Question: C#.NET authenticate computer account against Active Directory

I need to create a standalone application for secured password resets for our help desk. The program should only be run on a predetermined set of computers.

What I am looking at doing is, upon running a program, have it authenticate the computer account against AD. It will then check the computer's group memberships to see if the computer is in the group of computers allowed to run the program. This should reasonably prevent the program from being copied to another computer and still be able to reset passwords. This is step 1. Afterwards, it will authenticate the currently logged-on user account against Active Directory and make sure it has permissions to change passwords. This is step 2.

I can get step 2 to work fine via WindowsIdentity.GetCurrent() and the subsequent WindowsPrincipal and IsInRole member function. However, I cannot find a way to authenticate the current computer account against Active Directory. I tried looking at SPNs, Impersonation, and such, but couldn't get anything working. Basically, what I am looking for is how to authenticate "HOST/computername.domainname" against Active Directory, or similar.

Answer: C#.NET authenticate computer account against Active Directory

OK, based on your requirements and design, there is no solution because you need to include service accounts and passwords in the binaries to use impersonation.

When a user runs any executable in their system, it automatically uses their personal account. Using any type of 'Run As' functionality for an account with greater privileges requires hiding the account name and password in code.
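
The two checks described in the question, as an added example that is not part of the original question or answer: it looks up the local computer's account in Active Directory with the logged-on user's credentials (no embedded service account) and tests group membership, then applies the `WindowsPrincipal.IsInRole` check from step 2. It does not authenticate as the computer account, so it is a client-side launch gate only; the permission to reset passwords is still enforced by Active Directory against the user's own account. The group names and the `EXAMPLE` domain are hypothetical placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

static class LaunchGate
{
    // Hypothetical names: substitute the groups used in your domain.
    const string AllowedComputersGroup = "PwdReset-Allowed-Computers";
    const string HelpDeskRole = @"EXAMPLE\PwdReset-Operators";

    // Step 1: is this computer's AD account in the allowed-computers group?
    static bool ComputerIsAllowed(PrincipalContext ctx)
    {
        // Computer accounts carry a trailing '$' in sAMAccountName.
        string sam = Environment.MachineName + "$";
        using (var computer = ComputerPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, AllowedComputersGroup))
        {
            if (computer == null || group == null) return false; // fail closed
            // GetMembers(true) also follows nested groups.
            using (var members = group.GetMembers(true))
                return members.Any(m => computer.Sid.Equals(m.Sid));
        }
    }

    // Step 2: is the logged-on user in the help desk group?
    static bool UserIsAllowed()
    {
        using (var identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity).IsInRole(HelpDeskRole);
    }

    static int Main()
    {
        try
        {
            // Binds to the current domain as the logged-on user.
            using (var ctx = new PrincipalContext(ContextType.Domain))
                if (ComputerIsAllowed(ctx) && UserIsAllowed())
                    return 0; // continue into the password reset UI
        }
        catch (Exception ex) // directory unreachable, access denied, ...
        {
            Console.Error.WriteLine("Directory check failed: " + ex.Message);
        }
        Console.Error.WriteLine("This computer or user is not authorized.");
        return 1;
    }
}
```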