Working on my first real WCF service project, I encountered problems with getting the client to connect to the host when running it on another computer and as a different user. This was probably challenging only because of my inexperience with the technology and the overwhelming amount of documentation (but very little discussion) on the subject.
When you want to use Windows security with a netTcpBinding, you must first configure the client and the host to do so:
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
This was pretty trivial.
The magic lies behind the identity configuration of the client endpoint. I’m still not sure why this is required, but to get Windows authentication to work, you need to define a correct User Principal Name (UPN) or Service Principal Name (SPN).
So, if the host is running with user credentials, you should use its UPN:
<userPrincipalName value="firstname.lastname@example.org" />
And if the host is running as a service, define an SPN:
<servicePrincipalName value="Host/MYCOMPUTER" />
Host/<server> is the default SPN, but a domain administrator can also create a service-specific one.
What I noticed when trying different configurations was that if I left the UPN/SPN value blank (or entered any value), the client would for some reason connect. This has something to do with the fact that by default Kerberos is used for authentication, but if that fails NTLM takes over. So to make sure your settings are correct, try the following:
<endpoint behaviorConfiguration = "clientEndpointCredential">
<windows allowNtlm="false" />
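The fragments above, assembled into one client-side configuration so it is clear where each piece sits. This is an added example, not the original post's own file: the binding name, endpoint name, address, port, contract and the `mode="Transport"` setting are assumptions for illustration.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- "windowsTcp" is a hypothetical name; mode="Transport" is assumed
             (it is the netTcpBinding default). -->
        <binding name="windowsTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <!-- Referenced by the endpoint's behaviorConfiguration attribute. -->
        <behavior name="clientEndpointCredential">
          <clientCredentials>
            <!-- No NTLM fallback: a wrong identity below now fails the call
                 instead of connecting anyway. -->
            <windows allowNtlm="false" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <!-- Name, address, port and contract are hypothetical placeholders. -->
      <endpoint name="exampleEndpoint"
                address="net.tcp://MYCOMPUTER:8000/ExampleService"
                binding="netTcpBinding"
                bindingConfiguration="windowsTcp"
                behaviorConfiguration="clientEndpointCredential"
                contract="Example.IExampleService">
        <identity>
          <!-- Host running as a service: use its SPN. For a host running
               under user credentials, use userPrincipalName instead. -->
          <servicePrincipalName value="Host/MYCOMPUTER" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

Once the identity is confirmed correct with NTLM disabled, the same `<identity>` element can stay in place if `allowNtlm` is later restored.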
Comprehensive guide to WCF security: http://www.codeplex.com/WCFSecurityGuide