DB-level users are currently authorized on the primary shard server (as opposed to the config server with global/admin users). This has implications for targeted queries, as any targeted query with auth would require both the primary shard server and target shard server be available.
Further, when this case is encountered, the error messages can be quite confusing; either indicating that auth explicitly failed, or that a socket exception occurred (without mentioning the remote host):
Note this test was run after killing the primary shard server. Test environment is 2 shards with replication, where the targeted document lives on the non-primary shard.
We should probably note this caveat on the Shard Operation Types page until this is resolved.