After reading a lot of articles about the security of WCF and impersonation of web applications, we finally found out that the problem was caused by the server and client not having the same clock time. So we simply fixed the time on the client machine and the problem disappeared.