Wednesday, January 4, 2017

Microsoft Remote Connectivity Analyzer’s Exchange ActiveSync test fails at “Validating certificate trust for Windows Mobile devices.” when publishing Exchange 2016 services with Citrix NetScalers

Problem

You’ve successfully published your Exchange 2016 services with Citrix NetScalers but noticed that when you run the Microsoft Remote Connectivity Analyzer’s Exchange ActiveSync test at https://testconnectivity.microsoft.com, it fails at the Validating certificate trust for Windows Mobile devices. test.

image

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.

The Exchange ActiveSync test failed.

image

Validating certificate trust for Windows Mobile devices.

Certificate trust validation failed.

The Microsoft Connectivity Analyzer is analyzing intermediate certificates sent by the remote server.

One or more intermediate certificates were missing or invalid.

clip_image002

Additional Details

There's a missing intermediate certificate in the certificate chain. Subject = CN=QuoVadis Global SSL ICA G2, O=QuoVadis Limited, C=BM. For more information, see Knowledge Base Article 927465.

Elapsed Time: 1 ms.

image

Solution

One of the reasons why this error would be thrown when the test is ran against a NetScaler published ActiveSync service is if the certificate used for the load balancing virtual server is not linked to the intermediate issuing certificate and/or the intermediate certificate is not linked to the issuing root certificate.  In the case of this example with the error message:

There's a missing intermediate certificate in the certificate chain. Subject = CN=QuoVadis Global SSL ICA G2, O=QuoVadis Limited, C=BM. For more information, see Knowledge Base Article 927465.

… the issue is caused by the certificate used for the load balancing server is not linked to the intermediate issuing certificate.  To correct the issue, log onto the NetScaler appliance’s management console then navigate to Traffic Management > SSL > CA Certificate and ensure that the root and intermediate issuing certificates are installed.  Then proceed and link the load balancing server certificate by navigating to Traffic Management > SSL > Server Certificate, click on the ellipsis beside the certificate and click on the Link option:

image

Ensure that the intermediate issuing certificate is displayed in the CA Certificate Name drop down box and then click OK:

image

Rerunning the ActiveSync test once this has been completed will clear the error:

image

No comments: