The tough part of your requirement is when you say, “the systems have to operate by themselves in case of communications drop-outs, which we experience quite a bit.”

I don’t know the facilities well-enough to say whether this excludes the use of Windows’s authentication services or not.   Clearly, if it does not, then that is the approach that you want to take:   centralized management, with satisfactory means of operating in “off-line mode.”

Failing that, I would advocate the use of a cryptographically secure password-safe file which uses public-key cryptography ... and of course, a single Perl package whose sole responsibility is to know how to withdraw from that “safe” the strings that the application needs.   (In fact, I would build such a package anyway, in order to isolate the application from any future implementation changes.)   It goes without saying that you should use a strong, well-known, platform independent package here; not roll-your-own snake oil.

The central idea is that ... “the magic key is not in the source-code; merely the means for getting it.”   And those “means” only work properly wherever the application is actually installed.   If you don’t steal both pieces, you don’t have the magic key.   If you do steal them, you still can’t change them, so you can’t prevent the company, having detected your intrusion, from promptly and effectively locking you out again.   Furthermore, the company can re-issue keys (and can even issue different keys to different computers), and can easily change them from time to time, without touching the deployed source-code itself.   Conversely, they can change the deployed source-code whenever they need to, without disrupting the magic.