We have an IIS 7 hosted site that requires client certificates (two-way ssl). Unfortunately, I don't have access to the trusted certificate store on the host machines, and so I was forced to write a custom http module to verify the certificates. My module never gets a chance to do the authentication, however, because IIS doesn't recognize the certificates and responds with a 403.7 error. How do I turn off client certificate validation, while still requiring clients to provide them?