settings
  2. Scroll to the API section click Click to view:

Do not share Organization API Key
It is important to not share the Organization API Key.

Supported Authentication Methods

LoginTC Managed supports a wide variety of authentication methods. Currently every method supported requires zero external dependencies.

Software TOTP

A one-time passwords generated on an app. For example LoginTC Authenticator, Google Authenticator, Microsoft Authenticator and generally any authenticator app that supports time-based one-time password (TOTP) specified in IETF RFC 6238.

The LoginTC Authenticator app is available:

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: LoginTC Passcode

Security Keys (FIDO2)

Security Keys are physical hardware based credentials that work with FIDO2 and WebAuthn.

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: Security Key

Hardware Token

A one-time password generated on single purpose hardware token device. Using LoginTC Hardware Token and generally any OATH compliant time-based one-time password (TOTP) using 6 or 8 digits and a 30 or 60 seconds time interval.

A variety of use cases can be seen here: Hardware Token

Passcode Grid

A 5×5 grid with uniquely generated 3 letter tuples that can be printed or saved to any device for quick authentication.

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: Passcode Grid

Bypass Code

User-specific 9 digit code that are created by LoginTC administrators to be used in specific situations, oftentimes an emergency, when all other authentication methods are unavailable.

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: Bypass Code

Supported LoginTC Connectors

LoginTC Managed is compatible with:

  • LoginTC AD FS Connector 1.2.1+
  • LoginTC Windows Logon and RDP Connector 1.3.1+
  • LoginTC OWA Connector 1.3.3+
  • LoginTC RD Web Access Connector 1.4.0+
  • LoginTC RD Gateway SSO Connector 1.0.0+
  • LoginTC RADIUS Connector 3.0.6+ (* see caveat below)

LoginTC RADIUS Connector Support Caveat
Since push notifications are not currently supported in LoginTC Managed, scenarios that require Direct authentication mode with a push notification are not supported. The only scenario that can only operate this way is Remote Desktop Gateway (RD Gateway) with RADIUS.

REST API

The REST API allows for programmatic actions to a wide variety of use cases.

This guide assumed the FQDN of the LoginTC Managed deployment is:

logintc-managed.example.com

Security

All REST API consumers must use HTTPS. Furthermore, all REST API consumers should check and verify the host’s SSL certificate.

Authentication

Your 64-character Organization API key is used to authenticate your API requests using the standard Authorization HTTP header:

Authorization: LoginTC key="YOUR API KEY"

The 64-character API key is found under the SETUP > Settings in the API section.

Resource Base Path

Resource URLs begin with:

logintc-managed.example.com:8443

For example, to create a new user, POST to:

https://logintc-managed.example.com:8443/rest-api/users

Resources

Create a User

POST /rest-api/users

Create a new user in your organization.

Parameters

Name Description Required
username A 1 to 128-character unique identifier Yes
name A 1 to 128-character real name (can be the same as username) Yes
email The user’s valid email address Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"' \
--data '{
    "username": "jane.doe",
    "name": "Jane Doe",
    "email": "jane.doe@example.com"
}'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "INACTIVE",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Retrieve a User

GET /rest-api/users/{usernameOrId}

Retrieve a user from your organization.

Parameters

Name Description Required
usernameOrId The username or userId of the user Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/john.doe' \
-X GET \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "58faa885ef8dd459a2e057c4ba8262956ab9317e",
  "username": "john.doe",
  "name": "John Doe",
  "email": "john.doe@example.com",
  "state": "PENDING",
  "retryLimit": 5,
  "hardwareToken": "5ddd94a34c6e91e0934f58c01649afda9571512e",
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Retrieve Users

GET /rest-api/users?page={page}

Retrieve users from your organization in paginated groups of 25.

Parameters

Name Description Required
page The page to retrieve the set of users from No

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users?page=1' \
-X GET \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "users": [
    {
      "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
      "username": "jane.doe",
      "name": "Jane Doe",
      "email": "jane.doe@example.com",
      "state": "INACTIVE",
      "retryLimit": 5,
      "hardwareToken": null,
      "softwareToken": null,
      "passcodeGrid": null,
      "u2fToken": null,
      "bypassCodes": []
    },
    {
      "id": "58faa885ef8dd459a2e057c4ba8262956ab9317e",
      "username": "john.doe",
      "name": "John Doe",
      "email": "john.doe@example.com",
      "state": "PENDING",
      "retryLimit": 5,
      "hardwareToken": "5ddd94a34c6e91e0934f58c01649afda9571512e",
      "softwareToken": null,
      "passcodeGrid": null,
      "u2fToken": null,
      "bypassCodes": []
    }
  ],
  "pageCount": 1,
  "pageSize": 25,
  "currentPage": 1
}

Update a User

PUT /rest-api/users/{usernameOrId}

Update a user in your organization.

Parameters

Name Description Required
name A 1 to 128-character real name (can be the same as username) Yes
email The user’s valid email address Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/john.doe' \
-X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"' \
--data '{
    "name": "John Doe",
    "email": "john.doe.new@example.com"
}'
{
  "id": "58faa885ef8dd459a2e057c4ba8262956ab9317e",
  "username": "john.doe",
  "name": "John Doe",
  "email": "john.doe.new@example.com",
  "state": "PENDING",
  "retryLimit": 5,
  "hardwareToken": "5ddd94a34c6e91e0934f58c01649afda9571512e",
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Suspend a User

POST /rest-api/users/{usernameOrId}/suspend

Suspend a user in your organization.

Parameters

Name Description Required
usernameOrId The username or userId of the user Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/suspend' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "SUSPENDED",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Unsuspend a User

POST /rest-api/users/{usernameOrId}/unsuspend

Unsuspend a user in your organization.

Parameters

Name Description Required
usernameOrId The username or userId of the user Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/unsuspend' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "PENDING",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Revoke a User

POST /rest-api/users/{usernameOrId}/revoke

Revoke a user in your organization.

Parameters

Name Description Required
usernameOrId The username or userId of the user Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/revoke' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "REVOKE",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Send enrollment email to a User

POST /rest-api/users/{usernameOrId}/enrollment-email

Send an enrollment email to a user in your organization.

Parameters

Name Description Required
usernameOrId The username or userId of the user Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/enrollment-email' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{"success":true}

Delete a User

DELETE /rest-api/users/{usernameOrId}

Delete a user in your organization.

Parameters

Name Description Required
usernameOrId The username or userId of the user Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe' \
-X DELETE \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{"success":true}
Apply License

To obtain licenses contact us.

  1. Navigate to SETUP > Settings
  2. Scroll to the License section click Edit
  3. Click Browse and select your LoginTC Managed license key file:
  4. Click Test to validate the license key file:
  5. Click Update to apply the license:
Upgrading

To obtain the latest upgrade packages contact us.

To obtain licenses contact us.

  1. Navigate to APPLIANCE > Upgrade:
  2. Click Upload and select your LoginTC Managed upgrade file:
  3. Click Upload and do not navigate away from the page:
  4. Once upload is complete upgrade by clicking Install Now:
  5. Wait 10-15 minutes for upgrade to complete:

NOTE: Upgrade time
Upgrade can take 10-15 minutes, please be patient.