Active Directory Integration Guide - Secure Operations via Twingate & LDAPS


Overview

Imper.ai enables secure Active Directory password reset and account unlock operations by connecting to your Domain Controllers over LDAPS (TCP 636) using a Twingate subnet router deployed within your network.

No software or agent is installed on your Domain Controllers.

All connectivity is initiated from Imper.ai through the encrypted Twingate network to a subnet router you provision, which then communicates with your Domain Controllers over LDAPS.


Traffic Flow

Imper.ai service → Twingate secure network → Domain Controller(s) over LDAPS (TCP 636) → Active Directory

This design ensures:

  • No inbound access into your network

  • Communication limited to Domain Controllers

  • Encrypted directory communication via LDAPS

  • Minimal infrastructure changes required


Prerequisites

Before starting, ensure the following are available:

  • A dedicated Linux virtual machine (recommended: Ubuntu Server 22.04 LTS) with network access to your Domain Controllers

  • An Active Directory service account with the required permissions to perform the relevant actions

Required Service Account Permissions

Ensure the service account has the appropriate permissions based on the required functionality:

For password reset only:

  • Reset Password

To require users to change their password at next logon:

  • Reset Password

  • Read pwdLastSet

  • Write pwdLastSet

To unlock locked user accounts:

  • Write lockoutTime

Note: Delegate these permissions on the Organizational Unit (OU) that contains the managed users, scoped to descendant user objects, rather than at the domain root. Keep privileged and administrative accounts outside that OU: any account whose password the service account can reset is an account it could take over, so the delegation scope is the blast radius if the service account is compromised.


Step 1 - Integrate with Imper.ai

  1. Log in to the imper.ai admin console

  2. Navigate to the Integrations page

  3. Click Connect on the Active Directory integration

  4. Choose Install AD connector


Step 2 - Provision a Dedicated Subnet Router VM

Deploy a Linux virtual machine to act as the Twingate subnet router. Keep it dedicated to this role: it holds the Twingate enrollment credentials and has a network path to your Domain Controllers, so do not co-host other services on it.

  Parameter          Value
  Operating System   Ubuntu Server 22.04 LTS
  CPU                2 vCPU
  Memory             2 GB RAM
  Disk               20 GB

Allow Required Network Connectivity

Ensure the subnet router VM can reach your Domain Controllers and the DNS servers it uses to resolve them.

Required connectivity

  Source             Destination          Port         Purpose
  Subnet Router VM   Domain Controllers   TCP 636      LDAPS
  Subnet Router VM   DNS servers          TCP/UDP 53   Name resolution of the Domain Controller hostname

The Twingate connector additionally needs outbound Internet access to Twingate's controller and relay infrastructure (TCP 443, plus the relay port range listed in Twingate's Connector documentation). It only ever connects outbound, so no inbound firewall rule into your network is required. Plain LDAP (TCP 389) is not used and does not need to be opened.


Step 3 - Install & Authenticate Twingate

Click Copy and run the command on the subnet router VM.

The command downloads and installs the Twingate Connector and then activates it with the credentials embedded in the command.

Important security note about the credentials

The setup command contains embedded secret credential material for enrolling the VM into the imper.ai Twingate network provisioned for your tenant, including your customer-specific Twingate OAuth key.

Treat the setup command and the credentials it contains as confidential. Do not:

  • Commit them to source control

  • Upload them to shared documentation systems

  • Send them through unsecured channels

  • Reuse them outside the specific subnet router VM they were issued for

The OAuth key is used only to enroll the router VM into the network. It is sensitive and should be handled with the same level of care you would apply to private key material or any other infrastructure secret. Once enrollment succeeds, remove the command from the VM's shell history so the key does not linger on disk.

Local validation after the installation completes

After the script finishes, validate from the subnet router VM that it can open an LDAPS session to your Domain Controller on TCP 636 and that the Domain Controller's certificate chains to your CA (for example with openssl s_client against the DC on port 636, or an ldapsearch over an ldaps:// URL). A plain TCP connect is not enough: it does not show whether the certificate will verify.

Note: This check only verifies local connectivity from the router VM to your DC. imper.ai will validate the Twingate path from our side after the route is approved.


Step 4 - Create an Active Directory Service Account

Create a dedicated service account for Imper.ai to perform password resets and account unlocks over LDAPS, holding only the rights listed under Required Service Account Permissions.

Provide the following details to Imper.ai:

  • Domain controller IP address

  • Service account username (UPN preferred, e.g., svc-imper-ad-reset@contoso.com)

  • Service account password (shared via your secure channel)
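The following PowerShell script is an added example (not imper.ai's own tooling) that performs this step together with the delegation described under Required Service Account Permissions: it creates the service account and grants exactly Reset Password, Read/Write pwdLastSet and Write lockoutTime on descendant user objects of one OU, resolving the schema GUIDs from the directory rather than hardcoding them. The OU distinguished names, the NetBIOS domain name CONTOSO and the presence of the RSAT ActiveDirectory module are assumptions; the account name svc-imper-ad-reset comes from the page.

```powershell
# Added example, not imper.ai's code. Assumptions: RSAT ActiveDirectory module installed,
# run as a domain admin on a DC, managed users live under $TargetOU, NetBIOS domain CONTOSO.
Import-Module ActiveDirectory

$TargetOU = "OU=Staff,DC=contoso,DC=com"               # assumed OU holding the managed users
$SvcOU    = "OU=Service Accounts,DC=contoso,DC=com"    # assumed OU for the service account itself
$SvcSam   = "svc-imper-ad-reset"
$SvcUpn   = "$SvcSam@contoso.com"
$SvcPass  = Read-Host -AsSecureString "Password for $SvcSam"

# 1. Create the dedicated account. No group memberships beyond Domain Users are needed.
New-ADUser -Name $SvcSam -SamAccountName $SvcSam -UserPrincipalName $SvcUpn -Path $SvcOU `
    -AccountPassword $SvcPass -Enabled $true -KerberosEncryptionType "AES256" `
    -Description "Imper.ai LDAPS password reset / unlock"

# 2. Resolve the GUIDs of the user class, the two attributes and the extended right
#    from this forest's schema and configuration partitions.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClassGuid     = Get-SchemaGuid "user"
$pwdLastSetGuid    = Get-SchemaGuid "pwdLastSet"
$lockoutTimeGuid   = Get-SchemaGuid "lockoutTime"
$resetPasswordGuid = Get-ExtendedRightGuid "Reset Password"

# 3. Add three object-specific ACEs on the OU, inherited only by descendant user objects.
$sid = (Get-ADUser $SvcSam).SID
$acl = Get-Acl -Path "AD:\$TargetOU"
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function Add-Ace([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $descendants, $userClassGuid))
}

# Reset Password (extended right): the only right needed for a plain reset
Add-Ace ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $resetPasswordGuid
# Read + Write pwdLastSet: needed to force "change password at next logon"
Add-Ace ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) $pwdLastSetGuid
# Write lockoutTime: needed to unlock accounts
Add-Ace ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) $lockoutTimeGuid

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Verify that only the three expected ACEs exist for the service account on this OU.
(Get-Acl "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq "CONTOSO\$SvcSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification step should list exactly three rows, each with InheritedObjectType equal to the user class GUID; a row with an all-zero ObjectType would mean a blanket property right was granted by mistake. If you later find the account needs more than these rights, treat that as a sign something else is wrong rather than widening the delegation.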

Export the issuing CA certificate for LDAPS (optional, recommended)

Providing the CA certificate is what lets Imper.ai fully verify the Domain Controller's TLS certificate; without it, certificate verification is skipped. You will need the certificate of the CA that issued the Domain Controller's LDAPS certificate.

Option 1 - GUI

On a Domain Controller:

  1. Run certlm.msc

  2. Go to Personal -> Certificates (if the CA role does not run on this DC, the CA certificate is instead under Trusted Root Certification Authorities or Intermediate Certification Authorities)

  3. Locate the issuing CA certificate, for example contoso-ad-EC2AMAZ-LSQPDGV-CA

  4. Right-click it

  5. Select All Tasks -> Export

  6. In the wizard, select No, do not export the private key

  7. Select Base-64 encoded X.509 (.CER)

Send the exported .CER file to Imper.ai.

Option 2 - PowerShell export by thumbprint

If you know the CA certificate thumbprint (Cert:\LocalMachine\CA holds intermediate CAs; use Cert:\LocalMachine\Root for a root CA):

# Export-Certificate writes a DER-encoded .cer; run "certutil -encode" on it if a Base-64 file is required.
Export-Certificate -Cert (Get-Item "Cert:\LocalMachine\CA\CA_THUMBPRINT_HERE") -FilePath C:\ldaps-issuing-ca.cer

Then provide C:\ldaps-issuing-ca.cer to imper.ai.

What to send (if providing the CA certificate):

  1. The exported CA certificate file (Base64 .cer is fine)

  2. The LDAPS hostname we should verify (example: dc01.contoso.com)
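Both items can be gathered from the Domain Controller itself instead of browsing certificate stores. The script below is an added example (not part of imper.ai's documentation or tooling): it opens a TLS session to the DC on 636 exactly as an LDAPS client would, prints the subject, issuer and Subject Alternative Names of the certificate the DC presents, and then exports every CA certificate above the leaf as Base-64 PEM. The hostname dc01.contoso.com and the output path are assumptions; run it from a domain-joined Windows host that already trusts your CA.

```powershell
# Added example, not imper.ai's code. Assumptions: dc01.contoso.com is a Domain Controller
# reachable on TCP 636 from a domain-joined Windows host that trusts the issuing CA.
param(
    [string]$DcHost  = "dc01.contoso.com",
    [int]   $Port    = 636,
    [string]$OutFile = "C:\ldaps-issuing-ca.cer"
)

# 1. Open a TLS session the way an LDAPS client does. The default SslStream validation
#    stays on, so an untrusted chain or a hostname mismatch throws right here.
$tcp = [System.Net.Sockets.TcpClient]::new($DcHost, $Port)
try {
    $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $tls.AuthenticateAsClient($DcHost)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
    $tls.Dispose()
} finally { $tcp.Close() }

# 2. Show what imper.ai will see and verify. The hostname you hand over must appear in the SANs.
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"
"Valid   : $($leaf.NotBefore) to $($leaf.NotAfter)"
"SANs    : $(if ($san) { $san.Format($false) } else { '(none; hostname verification will fail)' })"

# 3. Build the chain and export every CA certificate above the leaf (issuing CA first,
#    then any intermediates and the root) as Base-64 PEM, the format the GUI wizard produces.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # chain shape only
if (-not $chain.Build($leaf)) {
    throw "Chain did not validate: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
}
$caCerts = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if ($caCerts.Count -eq 0) { throw "Leaf is self-signed; there is no separate issuing CA to export." }

$pem = ($caCerts | ForEach-Object {
    "-----BEGIN CERTIFICATE-----`n" +
    [Convert]::ToBase64String($_.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
    "`n-----END CERTIFICATE-----"
}) -join "`n"
Set-Content -Path $OutFile -Value $pem -Encoding ascii

"Exported $($caCerts.Count) CA certificate(s) to $OutFile (issuing CA: $($caCerts[0].Subject))"
"Hostname to give imper.ai for verification: $DcHost"
```

Save it as a .ps1 file and run it with the DC hostname as -DcHost. Two points worth checking in its output before sending anything: the hostname you pass must be one of the SANs, otherwise Imper.ai's verification will fail even with the right CA (an IP address only matches if it is itself listed as a SAN), and if the chain has more than one CA certificate, send the whole exported file rather than only the root.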

After completing, press connect.


What Imper.ai Will Configure Next

After receiving the required information, Imper.ai will:

  • Add a resource for your Domain Controller in the Twingate network

  • Grant your tenant’s AD-Connector access to the Domain Controller resource

    • Only to that resource

    • TCP 636 only

  • Configure the Imper.ai connector to:

    • Connect using LDAPS (TCP 636)

    • Validate the Domain Controller certificate using your CA certificate (if provided)

    • Authenticate using the provided service account

    • Perform password resets or account unlock using LDAP operations


Twingate Auth Key and VM Rebuilds

The Twingate authentication key is saved and used by the router VM to authenticate with the Twingate network.

No further action is required unless one of the following occurs:

  • The subnet router VM is rebuilt or replaced

  • Twingate is uninstalled

  • The node is removed from the Twingate network

If any of these events occur, contact Imper.ai to obtain a new authentication key, and reintegrate.


Troubleshooting

Reset Twingate Connection State (Clean Re-enrollment)

If the Twingate connector on the router VM is in a bad state (for example, the connector service fails to start or stay connected, the node does not re-register, or you need to fully start over), remove the package and re-run the setup script.

  1. Uninstall the Twingate connector package:

sudo apt purge twingate-connector

  2. Re-run the setup command provided by imper.ai. The node registers as a new connector device; if the original enrollment key is no longer valid, see Twingate Auth Key and VM Rebuilds above for obtaining a new one.

After re-enrollment, proceed normally through the imper.ai admin portal.


Common Issues

  • No CA certificate provided

    • TLS certificate verification is skipped, so the Domain Controller's identity is not verified: the session is still encrypted, but anything on the path that can terminate TLS could present its own certificate and impersonate the DC.

    • The connection still works, but with reduced security guarantees. Provide the issuing CA certificate and the LDAPS hostname to enable full verification.

  • Missing AD permissions

    • Password reset or account unlock operations fail because the service account lacks the required delegated rights. Check the ACEs on the OU holding the managed users against the list under Required Service Account Permissions.