LoginTC Managed is a complete on-premises (aka on-prem) Multi-Factor Authentication solution. It is deployed as a virtual appliance within your organization's network. There are no external dependencies. The solution is ideal for organizations that want to control their network flow, their authentication traffic, and where their user data resides.
Architecture
The above diagram shows how LoginTC Managed fits into a Windows Logon and RDP MFA scenario. LoginTC Managed is a drop-in replacement for LoginTC Cloud for all the LoginTC connectors: anywhere LoginTC Cloud would be used, LoginTC Managed takes its place. The solution does not require any external dependencies.
Prerequisites
Before proceeding, please ensure you have the following:
Appliance web interface (for example: https://172.20.221.75:8443)
To configure how the appliance keeps time.
NOTE: NTP Server must be configured
An NTP server must be configured for the appliance to operate accurately. For example, most one-time passcode authentication methods are time-based and will not function as expected without proper time synchronization in place.
Configuration values:
Property | Explanation |
---|---|
Server 1 | The primary NTP server |
Server 2 (Optional) | The second NTP server |
Note
You may need to log in again due to the server time change after the NTP configuration.
The organization name and icon can be used for user enrollment and iframe authentication.
To configure how the appliance will send enrollment emails and/or email one-time passcodes.
Configuration details:
Property | Explanation |
---|---|
Connection Details | |
Hostname or IP Address | SMTP gateway hostname or IP address |
Port | Port number of the SMTP gateway. The default is 25 |
Transport | Can be one of SMTP, SMTP + STARTTLS or SMTPS |
Username (Optional) | Username if required for authentication |
Password (Optional) | Password if required for authentication |
Email Details | |
From Address (Optional) | The from address in emails |
Reply-To Address (Optional) | The reply-to address in emails |
To configure how users enroll their tokens by receiving an email with a link to an enrollment portal. The enrollment portal is hosted by the LoginTC Managed appliance.
NOTE: SMTP Server Dependency
The enrollment portal relies on sending emails to end users with a link to the portal. The SMTP Server must be configured in order to use the enrollment portal.
Configuration details:
Property | Explanation |
---|---|
Authentication Methods | |
Software Tokens (OTP) | Allow users to authenticate with a software token (OTP) using an authenticator app like the LoginTC Authenticator app |
Passcode Grids | Allow users to enroll a passcode grid |
Enrollment Email | |
Subject | Subject line of the email |
Body | Body of the email |
HTTP Details | |
Host | The FQDN or IP address of your LoginTC Managed instance that your users will access |
Port | The IPv4 port number of your LoginTC Managed instance that your users will access |
Enrollment Portal Link Expiration | |
Expires after | How long an enrollment portal link is valid for |
First Factor Authentication Enabled | |
Enabled | Whether the user must enter their username and password after clicking the email link before being able to enroll |
Note: First Factor Authentication
The enrollment portal can be configured to require the user to enter their first factor authentication credentials (for example, against Active Directory or an LDAP-compatible user directory) prior to enrolling. This adds additional protection for enrollment links.
There are a variety of ways to generate a certificate, as this depends on the target environment. Here is a tool that runs on Windows and generates Certificate Signing Requests (CSR): DigiCert Certificate Utility for Windows.
To configure the server TLS certificate.
Configuration values:
Property | Explanation |
---|---|
Public Certificate | A valid PEM format Public Certificate |
Private Key | A valid PEM format Private Key |
To configure the server time zone. Default is UTC.
To configure an external directory to manage administrator access.
Configuration details:
Property | Explanation |
---|---|
Connection Details | |
IP Address or Host Name | The IP Address or Host Name of the Active Directory Server |
Port (Optional) | The default is 389 for LDAP and 636 for LDAPS (LDAP + SSL). |
Transport | The directory transport to use: LDAP or LDAPS (LDAP + SSL); see Port for the default port of each |
Bind Details | |
Type | Can be one of Bind with credential or Anonymous |
Bind DN | DN of an account with read access to the directory. Example: cn=domain,dc=example,dc=com |
Bind Password | The password for the Bind DN account |
Query Details | |
Base DN | The top-level DN that usernames will be queried from. Example: dc=example,dc=com |
Username Attribute | The attribute containing the user's username. Examples: sAMAccountName or uid |
Filter (Optional) | A query filter applied to the user query. Examples: (\|(objectClass=inetorgperson)(objectClass=user)) or (memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com) |
AD Groups | |
Super Administrator Role Groups | Users in these groups will be granted the Super Administrator role. |
Note: logintc-user Account
The logintc-user account can still log in when the Administrators setting is enabled.
To configure the user language. Users will receive emails in this language. Default is English.
Specify whether usernames like “DOMAIN\john.doe” and “john.doe@example.com” are treated as-is or as simply “john.doe”. Default is No.
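The username normalization setting just described and the Administrators directory query configured earlier (Username Attribute plus the optional Filter) come together when the appliance looks a user up. This added example, not LoginTC's own code, shows how the two settings can be combined safely: the administrator-supplied filter is trusted configuration, while the typed username is untrusted and is escaped per RFC 4515 so that filter metacharacters in it cannot change the query structure. Function names and the parenthesis-wrapping of a bare filter are assumptions of this example.

```python
from typing import Optional

# RFC 4515 escape table: these characters would otherwise alter filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_username(username: str, strip_domain: bool) -> str:
    """Mirror the setting that treats DOMAIN\\john.doe and john.doe@example.com
    as simply john.doe. With strip_domain=False (the documented default, No)
    the username is used exactly as typed."""
    if not strip_domain:
        return username
    if "\\" in username:                       # down-level logon name
        return username.rsplit("\\", 1)[1]
    if "@" in username:                        # user principal name
        return username.split("@", 1)[0]
    return username


def build_user_filter(username: str, attribute: str = "sAMAccountName",
                      extra_filter: Optional[str] = None,
                      strip_domain: bool = False) -> str:
    """Combine the Username Attribute lookup with the optional Filter setting.
    The extra filter is administrator configuration; the username is always escaped."""
    name = normalize_username(username, strip_domain)
    user_clause = f"({attribute}={escape_filter_value(name)})"
    if not extra_filter:
        return user_clause
    # Assumption: a bare "attr=value" filter (as in the memberof example) is wrapped in parentheses.
    extra = extra_filter if extra_filter.startswith("(") else f"({extra_filter})"
    return f"(&{user_clause}{extra})"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_user_filter("DOMAIN\\john.doe", strip_domain=True,
                            extra_filter="(|(objectClass=inetorgperson)(objectClass=user))"))
    print(build_user_filter("jane*)(objectClass=*", attribute="uid"))
```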
Configure how long to keep Admin and User logs locally and configure sending User and Admin logs to a syslog server.
Configuration details:
Property | Explanation |
---|---|
Retention Policy | |
Keep Logs For | Set how long to keep User and Admin logs locally |
Syslog Server Enabled | |
Enabled | Whether a syslog server is configured |
Server | Hostname or IP Address of the Syslog server |
Port | Port of the Syslog server. The default is 514 |
Transport Type | Can be UDP or TCP |
Log Facility | How the syslog server should classify the logs |
See Apply License.
Retrieve the Organization API Key.
Do not share Organization API Key
It is important not to share the Organization API Key.
LoginTC Managed runs Rocky Linux 9 with SELinux. A firewall runs with the following open ports:
Port | Protocol | Purpose |
---|---|---|
8443 | TCP | Web interface |
443 | TCP | Connector API interface |
Note: Username and Password
logintc-user is used for console and web access. The default password is “managed”. You will be asked to change the default password on first boot of the appliance.
LoginTC Managed supports a wide variety of authentication methods. Currently every method supported requires zero external dependencies.
A one-time password generated by an app. For example LoginTC Authenticator, Google Authenticator, Microsoft Authenticator and generally any authenticator app that supports time-based one-time passwords (TOTP) as specified in IETF RFC 6238.
The LoginTC Authenticator app is available:
Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.
A variety of use cases can be seen here: LoginTC Passcode
A one-time password generated on a single-purpose hardware token device, using the LoginTC Hardware Token or generally any OATH-compliant time-based one-time password (TOTP) token using 6 or 8 digits and a 30 or 60 second time interval.
A variety of use cases can be seen here: Hardware Token
A 5×5 grid of uniquely generated 3-letter tuples that can be printed or saved to any device for quick authentication.
Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.
A variety of use cases can be seen here: Passcode Grid
User-specific 9-digit codes that are created by LoginTC administrators for use in specific situations, often an emergency, when all other authentication methods are unavailable.
Offline Authentication
This authentication method is supported for offline authentication with the LoginTC Windows Logon and RDP Connector.
A variety of use cases can be seen here: Bypass Code
Supported LoginTC Connectors
LoginTC Managed is compatible with:
LoginTC RADIUS Connector Support Caveat
Since push notifications are not currently supported in LoginTC Managed, scenarios that require Direct authentication mode with a push notification are not supported. The only scenario that can operate only this way is Remote Desktop Gateway (RD Gateway) with RADIUS.
To obtain licenses contact us.
To obtain the latest upgrade packages contact us.
NOTE: Upgrade time
An upgrade can take 10-15 minutes; please be patient.