I noticed you have not set the mode in <security> in your netTcpCertificate config instead of what you probably want: <security mode="Message">. By not setting the mode attribute, WCF will use the default value of Transport instead of Message, which is what you likely want for certificate credentials. It's possible that WCF is passing the Windows identity when the mode is set to Transport, but I haven't tried to verify it.
UPDATE:
Based on the comments below, you should make sure that the client config file endpoint>identity>dns>value matches the name of the server certificate's CN= value. This value needs to be MyAppServer based on what you entered.
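
An added example, not part of the original answer: a small check that parses a WCF client config and reports the two conditions discussed above (a netTcpBinding with no security mode set, and an endpoint DNS identity that differs from the certificate CN). The sample config is constructed; the address, contract name and the `localhost` identity value are placeholders, and `audit_wcf_config` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed client config: the binding name and MyAppServer come from the thread;
# the address, contract and "localhost" identity are placeholders for illustration.
SAMPLE_CONFIG = """
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="netTcpCertificate">
          <security>
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <endpoint address="net.tcp://placeholder.invalid:9000/Service"
                binding="netTcpBinding" bindingConfiguration="netTcpCertificate"
                contract="IPlaceholderContract">
        <identity><dns value="localhost" /></identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
"""

def audit_wcf_config(xml_text, expected_cn):
    """Return findings for netTcpBinding security mode and endpoint DNS identity."""
    root = ET.fromstring(xml_text)
    findings = []
    for binding in root.iterfind(".//netTcpBinding/binding"):
        name = binding.get("name", "(default)")
        security = binding.find("security")
        mode = security.get("mode") if security is not None else None
        if mode is None:
            findings.append(f"{name}: no security mode set, WCF defaults to Transport")
        elif mode != "Message":
            findings.append(f"{name}: security mode is {mode}, not Message")
    for endpoint in root.iterfind(".//client/endpoint"):
        dns = endpoint.find("identity/dns")
        value = dns.get("value") if dns is not None else None
        if value != expected_cn:
            findings.append(f"endpoint {endpoint.get('address')}: identity dns value "
                            f"{value!r} does not match certificate CN={expected_cn}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_wcf_config(SAMPLE_CONFIG, "MyAppServer")))
```

With `<security mode="Message">` and `<dns value="MyAppServer" />` in place, the function returns an empty list.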