As you mentioend what happens is that WCF negotiates for a key. More details in here.
You have a few options:
- set negotiateServerCredential and establishSecurityContext to false (this would require the client to have the server certificate out of band)
- change to a different security mechanism (user name auth, or transport with SSL)
- stay with the current situation. Once the negotiation is established no more extra calls are made. They happen once per proxy generation.
There is no way to make the negotiation process shorter. It consists of several message exchanges since this is the WS-Trust protocol.