• When a user/service authenticates to an RODC, a check is performed to see if the password is cached. If the password is cached, the RODC will authenticate the user account locally. If the user’s password is not cached, then the RODC forwards the authentication request to a writable Windows Server Domain Controller which in turn authenticates the account and passes the authenticated request back to the RODC. Once the user account is authenticated, the RODC makes another request for the replication of the user’s password in a unidirectional replication providing the account has been configured to allow replication. Thus, please check your credentials are cached correctly in credential manager/vault in Control Panel.
• In your case, if you want WCF to prioritize authentication requests of cached credentials to send it to RODC, you should configure the weight of the RODC higher than the other DCs for your site as authentication is managed by sites and services in an AD environment. As you said, it is an off-site where you have setup RODC for security reasons, then accordingly configure the respective sites and its related subnets in the Primary Domain Controller correctly for the authentication request priorities in that site to be redirected to the DC in that subnet/site accordingly. This might help you resolve your authentication redirection problem.
You can also do the following for prioritizing RODC for authentication in that site: -
Move the RODC to a new site in Active Sites & Services, then assign the subnets to that new site. Remember to create site links to link the new site to the others.
Set LdapSrvPriority to zero for the RDOC and increase to a higher value for the writable DCs. (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority)
