Asked by AA-in-CA:
MS RCA fails against Exchange 2010: "One or more intermediate certificates were missing or invalid."

We're trying to set up ActiveSync for one of our customers running Exchange 2010, and it's failing the Remote Connectivity Analyzer diagnostic for "Exchange ActiveSync" at the certificate trust validation step:

"There's a missing intermediate certificate in the certificate chain. Subject = CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB. For more information, see Knowledge Base Article 927465."

I've consulted the KB article it cites, which advises me to make sure all of the intermediate certificates are installed, and verify that nothing is expired.  I went to our cert vendor, obtained the intermediate certs, and reinstalled them.  Verified nothing was expired, and restarted IIS.  Diag still failed.  Rebooted the server to be safe, diag still fails.

Went to another customer that has working ActiveSync and an identical setup.  Verified that the "Exchange Activesync" MS RCA diag passes successfully for them.  Used the Certificates MMC snap-in to verify that both their server and the problem customer's server possess the exact same intermediate and root certs.  I looked at "Trusted Root Certification Authorities"\"Certificates", "Intermediate Certification Authorities"\"Certificates", and "Third-Party Root Certification Authorities"\"Certificates", and everything is the same.  I opened and checked the certification path for each certificate in the problem customer's environment, and no errors were noted.  Reverified that nothing in any of those areas, or the "Personal" store, is expired yet.

What could be going on here?  I feel like I'm probably missing something very obvious or minor, but I can't think of anything else to try at this point.
Hani M .S. Al-habshi replied:

# Certificates Exchange knows about: who issued each one and which names it covers
Get-ExchangeCertificate | fl Issuer,CertificateDomains
# Autodiscover SCP URL published for internal clients
Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri
# OAB and EWS virtual directories: internal and external URLs must resolve to the CAS
Get-OabVirtualDirectory | fl Server,Identity,InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory | fl Server,Identity,InternalUrl,ExternalUrl

AA-in-CA (asker) replied:
If internalURL and externalURL don't match, would this cause the Remote Connectivity Analyzer error I saw?

Our internalurl is https://servername.internaldomain.local/Microsoft-Server-Activesync
Our externalurl is https://mail.externaldomain.com/Microsoft-Server-Activesync
internalurl is https://servername.domain.local/Microsoft-Server-Activesync
externalurl is https://mail.domain.com/Microsoft-Server-Activesync

mail.domain.com host A record in your public DNS should point to exchange server public IP
mail.domain.com host A record in your Local DNS should point to exchange server local IP
Yes, those parts both match, and our DNS is correct.
# Certificates Exchange knows about: who issued each one and which names it covers
Get-ExchangeCertificate | fl Issuer,CertificateDomains
# Autodiscover SCP URL published for internal clients
Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri
# OAB and EWS virtual directories: internal and external URLs must resolve to the CAS
Get-OabVirtualDirectory | fl Server,Identity,InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory | fl Server,Identity,InternalUrl,ExternalUrl

Check all these also.
You need a separate zone from local DNS for your "domain.com" as "domain.com.local" i
The easy way to test this:

Use https://www.ssllabs.com/ssltest/index.html and fix your cert so that no intermediate-chain diagnostics occur.

The likely cause is that you're using the cert file, rather than the full-chain file, in your SSL setup.
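Added example, not from the thread: a PowerShell check that does locally what the SSL Labs test does remotely. It connects to the CAS, records which certificates the server sends in its TLS handshake besides the leaf, reports whether the leaf's issuer is among them (the Remote Connectivity Analyzer has no access to the server's stores, so the intermediate must be on the wire), and then shows which LocalMachine store the issuer is installed in. It assumes Windows PowerShell 5.1, where the .NET Framework SslStream places the server-supplied certificates into the chain's ChainPolicy.ExtraStore; the host name is a placeholder for the customer's external ActiveSync name.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell 5.1;
# 'mail.externaldomain.com' is a placeholder for the customer's external name.
function Test-ServedChain {
    param(
        [string]$HostName = 'mail.externaldomain.com',   # placeholder
        [int]$Port = 443
    )

    $seen = @{}   # filled in by the validation callback below

    # In Windows PowerShell (.NET Framework) SslStream builds the chain with the
    # certificates received from the server in ChainPolicy.ExtraStore, so that
    # collection tells us what the server actually sent on the wire.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $seen.Extra  = @($chain.ChainPolicy.ExtraStore)   # certs supplied by the server
        $seen.Status = @($chain.ChainStatus)              # how the chain built on THIS box
        return $true   # observe only; never accept everything in a real client
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try     { $ssl.AuthenticateAsClient($HostName) }
    finally { $ssl.Dispose(); $tcp.Close() }

    $leaf     = $seen.Leaf
    $issuerDn = [Convert]::ToBase64String($leaf.IssuerName.RawData)   # exact DN match, not a string compare
    # The server may include the leaf itself in what it sends; drop it.
    $sent = @($seen.Extra | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint })

    "Leaf   : $($leaf.Subject)"
    "Issuer : $($leaf.Issuer)"
    "Server sent $($sent.Count) extra certificate(s):"
    $sent | ForEach-Object { "  - $($_.Subject)" }
    $local = if ($seen.Status.Count -eq 0) { 'OK' } else { ($seen.Status | ForEach-Object Status) -join ', ' }
    "Chain status as built on this machine (local stores and AIA fetch may mask a server problem): $local"

    # RCA has none of this server's stores, so the issuer must be on the wire.
    $issuerSent = @($sent | Where-Object {
        [Convert]::ToBase64String($_.SubjectName.RawData) -eq $issuerDn })
    if ($issuerSent.Count -eq 0) {
        "MISSING: the leaf's issuer was not sent by the server; RCA will report a missing intermediate."
    }

    # Where is that issuer installed locally? SChannel builds the served chain
    # from the LocalMachine stores and stops at whatever it finds in Root, so an
    # issuer placed in LocalMachine\Root (or only in a CurrentUser store) is
    # treated as the trust anchor and never sent. It belongs in LocalMachine\CA.
    foreach ($store in 'CA', 'Root', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { [Convert]::ToBase64String($_.SubjectName.RawData) -eq $issuerDn } |
            ForEach-Object { "  issuer present in LocalMachine\$store (thumbprint $($_.Thumbprint))" }
    }
}

Test-ServedChain -HostName 'mail.externaldomain.com'
```

Run it on the Exchange server (or any Windows box that can reach port 443) and read the two halves together: if the issuer is not in the "Server sent" list but does appear under LocalMachine\Root rather than LocalMachine\CA, the chain the server builds ends at that certificate and the intermediate is never transmitted, which is exactly the condition RCA reports even though every certificate looks fine in the MMC.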