If you configure a WCF service to use Transport security, WCF overwrites Thread.CurrentPrincipal, even if you explicitly set <transport clientCredentialType="None"/>. This differs from the behavior without Transport security, i.e. when you are using HTTP instead of HTTPS. Normally this wouldn't be an issue, but if you are running the service in a web application and have <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />, you might be setting Thread.CurrentPrincipal manually. This can come in handy if you want to use a PrincipalPermission such as the following to control access to a web method.
[PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
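One way to observe the overwrite from inside the service, as an added example that is not code from the original post. IAdminService, AdminService and DescribePrincipals are hypothetical names, and the example assumes the web application assigns the same principal object to both HttpContext.Current.User and Thread.CurrentPrincipal before WCF dispatches the call.

```csharp
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Threading;
using System.Web;

[ServiceContract]
public interface IAdminService   // hypothetical contract for illustration
{
    [OperationContract] string DescribePrincipals();
    [OperationContract] string AdminOnly();
}

// Required: the service only activates when aspNetCompatibilityEnabled="true",
// so HttpContext.Current is available inside the operations.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class AdminService : IAdminService
{
    // Deliberately carries no PrincipalPermission: a declarative demand runs
    // before the method body, so the diagnostic must sit on an unprotected operation.
    public string DescribePrincipals()
    {
        IPrincipal onThread = Thread.CurrentPrincipal;
        // Assumption: the application set this to the same object it put on the thread.
        IPrincipal onHttp = HttpContext.Current != null ? HttpContext.Current.User : null;

        return string.Format("thread=[{0}] http=[{1}] same={2} threadIsAdmin={3}",
            Describe(onThread), Describe(onHttp),
            ReferenceEquals(onThread, onHttp),
            onThread != null && onThread.IsInRole("Administrator"));
    }

    // The demand is evaluated against Thread.CurrentPrincipal at call time.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public string AdminOnly()
    {
        return "reached as " + Describe(Thread.CurrentPrincipal);
    }

    private static string Describe(IPrincipal p)
    {
        if (p == null) return "null";
        string name = p.Identity != null ? p.Identity.Name : "(no identity)";
        return p.GetType().Name + ":" + name;
    }
}
```

Call DescribePrincipals over the HTTP endpoint and again over the HTTPS endpoint: if same is true in the first case and false in the second, the role demand on AdminOnly is being evaluated against the principal WCF placed on the thread, not the one the application set.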