You’ve successfully published your Exchange 2016 services with Citrix NetScalers but noticed that when you run the Microsoft Remote Connectivity Analyzer’s Exchange ActiveSync test at https://testconnectivity.microsoft.com, it fails at the Validating certificate trust for Windows Mobile devices. test.
The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Validating certificate trust for Windows Mobile devices.
Certificate trust validation failed.
The Microsoft Connectivity Analyzer is analyzing intermediate certificates sent by the remote server.
One or more intermediate certificates were missing or invalid.
One of the reasons why this error would be thrown when the test is ran against a NetScaler published ActiveSync service is if the certificate used for the load balancing virtual server is not linked to the intermediate issuing certificate and/or the intermediate certificate is not linked to the issuing root certificate. In the case of this example with the error message:
There's a missing intermediate certificate in the certificate chain. Subject = CN=QuoVadis Global SSL ICA G2, O=QuoVadis Limited, C=BM. For more information, see Knowledge Base Article 927465.
… the issue is caused by the certificate used for the load balancing server is not linked to the intermediate issuing certificate. To correct the issue, log onto the NetScaler appliance’s management console then navigate to Traffic Management > SSL > CA Certificate and ensure that the root and intermediate issuing certificates are installed. Then proceed and link the load balancing server certificate by navigating to Traffic Management > SSL > Server Certificate, click on the ellipsis beside the certificate and click on the Link option:
Ensure that the intermediate issuing certificate is displayed in the CA Certificate Name drop down box and then click OK:
Rerunning the ActiveSync test once this has been completed will clear the error: