If you use Windows authentication, you can grab the identity of the caller in your service code here:
This WindowsIdentity contains things like the ".Name" property, the ".Groups" property of all groups the user belongs to, and more.
If the WindowsIdentity should be NULL, then you don't really have Windows authentication happening.
Are you hosting your WCF service in IIS? Which version - IIS7 is the first one to support net.tcp binding.
What if you self-host your service in a console app - does Windows authentication work then? In that case, it would most likely be a IIS7 config issue of sorts.
I suspect this is because your service account is not trusted for delegation. It can therefore impersonate the caller for access to local resources, but not for calling out over TCP. Google "Trusted for delegation" for more info.