IT/Tech: Error 80072F06 while trying to synchronize Windows Phone 7.x or 8 with Exchange Server and Self Signed Certificate

Running Exchange Server and synchronizing it with your Windows Phone 7.x or Windows Phone 8.x is no problem if you use an official external IP and, more importantly, a public, trusted SSL certificate.

But what if you run your Exchange Server in a private, SOHO or SMB environment where such an SSL certificate isn't really practical, and neither is an external IP, other than something like your cable, DSL or whatever Internet connection paired with DynDNS?

Well, it is "quite easy"! I will explain briefly, using Exchange Server 2013 as the example, how to handle the issue:

  • You have already set up the client access prerequisites, e.g. the external addresses in your DynDNS, firewall settings, and internal and external DNS (if NAT traversal doesn't work).
  • On your Exchange server, all settings needed for external client access are already in place, e.g. the external (DynDNS) domain for OWA etc. is already configured.
The final step:
  1. Open https://yourexchangeclientsideurl/ecp and log in
  2. Click on 'servers' in the left navigation pane
  3. From the horizontal navigation, choose 'certificates', then under 'select server' pick the server you use for client access.
  4. Now, click on the + symbol and create a NEW certificate.
    1. Choose "Create a self-signed certificate"
    2. The 'friendly' name can be whatever helps you to identify the certificate later on.
    3. Add the server(s) you want to apply the certificate to.
    4. You must add the external address for every access type you need (the phone uses Exchange ActiveSync, so that one at least).
    5. You can now add additional domains, if one that should also be in the certificate is still missing (which shouldn't be the case at this point, however).
    6. Click finish.
  5. Now, on your Client Access Server, open the Certificate Manager (for your Local Computer)
    1. Go to Personal - Certificates
    2. Right click on the Certificate you use for your external (DynDNS) Address and click All Tasks - Export... on the context menu
      1. Don't export the private key - we don't need it for our purpose
      2. Choose DER encoded binary X.509 (.CER) as Certificate to be exported
      3. Use a file name that (again) helps you find the certificate. I personally recommend storing the certificate on a network location that is read-only accessible to all users within the domain, so that they can mail themselves the correct certificate. This helps reduce admin costs and, in a private household, simplifies attaching further devices.
    3. Now, send yourself the certificate - of course you need to send it to a mail account that is accessible by your Windows Phone ;o)
  6. Open the e-mail on your mobile device, download the certificate and open it.
  7. Install the certificate
  8. Now, provided your Exchange environment was set up correctly, you can synchronize your mobile phone with your server.
  9. To verify that the phone got through to your account, open https://yourexchangeclientsideurl/owa and log in.
    1. Go to Settings - Options and then in the left pane choose 'phone'. Next to your possibly already connected Outlook client(s) you should find your phone here as well.

      Note: The phone shows up here (long) before its own status changes from the 'Syncing...' notification to either synced or an error notification.
If, for whatever reason, there are problems, you can first verify that everything else is fine using a mobile phone with Android or iOS. Both accept untrusted SSL certificates and will connect via Exchange ActiveSync if everything else is correct. The iOS client is, by the way, the ideal client to test with, since it is less unstable than the Android client (at the time of writing).
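A small check for the troubleshooting step above, added here as an example and not part of the original post: it verifies that the file you exported in step 5 is a plain DER X.509 certificate (not the Base-64 variant, a .p7b or a .pfx) and that its thumbprint matches the certificate your client access URL actually serves. It assumes only the Python 3 standard library; the hostname and file path are placeholders, and the sample byte strings are constructed, not real certificates.

```python
import hashlib
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def _inner_tag(der: bytes) -> int:
    """Tag of the first element inside the outer ASN.1 SEQUENCE."""
    if len(der) < 3 or der[0] != 0x30:
        raise ValueError("file does not start with a DER SEQUENCE")
    offset = 2 + (der[1] - 0x80 if der[1] & 0x80 else 0)  # skip long-form length bytes
    if offset >= len(der):
        raise ValueError("truncated DER")
    return der[offset]

def to_der(cert_bytes: bytes) -> bytes:
    """Plain DER X.509 from an exported .cer: Base-64 exports are converted, containers rejected."""
    text = cert_bytes.decode("ascii", "replace").strip()
    if text.startswith(PEM_HEADER):
        cert_bytes = ssl.PEM_cert_to_DER_cert(text)
    tag = _inner_tag(cert_bytes)  # X.509 -> tbsCertificate SEQUENCE; PFX -> INTEGER; PKCS#7 -> OID
    if tag != 0x30:
        kind = {0x02: "PKCS#12 (.pfx)", 0x06: "PKCS#7 (.p7b)"}.get(tag, "unknown")
        raise ValueError(kind + " export; re-export as 'DER encoded binary X.509 (.CER)'")
    return cert_bytes

def fingerprint(der: bytes) -> str:
    """SHA-1 thumbprint, colon separated."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

def same_certificate(exported: bytes, served_der: bytes) -> bool:
    return fingerprint(to_der(exported)) == fingerprint(served_der)

def exported_matches_server(exported: bytes, host: str, port: int = 443) -> bool:
    """Compare against what the Client Access Server presents; no TLS validation,
    because the certificate is self-signed by design."""
    served = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return same_certificate(exported, served)

# Constructed samples (not real certificates); only the outer ASN.1 shape matters here.
SAMPLE_X509_DER = b"\x30\x07\x30\x05\xa0\x03\x02\x01\x02"             # Certificate{tbs{[0] v3}}
SAMPLE_X509_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_X509_DER).encode("ascii")
SAMPLE_PFX = b"\x30\x05\x02\x01\x03\x30\x00"                          # PFX{version 3, ...}
SAMPLE_P7B = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # ContentInfo{signedData}

if __name__ == "__main__":  # usage: python check_cer.py exported.cer yourexchangeclientsideurl
    with open(sys.argv[1], "rb") as f:
        print("match" if exported_matches_server(f.read(), sys.argv[2]) else "MISMATCH")
```

Run it from outside your network, so the comparison is against the certificate the phone will actually see through the DynDNS address.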

Well, I hope this little explanation was helpful, let me know your thoughts.


Anonymous said...

What to do if I don't have a servers tab on the left?

ischilling said...

Well, if there isn't a 'servers' entry on the left navigation pane I honestly have no clue.

Just for clarification, and to see if an idea crosses my mind: you did log in to the ECP, so at least this didn't work, and then you do not see any servers in the navigation pane nor anything else?

Would you mind adding a screenshot, or better a short video, of what you are doing?

It is not as if I am guaranteed to come up with an idea instantly, but it would help me to understand where you are and what the reason might be.

Attila Balázs said...

To clarify my situation: first I got the error message 80072F0D.
Then I went to my mail server, installed the certificate, exported it in PKCS format and installed it on the WP 7.8.
Then came the lovely 80072F06. After reading your post I logged in to the ECP, but today some modifications were made to the mail server and it won't let me, so I can't make screenshots. But it showed the same as logging in to mail and hitting options.
The difference between your post and my situation is that our mail server is version 2010.
Does that make any difference?
I'll contact my system administrator; maybe they can help me get forward with the ECP.

Attila Balázs said...

Hi, I can't browse for a screenshot, but here I posted a screenshot:
Hope it will help.

Attila Balázs said...

I posted 2 responses but they don't show.

Attila Balázs said...

I posted 2 responses but they won't show.

Anonymous said...

I posted a screenshot here

mahasiswa teladan said...

Hi... I'm a student of informatics engineering. Nice article,
thanks for sharing :)