AD Integration Guide - Password Reset via Tailscale and LDAPS


Overview

Imper.ai enables secure Active Directory password reset operations by connecting to your Domain Controllers over LDAPS (TCP 636) using a Tailscale subnet router deployed within your network.

No software or agent is installed on your Domain Controllers.

All connectivity is initiated from Imper.ai through the encrypted Tailscale network to a subnet router you provision, which then communicates with your Domain Controllers over LDAPS.


Traffic Flow

Imper.ai service → Tailscale network (WireGuard-encrypted) → subnet router VM in your network → Domain Controller(s) over LDAPS (TCP 636)

This design ensures:

  • No inbound firewall rules: the subnet router establishes its Tailscale connection outbound, so no port is opened into your network

  • Traffic is limited to the Domain Controller subnet(s) and TCP 636 by Tailscale ACLs

  • Encrypted directory communication via LDAPS, on top of the encrypted Tailscale tunnel

  • Minimal infrastructure changes: one small Linux VM and one service account


Prerequisites

Before starting, ensure the following are available:

• A dedicated Linux virtual machine (recommended: Ubuntu Server 22.04 LTS) with network access to your Domain Controllers  

• An Active Directory service account with permission to reset passwords (the Reset Password control access right on the user objects in scope) and to read directory entries


Integrate with Imper.ai

  1. Log in to the Imper.ai admin console

  2. Navigate to the Integrations page

  3. Click Connect on the Active Directory integration

  4. Choose Install AD connector

  5. Click Export Script and execute it on the router VM. Alternatively, work through the setup instructions in the following sections by hand.

  6. Click Connect

  7. Fill out the connection fields shown in the console

  8. Click Connect


Customer Setup Instructions

Step 1 - Provision a Dedicated Subnet Router VM

Deploy a Linux virtual machine to act as the Tailscale subnet router.

Recommended VM configuration

  Parameter           Value
  Operating System    Ubuntu Server 22.04 LTS
  CPU                 2 vCPU
  Memory              2 GB RAM
  Disk                20 GB

Make sure the virtual machine (VM) is on a network that can communicate with your Active Directory Domain Controllers.


Step 2 - Allow Required Network Connectivity

Ensure the subnet router VM can reach your Domain Controllers and DNS servers. The VM also needs outbound Internet access to reach the Tailscale coordination servers and relays; no inbound rule is required.

Required connectivity

  Source              Destination                   Port         Purpose
  Subnet Router VM    Domain Controllers            TCP 636      LDAPS

Recommended (for DNS resolution)

  Source              Destination                   Port         Purpose
  Subnet Router VM    DNS servers (often the DCs)   TCP/UDP 53   Name resolution


Step 3 - Run the setup script

The setup script exported from the integration page in Imper.ai runs the commands below. If you prefer to run them by hand, work through 3.1 to 3.5 in order.

The script embeds a Tailscale authentication key issued by Imper.ai for enrolling this subnet router. Treat the script as a secret while the key is unused.

3.1 Install Tailscale

Run the following command on the Ubuntu VM. It pipes a remote script into a shell; if your change policy does not allow that, download install.sh, review it, and then run it:

curl -fsSL https://tailscale.com/install.sh | sh

3.2 Enable IPv4 and IPv6 forwarding

IPv6 forwarding is required as well, because the 4via6 route advertised in step 3.4 is an IPv6 prefix.

Run:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

3.3 Generate your 4via6 route

Replace <YOUR_SUBNET_CIDR> with the subnet containing your Domain Controllers (e.g. 10.128.0.0/24). The subnet must be a network address with no host bits set.

Your site ID is pre-filled in the exported script:

tailscale debug via <YOUR_SITE_ID> <YOUR_SUBNET_CIDR>

The output is your 4via6 route: an IPv6 prefix (a /120 for a /24 subnet) that encodes the site ID and your IPv4 subnet, so that customer networks with overlapping private ranges can coexist on the tailnet. You will advertise it in the next step. Clients on the tailnet reach a Domain Controller through its mapped IPv6 address, not its raw IPv4 address.
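To make the output of tailscale debug via less opaque, the following is an added example (not code from Imper.ai or Tailscale) that reproduces Tailscale's published 4via6 address layout: the fd7a:115c:a1e0:b1a::/64 prefix, 16 zero bits, a 16-bit site ID, then the 32-bit IPv4 address, with the IPv6 prefix length equal to 96 plus the IPv4 prefix length. The site IDs and subnets used here are constructed sample values; tailscale debug via remains the authoritative way to produce the route you advertise.

```python
import ipaddress

# Tailscale's 4via6 range. Layout of a full address (constructed from Tailscale's
# documented format, not from the connector): 64-bit prefix | 16 zero bits |
# 16-bit site ID | 32-bit IPv4 address.
VIA_PREFIX = ipaddress.IPv6Network("fd7a:115c:a1e0:b1a::/64")


def via_route(site_id: int, cidr: str) -> str:
    """Return the 4via6 route to advertise for IPv4 subnet `cidr` under `site_id`.

    Mirrors `tailscale debug via <site_id> <cidr>`; a /24 becomes a /120.
    """
    if not 0 <= site_id <= 0xFFFF:
        raise ValueError("site ID must fit in 16 bits")
    # strict=True rejects inputs with host bits set, e.g. 10.128.0.5/24
    net = ipaddress.IPv4Network(cidr, strict=True)
    base = int(VIA_PREFIX.network_address)
    addr = base | (site_id << 32) | int(net.network_address)
    return str(ipaddress.IPv6Network((addr, 96 + net.prefixlen)))


def via_address(site_id: int, ipv4: str) -> str:
    """The address a tailnet client uses to reach one IPv4 host (e.g. a DC) via 4via6."""
    return via_route(site_id, f"{ipv4}/32").split("/")[0]


def via_to_ipv4(addr: str) -> tuple:
    """Inverse mapping: recover (site_id, ipv4) from a 4via6 address."""
    a = ipaddress.IPv6Address(addr)
    if a not in VIA_PREFIX:
        raise ValueError(f"{addr} is not a Tailscale 4via6 address")
    raw = int(a)
    if (raw >> 48) & 0xFFFF:
        raise ValueError("bits 64-79 must be zero in a 4via6 address")
    site_id = (raw >> 32) & 0xFFFF
    return site_id, str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))


if __name__ == "__main__":
    # Sample values only: site ID 5 and the subnet used as the example on this page.
    print(via_route(5, "10.128.0.0/24"))        # fd7a:115c:a1e0:b1a:0:5:a80:0/120
    print(via_address(5, "10.128.0.10"))        # fd7a:115c:a1e0:b1a:0:5:a80:a
    print(via_to_ipv4("fd7a:115c:a1e0:b1a:0:5:a80:a"))
```

The reverse mapping is handy when reading Tailscale ACL logs or the connector's configuration: a 4via6 address tells you both which site the traffic was routed to and which Domain Controller it reached.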

3.4 Join the Tailscale network and advertise the 4via6 route

Replace <OUTPUT_OF_STEP_3.3> with the IPv6 route printed in the previous step and <IMPER_PROVIDED_TAILSCALE_KEY> with the key from the exported script:

sudo tailscale up --auth-key=<IMPER_PROVIDED_TAILSCALE_KEY> --hostname=subnet-router-<YOUR_TENANT_NAME> --advertise-routes=<OUTPUT_OF_STEP_3.3>

3.5 Verify LDAPS Connectivity

From the subnet router VM, verify that LDAPS is reachable.

Replace the IP with a real DC IP:

nc -vz 10.50.48.10 636

You should see a successful connection. This only confirms that the port is open from the VM; it does not validate the Domain Controller's certificate, and it does not exercise the path from Imper.ai through the advertised route, which only works after route approval (Step 4).


Step 4 -  Route approval

After the script completes and the VM is online, notify us that the router is ready.

Imper.ai will then approve the advertised route in the Tailscale admin console.

Route approval is separate from access control: approval makes the subnet route usable by tailnet clients at all, and the ACLs described under "What Imper.ai Will Configure" then limit which clients and ports may use it.


Step 5 - Create an Active Directory Service Account

Create a dedicated service account for Imper.ai to perform password resets over LDAPS. Delegate only the Reset Password right on the OU(s) containing the users in scope; the account does not need membership in any privileged group.

Provide the following details to Imper.ai:

  • Domain controller IP address

  • Service account username (UPN preferred, e.g., svc-imper-ad-reset@contoso.com)

  • Service account password (shared via your secure channel)

Provide the Issuing CA Certificate (Optional but Recommended)

This step is recommended to enable full TLS verification.

You will need the CA certificate that issued the Domain Controller’s LDAPS certificate.

Export the issuing CA certificate for LDAPS (optional)

option 1 - GUI

On a Domain Controller:

  1. Run certlm.msc

  2. Open the store that holds the CA certificate: Personal -> Certificates if the AD CS role runs on this Domain Controller, otherwise Trusted Root Certification Authorities or Intermediate Certification Authorities

  3. Locate the issuing CA certificate, for example contoso-ad-EC2AMAZ-LSQPDGV-CA

  4. Right-click it

  5. Select All Tasks -> Export

  6. In the wizard, select No, do not export the private key

  7. Select Base-64 encoded X.509 (.CER)

Send the exported .CER file to Imper.ai.

option 2 - PowerShell export by thumbprint

If you know the CA certificate thumbprint (Cert:\LocalMachine\CA is the Intermediate Certification Authorities store; use Cert:\LocalMachine\Root if the CA certificate is in Trusted Root Certification Authorities):

Export-Certificate -Cert (Get-Item "Cert:\LocalMachine\CA\CA_THUMBPRINT_HERE") -FilePath C:\ldaps-issuing-ca.cer

Export-Certificate writes a DER-encoded file by default; that is accepted as well.

Then provide C:\ldaps-issuing-ca.cer to Imper.ai

What to send (if providing the CA certificate):

  1. The exported CA certificate file (Base64 .cer is fine)

  2. The LDAPS hostname we should verify (example: dc01.contoso.com)


What Imper.ai Will Configure

After receiving the required information, Imper.ai will:

  • Approve the advertised subnet routes in Tailscale

  • Restrict access using Tailscale ACLs to:

    • the specified Domain Controller subnets

    • TCP 636 only

  • Configure the Imper.ai connector to:

    • Connect using LDAPS (TCP 636)

    • Validate the Domain Controller certificate using your CA certificate (if provided)

    • Authenticate using the provided service account

    • Perform password resets using LDAP operations


Tailscale Auth Key and VM Rebuilds

The Tailscale authentication key is used only once when enrolling the subnet router VM.

No further action is required unless one of the following occurs:

  • The subnet router VM is rebuilt or replaced

  • The Tailscale state directory (/var/lib/tailscale) is removed

  • The node is removed from the Tailscale network

If any of these events occur, contact Imper.ai to obtain a new authentication key.


Common Issues

  1. No CA certificate provided

    1. TLS certificate verification is skipped: the session is still encrypted, but the connector cannot confirm that it is talking to your Domain Controller.

    2. The connection still works, but anything positioned between the tailnet and the DC could present its own certificate and read the bind credentials and new passwords. Provide the issuing CA certificate and the LDAPS hostname to close this gap.

  2. Missing AD permissions

    1. Password reset operations fail because the service account lacks the required delegated right: the Reset Password control access right on the target user objects, delegated on their OU or granted to a group the account belongs to.
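The two points above, together with the LDAPS check in step 3.5 and the connector behaviour listed under "What Imper.ai Will Configure", come down to a TLS context and one LDAP operation. The following is an added example written for this guide; it is not Imper.ai's connector code, whose implementation is not published here. It shows the verifying and the "verification skipped" TLS configurations side by side, a handshake check that goes beyond nc -vz (it validates the certificate chain against your exported CA file and the DC's hostname), and the bytes of the password reset itself: an LDAP ModifyRequest replacing unicodePwd, which Active Directory only accepts over a TLS-protected session. File paths, the DN CN=A and all passwords are constructed sample values; only check_ldaps touches the network.

```python
import socket
import ssl
from typing import Optional

LDAPS_PORT = 636


def ldaps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings a connector should use: TLS 1.2+, certificate required, hostname checked.

    cafile is the exported issuing-CA .cer; both the Base-64 (PEM) export from certlm.msc
    and the DER file that Export-Certificate writes by default are accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        with open(cafile, "rb") as f:
            data = f.read()
        # PEM is passed as text, DER as bytes. Only this CA is trusted, not the system store.
        ctx.load_verify_locations(cadata=data.decode("ascii") if data.startswith(b"-----BEGIN") else data)
    else:
        ctx.load_default_certs()  # system roots: a private AD CS CA is not here, so the handshake fails
    return ctx


def insecure_context() -> ssl.SSLContext:
    """What "TLS verification is skipped" means: encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The three settings that distinguish the two contexts above."""
    return {"verify": ctx.verify_mode.name, "check_hostname": ctx.check_hostname,
            "min_tls": ctx.minimum_version.name}


def check_ldaps(host: str, server_hostname: str, cafile: Optional[str],
                port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Full handshake with chain and hostname validation (what `nc -vz` does not do).

    host may be the DC's IPv4 address (from the router VM) or its 4via6 address (from the
    tailnet); server_hostname must be the DNS name in the certificate, e.g. dc01.contoso.com.
    Raises ssl.SSLCertVerificationError if the CA file or hostname does not match.
    """
    ctx = ldaps_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "san_dns": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                    "not_after": cert["notAfter"]}


def encode_unicode_pwd(password: str) -> bytes:
    """AD only accepts a new password as UTF-16-LE text wrapped in double quotes."""
    return f'"{password}"'.encode("utf-16-le")


def _ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder (definite length form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def modify_unicode_pwd(message_id: int, user_dn: str, new_password: str) -> bytes:
    """The reset operation: an LDAP ModifyRequest (RFC 4511) that REPLACES unicodePwd.

    A replace needs the Reset Password control access right on the user (the "missing AD
    permissions" failure); a user changing their own password sends delete(old)+add(new)
    instead. AD rejects unicodePwd writes on a clear-text session, hence LDAPS. These bytes
    follow a successful BindRequest as the service account.
    """
    value = _ber(0x31, _ber(0x04, encode_unicode_pwd(new_password)))          # SET OF AttributeValue
    attribute = _ber(0x30, _ber(0x04, b"unicodePwd") + value)                  # PartialAttribute
    change = _ber(0x30, _ber(0x0A, b"\x02") + attribute)                      # operation replace(2)
    modify = _ber(0x66, _ber(0x04, user_dn.encode("utf-8")) + _ber(0x30, change))  # [APPLICATION 6]
    msg_id = message_id.to_bytes((message_id.bit_length() + 8) // 8, "big")  # positive INTEGER
    return _ber(0x30, _ber(0x02, msg_id) + modify)                            # LDAPMessage
```

Running check_ldaps("10.50.48.10", "dc01.contoso.com", "ldaps-issuing-ca.cer") from the router VM is the stronger version of the step 3.5 check; calling it with cafile=None reproduces the failure you get when a private CA is not trusted, and is the reason the CA certificate is worth providing even though the connector can fall back to insecure_context().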