We are not doing anything to authenticate, really. Simply turning on pass-through authentication to the virtual app hosting the web service made everything work, so we left it at that. Presumably the credentials get automatically forwarded by our service to CRM.
We are also not using the SDK, I've simply added the SOAP endpoint as a service reference to the c# app, and I'm using the OrganizationServiceClient.