I have a Windows service that hosts a WCF service, and a web service on a different machine acting as a client. I have the NetTcpBinding set to Transport security using Windows authentication. Am I correct to assume that the Windows user the web service is running under must have permission to access the WCF service on the other machine? If the web service is running under NetworkService, is it possible to use it, or do I need to set up a new user for it to use?
See http://msdn.microsoft.com/en-us/library/ms684272(VS.85).aspx for good info on NetworkService. What will happen is that your WCF client will attempt to authenticate as domain\computername$ to the machine hosting the service. I personally prefer to have a specific identity for auditing purposes.
Yes, you'll need to set up another user. NetworkService is a local user and will not exist on the WCF hosting machine. (Well, it does, but it has a different password and so is not shared.)
You have a couple of choices: if both machines are in the domain you can run the web application pool as a domain user, or if you're in a workgroup you can create the same username/password combination on both machines and configure the web site to run under that account. In either case you need to assign the right privileges to the new account by issuing:
aspnet_regiis -ga MachineName\AccountName
If you are in a domain and using Kerberos authentication, then you will also need to set up an SPN for the new user account:
setspn -A HTTP/webservername domain\customAccountName
setspn -A HTTP/webservername.fullyqualifieddomainname domain\customAccountName
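The domain-joined variant of the procedure above (create the account, run aspnet_regiis -ga, register the SPNs, move the application pool onto the account), as an added PowerShell example that is not part of either answer. It assumes Windows PowerShell 5.1 running elevated on the web server with the ActiveDirectory and WebAdministration modules installed; the domain, account, host and pool names are placeholders. It differs from the answer in two places a practitioner would want: it queries for an existing SPN before registering (a duplicate SPN anywhere in the forest silently breaks Kerberos for both accounts) and uses setspn -S, which refuses to create a duplicate, instead of setspn -A.

```powershell
# Added example, not code from the original answers.
# Assumptions: Windows PowerShell 5.1, elevated, on the web server; the
# ActiveDirectory and WebAdministration modules are installed; all names
# below are placeholders for the real domain, account, host and app pool.

$Domain   = 'CORP'                        # assumed NetBIOS domain name
$Account  = 'svc-webclient'               # assumed dedicated service account
$WebHost  = 'webservername'               # short name of the web server
$WebFqdn  = 'webservername.corp.example'  # assumed fully qualified name
$AppPool  = 'DefaultAppPool'              # application pool to reconfigure
$Password = Read-Host -AsSecureString 'Password for the service account'

# 1. Create the domain account once, so both machines see the same identity.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account `
               -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
}

# 2. Grant the ASP.NET file and registry permissions (the aspnet_regiis -ga step).
#    aspnet_regiis.exe lives in the .NET Framework directory of the running runtime.
$regiis = Join-Path ([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'aspnet_regiis.exe'
& $regiis -ga "$Domain\$Account"
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# 3. Register the HTTP SPNs. Query first: a duplicate SPN means the KDC cannot
#    choose a key and Kerberos fails (usually falling back to NTLM, or to an
#    outright error with NetTcpBinding), so stop rather than add a second owner.
foreach ($spn in "HTTP/$WebHost", "HTTP/$WebFqdn") {
    $query = & setspn -Q $spn
    if ($query -match 'Existing SPN found') {
        throw "SPN $spn is already registered:`n$($query -join "`n")"
    }
    & setspn -S $spn "$Domain\$Account"   # -S re-checks for duplicates before adding
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn failed with exit code $LASTEXITCODE" }
}

# 4. Run the application pool as the new account (identityType 3 = SpecificUser).
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3
    userName     = "$Domain\$Account"
    password     = [System.Net.NetworkCredential]::new('', $Password).Password
}

# 5. Show what ended up registered for the account, for the change record.
& setspn -L "$Domain\$Account"
```

After the pool has been recycled, the WCF host sees the caller as CORP\svc-webclient rather than CORP\WEBSERVERNAME$, which is the identity to grant access to on the service side and the one that shows up in its audit trail. The workgroup case from the answer (same username and password created locally on both machines) is not covered by this script, since there is no directory to register an SPN in.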