Problem
When I published my orchestration as a web service and called it, I got the message "invalid security token". Upon investigation, this is because the wizard produces a policy file which uses KerberosToken rather than KerberosToken2. You can tell this by the namespace for the token:
KerberosToken = http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST
KerberosToken2 = http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5_AP_REQ
Work Around
In my solution I need to use KerberosToken2, and in the stuff I have done recently I have only managed to get the adapter to work with KerberosToken2. The workaround I am using is to have my own custom policy file. In my MSBuild script which builds my BizTalk application, I ensure I do the following tasks in this order within the script:
a. Regenerate the published web services based on the WebServiceDescription file.
b. Replace the generated policy file with my custom one.
c. Export the application as an MSI.
By ensuring in my build script that the above tasks are done in that order, I can work around the fact that the wizard generates the wrong kind of token, and I still have everything working in the same way it used to.
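A check that could run between steps b and c, so the export fails if the generated policy file was not actually replaced. This is an added example, not part of the original post or of BizTalk's tooling: it assumes the policy file is XML and that the token type URI appears as an element's text or an attribute value, and the sample element names are constructed placeholders rather than the real policy schema.

```python
import sys
import xml.etree.ElementTree as ET

# Token type URIs exactly as given in the post.
KERBEROS_TOKEN = "http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST"
KERBEROS_TOKEN2 = "http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5_AP_REQ"


def token_types_in_policy(xml_data):
    """Return the set of Kerberos token type URIs referenced anywhere in the policy XML."""
    root = ET.fromstring(xml_data)
    found = set()
    for elem in root.iter():
        # Look at element text and every attribute value (assumption: the URI is in one of these).
        for value in [elem.text or ""] + list(elem.attrib.values()):
            value = value.strip()
            if value in (KERBEROS_TOKEN, KERBEROS_TOKEN2):
                found.add(value)
    return found


def check_policy(xml_data):
    """Return (ok, reason); ok is True only if KerberosToken2 is the sole Kerberos token type."""
    try:
        found = token_types_in_policy(xml_data)
    except ET.ParseError as exc:
        return False, "policy file is not well-formed XML: %s" % exc
    if KERBEROS_TOKEN in found:
        return False, "policy still references KerberosToken (Kerberosv5ST)"
    if KERBEROS_TOKEN2 not in found:
        return False, "policy does not reference KerberosToken2 (Kerberosv5_AP_REQ)"
    return True, "policy uses KerberosToken2 only"


# Constructed samples; element names are placeholders, not the real policy schema.
SAMPLE_GENERATED = "<policy><token><type>%s</type></token></policy>" % KERBEROS_TOKEN
SAMPLE_CUSTOM = "<policy><token type='%s'/></policy>" % KERBEROS_TOKEN2

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as handle:  # bytes: parser handles BOM/encoding
            ok, reason = check_policy(handle.read())
    else:
        ok, reason = check_policy(SAMPLE_CUSTOM)
    print(reason)
    sys.exit(0 if ok else 1)  # non-zero exit stops the build before the export step
```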