LoginTC Managed

Overview

LoginTC Managed is a complete on-premises (also written onprem or on-prem) Multi-Factor Authentication solution. It is deployed as a virtual appliance within your organization's network and has no external dependencies. The solution is ideal for organizations that want to control where their authentication traffic flows and where their user data resides.

Architecture

LoginTC Managed is a drop-in replacement for LoginTC Cloud for all the LoginTC connectors: wherever a connector would talk to LoginTC Cloud, it talks to LoginTC Managed instead. The solution does not require any external dependencies.

Windows Logon and RDP

Microsoft Active Directory Federation Services

RADIUS with a VPN

Prerequisites

Before proceeding, please ensure you have the following:

  • Computer virtualization software such as VMware ESXi, VirtualBox, or Hyper-V
  • Virtual Machine requirements:
    • 2048 MiB RAM
    • 16 GiB disk size
    • 2 CPU

Virtual Appliance Overview

LoginTC Managed runs a firewall with the following open inbound ports:

Port   Protocol   Purpose
8443   TCP        Administrative web interface
443    TCP        Connector API interface

Outbound ports that LoginTC Managed may use:

Port      Protocol                                  Purpose
25/587    SMTP (configurable)                       Sending enrollment emails, Email OTP authentication
389/636   LDAP / Active Directory (configurable)    User enrollment password verification, administrator login
123       NTP                                       Configured NTP server

Note: Username and Password
logintc-user is used for console and web access. The default password is managed. You will be asked to change the default password on first boot of the appliance.

Installation

Virtual Appliance Setup

  1. Download the latest LoginTC Managed.
  2. Import the virtual appliance into your computer virtualization software
  3. Ensure that LoginTC Managed has a virtual network card
  4. Start the virtual appliance
  5. You will be presented with a console prompt:
  6. Login using the username logintc-user and default password managed:
  7. Once logged in type setup:
  8. Follow the on-screen prompt to set up a new password for logintc-user:
  9. By default the appliance network is not configured. Once on the console dashboard, type 1 and press Enter to configure the network:
  10. Follow the on-screen prompts to set up the network. When done, type 1 and press Enter to confirm the settings:
  11. You will be presented with the network configuration which includes the URL to connect to the appliance from a web browser (example https://172.20.221.75:8443):

License Key

  1. Navigate to the URL shown in the console dashboard (example: https://172.20.221.75:8443)
  2. Login using the user logintc-user and the password set in the initial setup:
  3. Click No, how can I get a LoginTC Managed license? if you do not have a license, otherwise click Yes, import LoginTC Managed license:
  4. Contact Sales using the Appliance ID to obtain a license:
  5. Once you have the license, go back and click Yes, import LoginTC Managed license, select your license file then click Import:
  6. Upon successful import, details of the license will be presented:
  7. Click Continue to LoginTC Managed and you will be redirected to the dashboard:

Appliance Settings

NTP Server

To configure how the appliance keeps time.

NOTE: NTP Server must be configured
An NTP server must be configured for the appliance to operate accurately. For example, most one-time passcode authentication methods are time-based and will not function as expected without proper time synchronization in place.

  1. Navigate to APPLIANCE > Settings:
  2. Scroll to the NTP Server section click Edit:
  3. For Enabled select Yes and configure the NTP servers (example uses public NTP servers):

    Configuration values:

    Property   Explanation
    Server 1   The primary NTP server
    Server 2   (Optional) The second NTP server
  4. Click Test then click Update to confirm the NTP Server settings:

Note
You may need to login again due to server time change after the NTP configuration.

Organization Details

The organization name and icon can be used for user enrollment and iframe authentication.

  1. Navigate to SETUP > Settings
  2. Scroll to the Organization section click Edit:
  3. Enter new Name and / or change the icon
  4. Click Update to confirm the changes

SMTP Server

To configure how the appliance will send enrollment emails and/or email one-time passcodes.

  1. Navigate to SETUP > Settings
  2. Scroll to the SMTP Server section click Edit:
  3. For Enabled select Yes and configure SMTP settings:

    Configuration details:

    Property                  Explanation
    Connection Details
      Hostname or IP Address  SMTP gateway hostname or IP address
      Port                    Port number of the SMTP gateway. The default is 25
      Transport               Can be one of SMTP, SMTP + STARTTLS or SMTPS
      Username                (Optional) Username if required for authentication
      Password                (Optional) Password if required for authentication
    Email Details
      From Address            (Optional) The from address in emails
      Reply-To Address        (Optional) The reply-to address in emails
  4. Click Test then click Update to confirm the SMTP Server settings:

Enrollment Portal

To configure how users enroll their tokens by receiving an email with a link to an enrollment portal. The enrollment portal is hosted by the LoginTC Managed appliance.

NOTE: SMTP Server Dependency
The enrollment portal relies on sending emails to end users with a link to the portal. The SMTP Server must be configured to leverage the enrollment portal.

  1. Navigate to SETUP > Settings
  2. Scroll to the Enrollment Portal section click Edit:
  3. For Enabled select Yes and configure Enrollment Portal settings:

    Configuration details:

    Property                 Explanation
    Authentication Methods
      Software Tokens (OTP)  Allow users to authenticate with a software token (OTP) using an authenticator app like the LoginTC Authenticator app
      Passcode Grids         Allow users to enroll a passcode grid
    Enrollment Email
      Subject                Subject line of the email
      Body                   Body of the email
    HTTP Details
      Host                   The FQDN or IP address of your LoginTC Managed instance that your users will access
      Port                   The IPv4 port number of your LoginTC Managed instance that your users will access
    Enrollment Portal Link Expiration
      Expires after          How long an enrollment portal link is valid for
    First Factor Authentication Enabled
      Enabled                Whether the user must enter their username and password after clicking the email link before being able to enroll
  4. Click Test then click Update to confirm the Enrollment Portal settings:

Note: First Factor Authentication
The enrollment portal can be configured to have the user enter their first factor authentication credentials (for example against Active Directory or LDAP compatible user directory) prior to enrolling. This adds an additional protection for enrollment links.

SSL Certificate

There are a variety of ways to generate a certificate, as it depends on the target environment. Here is a tool that runs on Windows and generates Certificate Signing Requests (CSR): DigiCert Certificate Utility for Windows.

To configure the server TLS certificate.

  1. Navigate to SETUP > Settings
  2. Scroll to the SSL Certificate section click Edit
  3. Configure the SSL Certificate:

    Configuration values:

    Property             Explanation
    Public Certificate   A valid PEM format public certificate
    Private Key          A valid PEM format private key
  4. Click Test then click Update to confirm the SSL Certificate settings:

Time Zone

To configure the server time zone. Default is UTC.

  1. Navigate to SETUP > Settings
  2. Scroll to the Time Zone section click Edit
  3. Select a time zone from the dropdown:
  4. Click Update to confirm the time zone setting:

Administrators

To configure an external directory to manage administrator access.

  1. Navigate to SETUP > Settings
  2. Scroll to the Administrators section click Edit:
  3. For Enabled select Yes and configure the Administrators settings:

    Configuration details:

    Property                           Explanation
    Connection Details
      IP Address or Host Name          The IP Address or Host Name of the Active Directory Server
      Port                             (Optional) The default is 389 for LDAP and 636 for LDAPS (LDAP + SSL).
      Transport                        The LDAP transport to use, matching the port above (LDAP, or LDAPS for LDAP + SSL)
    Bind Details
      Type                             Can be one of Bind with credential or Anonymous
      Bind DN                          DN of an account with read access to the directory. Example: cn=domain,dc=example,dc=com
      Bind Password                    The password for the Bind DN account
    Query Details
      Base DN                          The top-level DN that usernames will be queried from. Example: dc=example,dc=com
      Username Attribute               The attribute containing the user’s username. Examples: sAMAccountName or uid
      Filter                           (Optional) A query filter applied to the user query. Examples: (|(objectClass=inetorgperson)(objectClass=user)) or memberof=CN=Domain Admins,CN=users,DC=example,DC=com
    AD Groups
      Super Administrator Role Groups  Users in this group will be granted the Super Administrator role.
  4. Click Test then click Update to confirm the Administrators settings:

Note: logintc-user Account
The logintc-user account can still log in when the Administrators setting is enabled.
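The Username Attribute, Filter and Base DN settings above define how the appliance looks an administrator up in the directory. The following is an added example, not LoginTC's code: it shows how such a lookup filter should be assembled so that the typed username cannot alter the query (values are escaped per RFC 4515) and includes a small sanity check for the Bind DN and Base DN values. The assumption that the optional Filter is ANDed onto the username match is the author's; the escaping rules are standard.

```python
"""Safe assembly of the administrator lookup query described in the
Administrators settings. Added example, not the appliance's own code."""
import re

# RFC 4515: characters that must be escaped when a value is placed inside a
# search filter. Without this a username such as  *)(objectClass=*  would
# change the meaning of the query instead of being matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
_RDN_RE = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*=[^,]+")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username_attribute: str, username: str, extra_filter: str = "") -> str:
    """Return a filter matching one account by Username Attribute.

    The optional Filter from the settings is ANDed with the username test
    (assumed behaviour). A bare "attr=value" filter, like the page's memberof
    example, is wrapped in parentheses so it is a valid filter component.
    """
    if not _ATTRIBUTE_RE.fullmatch(username_attribute):
        raise ValueError("invalid LDAP attribute name: %r" % username_attribute)
    user_match = "(%s=%s)" % (username_attribute, escape_filter_value(username))
    extra = extra_filter.strip()
    if not extra:
        return user_match
    if not extra.startswith("("):
        extra = "(" + extra + ")"
    return "(&" + user_match + extra + ")"


def check_dn(dn: str) -> bool:
    """Cheap pre-flight check for Bind DN / Base DN: every comma-separated RDN
    must have the form attr=value. Catches typos such as cn:domain,dc=example,dc=com.
    (Escaped commas inside values are not handled by this simplified check.)"""
    parts = dn.split(",")
    return bool(parts) and all(_RDN_RE.fullmatch(part) for part in parts)
```

A practitioner's check: run the typed Filter value from the settings through build_user_filter with a known username before clicking Test, and confirm the resulting filter still matches exactly one entry in the directory.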

User Language

To configure the user language. Users will receive emails in this language. Default is English.

  1. Navigate to SETUP > Settings
  2. Scroll to the User Language section click Edit
  3. Select a user language from the dropdown:
  4. Click Update to confirm the user language setting:

Username Normalization

Specify whether usernames like “DOMAIN\john.doe” and “john.doe@example.com” are treated as-is or as simply “john.doe”. Default is No.

  1. Navigate to SETUP > Settings
  2. Scroll to the Username Normalization section click Edit
  3. Select Yes or No:
  4. Click Update to confirm the username normalization setting:
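As an added illustration of the rule above (not the appliance's code; the exact parsing the appliance applies is not documented here, so the split rules are an assumption), the following shows both forms collapsing to the plain username, the as-is behaviour when the setting is No, and a pre-flight check for accounts that would collide once normalized.

```python
"""Username Normalization rule, as an added example with assumed split rules."""
from typing import Dict, List


def normalize_username(username: str, enabled: bool = True) -> str:
    """With normalization enabled, "DOMAIN\\john.doe" and "john.doe@example.com"
    both become "john.doe"; with it disabled (the default) the name is used as-is."""
    if not enabled:
        return username
    name = username.strip()
    if "\\" in name:                      # down-level logon name: DOMAIN\user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # UPN / e-mail style: user@realm
        name = name.split("@", 1)[0]
    return name


def find_collisions(usernames: List[str]) -> Dict[str, List[str]]:
    """Return normalized names that more than one input maps to.

    When two directory accounts collapse to the same normalized name the
    appliance can no longer tell them apart, so every such group needs
    attention before the setting is switched to Yes.
    """
    buckets: Dict[str, List[str]] = {}
    for raw in usernames:
        buckets.setdefault(normalize_username(raw), []).append(raw)
    return {name: raws for name, raws in buckets.items() if len(raws) > 1}
```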

Logs

Configure how long to keep Admin and User logs locally and configure sending User and Admin logs to a syslog server.

  1. Navigate to SETUP > Settings
  2. Scroll to the Logs section click Edit
  3. Configure the retention policy and syslog server (optional):

    Configuration details:

    Property           Explanation
    Retention Policy
      Keep Logs For    Set how long to keep User and Admin logs locally
    Syslog Server Enabled
      Enabled          Whether a syslog server is configured
      Server           Hostname or IP Address of the Syslog server
      Port             Port of the Syslog server. The default is 514
      Transport Type   Can be UDP or TCP
      Log Facility     How the syslog server should classify the logs
  4. Click Test then click Update to confirm the logs settings:

License

See Apply License.

API

Retrieve the Organization API Key.

  1. Navigate to SETUP > Settings
  2. Scroll to the API section click Click to view:

Do not share Organization API Key
It is important to not share the Organization API Key.

Supported Authentication Methods

LoginTC Managed supports a wide variety of authentication methods. Currently every method supported requires zero external dependencies.

Software TOTP

One-time passwords generated by an app, for example LoginTC Authenticator, Google Authenticator, Microsoft Authenticator and generally any authenticator app that supports time-based one-time passwords (TOTP) as specified in IETF RFC 6238.

The LoginTC Authenticator app is available:

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: LoginTC Passcode

Security Keys (FIDO2)

Security Keys are physical hardware based credentials that work with FIDO2 and WebAuthn.

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: Security Key

Hardware Token

A one-time password generated on a single-purpose hardware token device, using the LoginTC Hardware Token or generally any OATH-compliant time-based one-time password (TOTP) token using 6 or 8 digits and a 30 or 60 second time interval.

A variety of use cases can be seen here: Hardware Token
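Both the Software TOTP and Hardware Token methods above rely on RFC 6238. The following added example (not LoginTC's code) implements the algorithm with the 6/8-digit and 30/60-second variants the page mentions, plus the two checks a verifier needs: a small window for clock drift and a last-used-counter check so an accepted code cannot be replayed within its lifetime. The secret and timestamps are the RFC 6238 Appendix B test vectors, constructed input rather than anything from a real token.

```python
"""RFC 6238 TOTP generation and verification. Added example, not LoginTC's code."""
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890"). Real token secrets are random.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole `step`-second intervals since the epoch.
    digits=8, step=60 gives the hardware-token variant mentioned on the page."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_used_counter: int = -1,
                digits: int = 6, step: int = 30, window: int = 1) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    Codes from `window` steps either side of the current one are accepted to
    tolerate clock drift (the reason the NTP setting matters). Any counter at
    or below `last_used_counter` is refused, so a code that was already accepted
    cannot be replayed during the rest of the window. Comparison is constant-time.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = unix_time // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None
```

The caller stores the counter returned by verify_totp with the user record and passes it back as last_used_counter on the next attempt; that is what turns a "valid for 30 seconds" code into a "valid once" code.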

Passcode Grid

A 5×5 grid with uniquely generated 3 letter tuples that can be printed or saved to any device for quick authentication.

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: Passcode Grid

Bypass Code

User-specific 9-digit codes that are created by LoginTC administrators to be used in specific situations, oftentimes an emergency, when all other authentication methods are unavailable.

Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.

A variety of use cases can be seen here: Bypass Code

Supported LoginTC Connectors

LoginTC Managed is compatible with:

  • LoginTC AD FS Connector 1.2.1+
  • LoginTC Windows Logon and RDP Connector 1.3.1+
  • LoginTC OWA Connector 1.3.3+
  • LoginTC RD Web Access Connector 1.4.0+
  • LoginTC RD Gateway SSO Connector 1.0.0+
  • LoginTC RADIUS Connector 3.0.6+ (* see caveat below)

LoginTC RADIUS Connector Support Caveat
Since push notifications are not currently supported in LoginTC Managed, scenarios that require Direct authentication mode with a push notification are not supported. The only scenario that must operate this way is Remote Desktop Gateway (RD Gateway) with RADIUS.

REST API

The REST API allows for programmatic actions to a wide variety of use cases.

This guide assumes the FQDN of the LoginTC Managed deployment is:

logintc-managed.example.com

Security

All REST API consumers must use HTTPS. Furthermore, all REST API consumers should check and verify the host’s SSL certificate.

Authentication

Your 64-character Organization API key is used to authenticate your API requests using the standard Authorization HTTP header:

Authorization: LoginTC key="YOUR API KEY"

The 64-character API key is found under the SETUP > Settings in the API section.

Resource Base Path

Resource URLs begin with:

logintc-managed.example.com:8443

For example, to create a new user, POST to:

https://logintc-managed.example.com:8443/rest-api/users

Resources

Create a User

POST /rest-api/users

Create a new user in your organization.

Parameters

Name       Description                                                     Required
username   A 1 to 128-character unique identifier                          Yes
name       A 1 to 128-character real name (can be the same as username)    Yes
email      The user’s valid email address                                  Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"' \
--data '{
    "username": "jane.doe",
    "name": "Jane Doe",
    "email": "jane.doe@example.com"
}'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "INACTIVE",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Retrieve a User

GET /rest-api/users/{usernameOrId}

Retrieve a user from your organization.

Parameters

Name           Description                          Required
usernameOrId   The username or userId of the user   Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/john.doe' \
-X GET \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "58faa885ef8dd459a2e057c4ba8262956ab9317e",
  "username": "john.doe",
  "name": "John Doe",
  "email": "john.doe@example.com",
  "state": "PENDING",
  "retryLimit": 5,
  "hardwareToken": "5ddd94a34c6e91e0934f58c01649afda9571512e",
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Retrieve Users

GET /rest-api/users?page={page}

Retrieve users from your organization in paginated groups of 25.

Parameters

Name   Description                                  Required
page   The page to retrieve the set of users from   No

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users?page=1' \
-X GET \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "users": [
    {
      "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
      "username": "jane.doe",
      "name": "Jane Doe",
      "email": "jane.doe@example.com",
      "state": "INACTIVE",
      "retryLimit": 5,
      "hardwareToken": null,
      "softwareToken": null,
      "passcodeGrid": null,
      "u2fToken": null,
      "bypassCodes": []
    },
    {
      "id": "58faa885ef8dd459a2e057c4ba8262956ab9317e",
      "username": "john.doe",
      "name": "John Doe",
      "email": "john.doe@example.com",
      "state": "PENDING",
      "retryLimit": 5,
      "hardwareToken": "5ddd94a34c6e91e0934f58c01649afda9571512e",
      "softwareToken": null,
      "passcodeGrid": null,
      "u2fToken": null,
      "bypassCodes": []
    }
  ],
  "pageCount": 1,
  "pageSize": 25,
  "currentPage": 1
}
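The three sections above (Security, Authentication and the paginated Retrieve Users call) are enough to write a small client. The following is an added example, not LoginTC's SDK: it sends the Authorization header exactly as documented, refuses anything but HTTPS and verifies the host certificate, quotes the usernameOrId path segment, and walks every page using the pageCount field from the response. The injectable transport callable is an assumption made so the client can be exercised offline; the default transport is real HTTPS.

```python
"""Minimal LoginTC Managed REST API client. Added example, not LoginTC's own code."""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Optional

# FQDN the guide assumes for the deployment.
DEFAULT_BASE_URL = "https://logintc-managed.example.com:8443"

# (method, url, headers, body) -> decoded JSON; injectable for offline use (assumption).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Any]


class LoginTCManagedClient:
    def __init__(self, api_key: str, base_url: str = DEFAULT_BASE_URL,
                 transport: Optional[Transport] = None) -> None:
        if len(api_key) != 64:
            raise ValueError("the Organization API key is 64 characters")
        self.base_url = base_url.rstrip("/")
        # Header format from the Authentication section; the key is a secret.
        self._headers = {
            "Content-Type": "application/json",
            "Authorization": 'LoginTC key="%s"' % api_key,
        }
        self._transport = transport or self._https_transport

    @staticmethod
    def _https_transport(method: str, url: str, headers: Dict[str, str],
                         body: Optional[bytes]) -> Any:
        # Security section: HTTPS only, and verify the host's certificate.
        if not url.startswith("https://"):
            raise ValueError("REST API consumers must use HTTPS")
        context = ssl.create_default_context()  # verifies the chain and the hostname
        request = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(request, context=context, timeout=10) as response:
            return json.loads(response.read().decode("utf-8"))

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> Any:
        body = json.dumps(payload).encode("utf-8") if payload is not None else None
        return self._transport(method, self.base_url + path, dict(self._headers), body)

    @staticmethod
    def _user_path(username_or_id: str) -> str:
        # Quote the path segment so a username cannot add path components.
        return "/rest-api/users/" + urllib.parse.quote(username_or_id, safe="")

    def create_user(self, username: str, name: str, email: str) -> dict:
        return self._call("POST", "/rest-api/users",
                          {"username": username, "name": name, "email": email})

    def get_user(self, username_or_id: str) -> dict:
        return self._call("GET", self._user_path(username_or_id))

    def suspend_user(self, username_or_id: str) -> dict:
        return self._call("POST", self._user_path(username_or_id) + "/suspend")

    def iter_users(self) -> Iterator[dict]:
        """Walk every page of GET /rest-api/users?page=N, stopping at pageCount."""
        page = 1
        while True:
            data = self._call("GET", "/rest-api/users?page=%d" % page)
            yield from data["users"]
            if page >= int(data["pageCount"]):
                return
            page += 1


def users_by_state(client: LoginTCManagedClient) -> Dict[str, List[str]]:
    """Group usernames by state (INACTIVE, PENDING, SUSPENDED, ...), e.g. to review
    accounts that never finished enrollment."""
    grouped: Dict[str, List[str]] = {}
    for user in client.iter_users():
        grouped.setdefault(user["state"], []).append(user["username"])
    return grouped


if __name__ == "__main__":
    import os
    # Real use: read the Organization API Key from the environment, never from source.
    client = LoginTCManagedClient(os.environ["LOGINTC_API_KEY"])
    for state, names in users_by_state(client).items():
        print(state, len(names))
```

Keep the Organization API Key out of source control and command history (the page's own warning applies to scripts as much as to people); the example reads it from an environment variable.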

Update a User

PUT /rest-api/users/{usernameOrId}

Update a user in your organization.

Parameters

Name    Description                                                     Required
name    A 1 to 128-character real name (can be the same as username)    Yes
email   The user’s valid email address                                  Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/john.doe' \
-X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"' \
--data '{
    "name": "John Doe",
    "email": "john.doe.new@example.com"
}'
{
  "id": "58faa885ef8dd459a2e057c4ba8262956ab9317e",
  "username": "john.doe",
  "name": "John Doe",
  "email": "john.doe.new@example.com",
  "state": "PENDING",
  "retryLimit": 5,
  "hardwareToken": "5ddd94a34c6e91e0934f58c01649afda9571512e",
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Suspend a User

POST /rest-api/users/{usernameOrId}/suspend

Suspend a user in your organization.

Parameters

Name           Description                          Required
usernameOrId   The username or userId of the user   Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/suspend' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "SUSPENDED",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Unsuspend a User

POST /rest-api/users/{usernameOrId}/unsuspend

Unsuspend a user in your organization.

Parameters

Name           Description                          Required
usernameOrId   The username or userId of the user   Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/unsuspend' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "PENDING",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Revoke a User

POST /rest-api/users/{usernameOrId}/revoke

Revoke a user in your organization.

Parameters

Name           Description                          Required
usernameOrId   The username or userId of the user   Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/revoke' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{
  "id": "2af9cae4697ec16d4c478bc5ddf8726c5d6b80a7",
  "username": "jane.doe",
  "name": "Jane Doe",
  "email": "jane.doe@example.com",
  "state": "REVOKE",
  "retryLimit": 5,
  "hardwareToken": null,
  "softwareToken": null,
  "passcodeGrid": null,
  "u2fToken": null,
  "bypassCodes": []
}

Send enrollment email to a User

POST /rest-api/users/{usernameOrId}/enrollment-email

Send an enrollment email to a user in your organization.

Parameters

Name           Description                          Required
usernameOrId   The username or userId of the user   Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe/enrollment-email' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{"success":true}

Delete a User

DELETE /rest-api/users/{usernameOrId}

Delete a user in your organization.

Parameters

Name           Description                          Required
usernameOrId   The username or userId of the user   Yes

Example

$ curl 'https://logintc-managed.example.com:8443/rest-api/users/jane.doe' \
-X DELETE \
-H 'Content-Type: application/json' \
-H 'Authorization: LoginTC key="dagKNHXY7ad781cve2J6znpPXo7siZlFsm9h481LfDh1ozIgDP8hcrb3YSM4hQxk"'
{"success":true}

Apply License

To obtain licenses contact us.

  1. Navigate to SETUP > Settings
  2. Scroll to the License section click Edit
  3. Click Browse and select your LoginTC Managed license key file:
  4. Click Test to validate the license key file:
  5. Click Update to apply the license:

Upgrading

To obtain the latest upgrade packages contact us.

  1. Navigate to APPLIANCE > Upgrade:
  2. Click Upload and select your LoginTC Managed upgrade file:
  3. Click Upload and do not navigate away from the page:
  4. Once upload is complete upgrade by clicking Install Now:
  5. Wait 10-15 minutes for upgrade to complete:

NOTE: Upgrade time
Upgrade can take 10-15 minutes, please be patient.