When I set mine up, the way the process ran the AD machine account was the most reliable authenticator.
You could add a credential from one box to another, workgroup style...
If you have a domain CA, things get a little more complicated...
Every machine behaves like a standalone domain (when not joined) so the same method should apply.
Erik