WSE2 : KerberosToken and WSE policies

Published 16 December 5 5:44 PM | Ramon Smits
I had a weird problem today with a computer in our development domain. We currently use encryption and signing for web service calls with WSE2. We use a WSE policy to achieve this, but today a colleague of mine got an error when he tried to run the code on his machine. The first thing was that the web service wasn't running under the SYSTEM account. This account does not have enough privileges to access the Active Directory information, so it can't access the data for the Kerberos token. This isn't a problem on Windows 2003 because .NET web applications run under a certain application pool.

But then we had a problem where the code didn't run while it should! It was a very frustrating thing and we kept getting exceptions that said the username was incorrect. So we triple-checked everything and couldn't find any problem. As a last resort I removed the computer from the domain and added it again, and guess what: it worked afterwards.

So remove and add the machine to your domain if you are experiencing problems with Kerberos token exceptions with WSE on one computer but not on another.

This isn't mentioned in the WSE FAQ or its wiki. I will try to contribute to it this evening :-)

Comments

# Blass Eun said on August 26, 2006 6:15 AM:

Very many thanks for a good work. Nice and useful. Like it!