IT/Tech: Error 80072F06 while trying to synchronize Windows Phone 7.x or 8 with Exchange Server and Self Signed Certificate

Running Exchange Server and synchronizing it with your Windows Phone 7.x or Windows Phone 8.x is no problem if you are using an official, external IP and more important, a public and trusted SSL-Certificate. 

But what if you run your Exchange Server in a private, SOHO or SMB environment where such an SSL-Certificate isn't really proficient nor an external IP - other than something like your Cable-, DSL- or whatsoever Internet connection paired with DynDNS?

Well, it is "quite easy"! I am going to explain in short at the example of Exchange Server 2013 how to handle the issue:

  • You already setup the client access preliminaries, e.g. external addresses in your DynDNS, Firewall settings, internal and external DNS (if NAT traversal doesn't work).
  • In your Exchange server, all settings needed for external client access already made, e.g. external (DynDNS) Domain for OWA etc. is already setup.
The final step:
  1. Open https://yourexchangeclientsideurl/ecp and login 
  2. Click on 'servers' on the left navigation pane
  3. from the horizontal navigation, choose 'certificates' and than under select servers the server you use for client access.
  4. Now, click on the + symbol and create a NEW certificate.
    1. Choose "Create a self-signed certificate"
    2. The 'friendly' name can be whatever helps you to identify the certificate later on.
    3. Add the server(s) you want to apply the certificate to.
    4. You must add the external address to all needed Access forms
    5. You can add now additional domains - if you miss one that should be used in the certificate as well (which shouldn't be the case at this point however)
    6. Click finish.
  5. Now, on your Client Access Server, open the Certificate Manager (for your Local Computer)
    1. Go to Personal - Certificates
    2. Right click on the Certificate you use for your external (DynDNS) Address and click All Tasks - Export... on the context menu
      1. Don't export the private key - we don't need it for our purpose
      2. Choose DER encoded binary X.509 (.CER) as Certificate to be exported
      3. use a file name that helps you (again) to find the certificate, I personally recommend to store the certificate on a network location that is read-only accessible by all users within the Domain so that they can mail themselves the correct certificate. This does help you in reducing admin costs - and in terms of a private household, simplifies the attachment of further devices.
    3. Now, send yourself the certificate - of course you need to send it to a mail account that is accessible by your Windows Phone ;o)
  6. Open the Email on your mobile device and download the certificate and open it.
  7. Install the certificate
  8. Now, and if your Exchange environment was correctly installed, you can synchronize your mobile phone with your server.
  9. To verify if the phone got through to your account, open https://yourexchangeclientsideurl/owa and login.
    1. Go to Settings - Options and than on the left pane choose phone. Aside your potentially already connected Outlook client(s) you should find your phone here as well.

      Note: This will happen (long) before your phone decides to come from the 'Syncing...' notification to sync or error notification.
If, why-soever, there are problems, you can first try to verify if everything is fine with a mobile phone with Android or iOS. Both do not care about non-trusted SSL certificates and will connect if (Active-/)Exchange-Sync if everything else is correct. The iOS client is by the way, the ideal client to test since it is less in-stable than the Android client (at the time I write this).

Well, I hope this little explanation was helpful, let me know your thoughts.