Thanks for your reply. I'm not sure if I fully understand it as I'm still not getting it to work properly. This is what I've done and perhaps you could point out where I've gone wrong:
1. In the services config I added a <servicePrincipalName> element, e.g. from previous example:
2. At this point I wasn't sure what to set the value attribute to. I used setspn.exe to try to register a new SPN, without success! I tried:
(a) setspn -A myspn myserver (for myspn I just used the name of my service)
(b) setspn -A myspn/clientPCname mydomain\myusername (as I would be running the service for the moment)
Both of these resulted in a "Failed to assign SPN on account..." error. As a test, though, I listed the SPNs for the host I was testing the client on and used one of these as the value in the server config. After I regenerated the client config this worked on the client PC whatever username I was logged on as. Of course it didn't work from another PC that didn't have the same SPN registered.
What I'm not sure about is:
1. Should I be registering the same SPN with all the client machines that I want to use, as I could only add one <servicePrincipalName value=""/> to the server config?
2. Was I running setspn incorrectly, or is this a privilege issue (I've got local admin on the machine I was trying to register the SPN on)?
Something I'd noticed earlier was that if I removed the <identity> element from the client config (when it wasn't set in the server config) this worked fine if the client and server were on the same PC, but not if they were on different PCs. However, if in the client config I use the IP address of the server machine instead of its network name (in the address attribute of the endpoint element) and remove the identity element, I can call the server from any PC with any logon! What's going on here? Does this mean authentication is being bypassed?
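Editor's added example, not part of the post above: the setspn calls in the post fail for two reasons a practitioner would check first. An SPN always has the form class/host[:port] (a bare "myspn" is not one), and it is registered on the account the service process runs under, which requires write access to that account's servicePrincipalName attribute in Active Directory (Domain Admins by default); local admin on the workstation is not enough. The client then needs an <identity> that names that SPN (or the service account's UPN). The script below walks that procedure with setspn's -Q, -S and -L switches. The domain CONTOSO, account CONTOSO\svc-myservice, host myserver.contoso.local and class MyService are all assumed names.

```powershell
# Added example, not from the original post. Registers an SPN for a WCF service that
# runs under a domain user account and emits the matching client-side <identity>.
# Assumed (hypothetical) names: CONTOSO\svc-myservice, myserver.contoso.local, MyService.
# Must be run as an account allowed to write servicePrincipalName on the target account.
param(
    [string]$ServiceClass = 'MyService',              # arbitrary class; must match the client identity
    [string]$HostFqdn     = 'myserver.contoso.local', # the name clients put in the endpoint address
    [string]$Account      = 'CONTOSO\svc-myservice'   # account the WCF service process runs under
)

# SPN format is class/host[:port]. Using the DNS name the client connects with matters:
# connecting by IP address gives the client nothing to build an SPN from, so Kerberos
# cannot be used and the binding falls back to NTLM where it is allowed.
$spn = "$ServiceClass/$HostFqdn"

# 1. Make sure no other account already owns this SPN. A duplicate SPN makes the KDC
#    refuse or misroute tickets, which shows up as unexplained authentication failures.
$query = & setspn.exe -Q $spn
if ($query -match 'Existing SPN found') {
    Write-Warning "SPN $spn is already registered:"
    $query | Write-Output
    return
}

# 2. Register it on the service account. -S checks for duplicates before adding;
#    -A (used in the post) adds blindly. Both need write access to the account object.
& setspn.exe -S $spn $Account
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed (exit $LASTEXITCODE): check you can write servicePrincipalName on $Account"
}

# 3. Verify what is now registered on the account.
& setspn.exe -L $Account

# 4. The <identity> the client must use inside its <endpoint>. Alternatively, for a
#    service running under a domain user, <userPrincipalName value="svc-myservice@contoso.local"/>
#    works without registering any SPN. A service running as NetworkService or LocalSystem
#    uses the computer account instead, i.e. <servicePrincipalName value="host/$HostFqdn"/>.
@"
<identity>
  <servicePrincipalName value="$spn" />
</identity>
"@
```

The SPN is registered once, on the one service account, not on each client machine: clients only need to name it in their config. Re-running the script is safe because step 1 stops before a second registration is attempted.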