For some legacy issues, you app stack might use WSE to do the message level authentication. and if you have to run wse 2 in your asmx hosted on windows server 2008 R2. here could be some issues and solutions.
1. If you bind multi Binary kerberos token to the request and send to the server, you might be rejected even both of them are valid. like you put host to abc and abs.fullqualifiedname.com
solution: manually downgrade the wse 2 from 2.0.3 to 2.0.1. I found since 2.0.3, the request filter does not allow 1+ tokens
2. unable to extract username from the binary token passed from client.
solution: config the application pool to run on 32 bit mode. twick the code a little bit, to remove the session key extraction.
if always shows me the memroy access exception when it try to do the session key marshaling.
check the code in Microsoft.Web.Services2.Security.Tokens.Kerberos.LsaServerContext.LogonUser(byte inToken), you might just decompile the code ,chagne it and sign it back using your own key. and update the reference to your version of wse.dll