Your suspicions are correct; you have to explicitly authenticate the user via a built-in .NET mechanism such as Forms Authentication or Windows Authentication for User.Identity
to be populated by the framework.
You didn't specify from where the requests are coming (web, windows app, windows service, etc), but this article provides nice overview of getting Forms Authentication set up with asmx.