custom X509CertificateValidator not triggering if client cert not represented in server's trusted certs

I have a custom X509CertificateValidator configured in a WCF service. When a client connects to the service, and the server has the client's certificate as a trusted certificate, my custom X509CertificateValidator is invoked. In the custom validator, it will validate the cert.

However, if the client tries to authenticate with a cert that the server does not trust, my custom validator is not invoked, and access is denied. Does something else execute before my custom validator that checks the certificate?

  1. I want my validator to be invoked, even if the server has not seen the certificate before.
  2. If an exception is thrown from my custom validator, or if my validator is not called (presumably because the client cert is not trusted), the client gets an exception indicating "The HTTP request was forbidden with client authentication scheme 'Anonymous'." (System.ServiceModel.Security.MessageSecurityException). But, I'm not doing anonymous authentication. Why is this?

web.config:

<binding name="certBasicHttpBindingConfig" allowCookies="true" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647">
    <security mode="Transport">
        <transport clientCredentialType="Certificate" />
    </security>
</binding>


<behavior name="ClientCertAuthBehavior">
  <serviceMetadata httpGetEnabled="True" httpsGetEnabled="True" />
  <serviceDebug includeExceptionDetailInFaults="true" />
  <serviceCredentials>
    <clientCertificate>
      <authentication certificateValidationMode="Custom" customCertificateValidatorType="MyApp.WebServices.CertificateValidators.MyClientCertificateValidatorWithAuditing, MyApp.WebServices" />
    </clientCertificate>
  </serviceCredentials>
</behavior>
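For readers following this question, here is an added example (not the asker's code) of what the validator type named in that web.config could look like: a custom X509CertificateValidator that builds the chain itself, checks the thumbprint against an allow-list, and writes an audit trace for each decision. The allow-list thumbprint is a constructed placeholder, and the comment on transport-mode ordering reflects the standard behaviour of IIS-hosted WCF with security mode="Transport", where the TLS layer accepts or rejects the client certificate before WCF's validator runs.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MyApp.WebServices.CertificateValidators
{
    // Type name matches customCertificateValidatorType in the web.config above.
    // With security mode="Transport" hosted in IIS, HTTP.SYS/SChannel validates
    // the client certificate (chain trust) during the TLS handshake, so this
    // class only ever sees certificates that already passed that check; a cert
    // the server does not trust is rejected at the transport before Validate runs.
    public class MyClientCertificateValidatorWithAuditing : X509CertificateValidator
    {
        // Hypothetical allow-list of client certificate thumbprints (constructed value).
        private static readonly HashSet<string> AllowedThumbprints =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "0000000000000000000000000000000000000000" // placeholder thumbprint
            };

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Build the chain here too, so a rejection is auditable with its reason.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(certificate))
            {
                var reasons = new List<string>();
                foreach (var status in chain.ChainStatus)
                    reasons.Add(status.Status + ": " + status.StatusInformation.Trim());
                Trace.TraceWarning("Client cert {0} rejected, chain errors: {1}",
                    certificate.Thumbprint, string.Join("; ", reasons));
                throw new SecurityTokenValidationException("Certificate chain is not trusted.");
            }

            if (!AllowedThumbprints.Contains(certificate.Thumbprint))
            {
                Trace.TraceWarning("Client cert {0} rejected: not in allow-list", certificate.Thumbprint);
                throw new SecurityTokenValidationException("Certificate is not authorised.");
            }

            Trace.TraceInformation("Client cert {0} ({1}) accepted",
                certificate.Thumbprint, certificate.Subject);
        }
    }
}
```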