This may be what is happening.
You login to windows and run your client, i.e. your client is running "under a user/password". The client communicates to the service running on a host system. The NTLM handshaking goes something like this: Client tries to connect, host returns "fail, let's try NTLM, here is a string, hash it and return it'. The client send the string off to windows which uses the current user to look up a password and then uses the password to hash the string. The client then sends back the user name, the string, the hash. The service host then send the user name and the string off to its OS which then uses the user name to look up a password on the host, and hash the string. The service then compares the hash from the client with the hash from the Host OS ... and if they match says "OK, here use this session id and from now on and I will accept calls from you if they contain this session id."
I have found that if am using separate machines to host the client and the service things go just fine as long as both machines have an account with the same username/password.
I have found this behavior to be common among QMSAPI, Desktop and the OCX.