How to create a C# service on many network PC's that all impersonate a single AD user account

Question

I'm not really sure how to attack this and would appreciate any ideas. I have about 20 custom c# applications distributed throughout our Windows network of about 100 domain joined PC's. One of the applications is an app that sets and gets permissions for all the individual functions of all the other applications and where the permission data is stored in an MSSQL DB.

Once the c# apps get past our permission app, I want the c# apps to be able to access network resources such as directories and SQL functions all as the same user so that I don't have to manage permissions on directories or tables and stored procedures for multiple users who come and go. That part is already done in the permission app and would be redundant.

I was thinking that I would be looking at a service that runs on the server that would impersonate the user and the c# client service would make requests to the server service. Without the server service, I would be looking at setting all the client services to impersonate the same user.

Am I even in the ballpark?

Answer 1

To solve this, you'll need to do two things:

1. Set up a Service Account (a special type of unattended account in Active Directory) with the right permissions.
2. Ensure your C# Services are set up to run as this service account user .

Keep in mind, this is purely for unattended services. If you want a Windows Forms application to impersonate a service account, you're going to have to include the username/password either in the application itself (for instance, in a connection string), or you're going to have to include it in the executable shortcut link.

In either case, it will be visible to the end user (unless of course you encrypt it in the connection string case). But a determined end-user will be able to decrypt it.