I have a WCF application hosted on IIS 6 that needs to Have 2-way SSL authentication Validate client certificate content with some client host information Validate client certificate is issued by the valid subCA. I was able to do 1) successfully. I am trying to achieve 2) and 3) by following this - basically creating a class that inherits X509CertificateValidator and overriding the Validate method with my own validation implementation(step 2 and 3). I followed the MSDN instructions exactly however, it seem that the Validate method is not being called. I purposely throw a SecurityAccessDeniedException in the overidden Validate method and no exception is thrown when I tried to access the service via my browser. I can still access my website with any client certificate. I also read this thread but it didn't really help. Any help would be greatly appreciated! Here's my configuration: <system.serviceModel> <services> <service behaviorConfiguration="SimpleServiceBehavior" name="SampleNameSpace.SampleClass"> <endpoint address="" binding="basicHttpBinding" bindingConfiguration="NewBinding0" contract="SampleNameSpace.ISampleClass" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="SimpleServiceBehavior"> <serviceMetadata httpsGetEnabled="true" policyVersion="Default" /> <serviceCredentials> <clientCertificate> <authentication certificateValidationMode="Custom" customCertificateValidatorType="SampleNameSpace.MyX509CertificateValidator, SampleAssembly"/> </clientCertificate> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> <bindings> <basicHttpBinding> <binding name="NewBinding0"> <security mode="Transport"> <transport clientCredentialType="Certificate" /> </security> </binding> </basicHttpBinding> </bindings>