Why you should not select Establish Secure Session in the WSE configuration

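I synchronized this article in bulk on June 10, 2009, using a tool I wrote myself, from my blog on cnblogs (http://chenxizhang.cnblogs.com). The image URLs in the article still point to cnblogs. This is noted here for clarity.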

陈希章

Original URL: http://www.cnblogs.com/chenxizhang/archive/2008/07/29/1255865.html
Original title: Why you should not select Establish Secure Session in the WSE configuration
Originally published: 2008/7/29 11:58:00

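When configuring WSE 3.0, we always advise leaving one option (Establish Secure Session) unselected. In fact, if you do select it, calls to the service run into problems. There is, however, little material explaining why this option should not be selected. Below is a relevant explanation that I found.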


http://www.c-sharpcorner.com/UploadFile/john_charles/TherealizationofWS-Securityrelatedspecifications09162006125007PM/TherealizationofWS-Securityrelatedspecifications.aspx

Now we're going to see why we cleared the Establish a Secure Session checkbox.

There are times when secure conversation and Kerberos can come into conflict. WSE 3.0 tries to acquire a Security Context Token (SCT) from the service to establish a secure conversation. The Request Security Context (RST) message sent from the client to acquire the SCT uses a KerberosToken to protect the message so that only the service can decrypt the message. By default, WSE 3.0 generates a stateful SCT, which means that the state of the SCT is carried with the SCT itself in the message. This state contains the server's KerberosToken inside of it. Since Kerberos Tokens can only ever be used once, using this stateful SCT doesn't work. This is because every time the client makes a request to the service, it protects the message with that SCT, which carries the state with it.

There are two options to figure this out:

  • Don't establish a Secure Session. 
  • Establish a Secure Session and set statefulSecurityContextToken to false in the service configuration
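
The two options above, expressed as WSE 3.0 configuration. This is an added example, not taken from either article; the policy name `ServicePolicy` is a hypothetical placeholder, and the configuration section registration for `microsoft.web.services3` is assumed to be present already.

```xml
<!-- Option 1: wse3policyCache.config with no secure session.
     establishSecurityContext="false" corresponds to clearing the
     "Establish Secure Session" checkbox, so no SCT is requested and
     the stateful-SCT problem described above does not arise. -->
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="ServicePolicy"> <!-- hypothetical policy name -->
    <kerberosSecurity establishSecurityContext="false"
                      renewExpiredSecurityContext="true"
                      requireSignatureConfirmation="false"
                      messageProtectionOrder="SignBeforeEncrypt"
                      requireDerivedKeys="true"
                      ttlInSeconds="300">
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                 encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                  encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
               encryptBody="false" />
      </protection>
    </kerberosSecurity>
  </policy>
</policies>

<!-- Option 2: keep the secure session (establishSecurityContext="true"
     in the policy above) and turn off stateful SCTs in the service's
     web.config, so the SCT sent by the client no longer carries the
     service's KerberosToken inside it. -->
<configuration>
  <microsoft.web.services3>
    <tokenIssuer>
      <statefulSecurityContextToken enabled="false" />
    </tokenIssuer>
  </microsoft.web.services3>
</configuration>
```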


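Author: 陈希章
Source: http://blog.csdn.net/chen_xizhang
Copyright of this article belongs to the author. Reposting is welcome, but unless the author agrees otherwise, this notice must be retained and a link to the original must be given in a prominent position on the article page; otherwise the author reserves the right to pursue legal liability.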