In this article I described how to set up current smartphones for ActiveSync with Exchange 2010. When setting up the Windows Mobile smartphones, I ran into a problem that can have unpleasant consequences for the administrator. My test environment was set up as follows:
Computer EX1 is a multi-role Exchange server with the three roles Mailbox, Hub Transport and Client Access. Active Directory and an Active Directory-integrated enterprise certification authority run on computer DC1. Windows Mobile 6.1 and 6.5 seem to have a problem with this enterprise certification authority. Although I was able to install the root certification authority certificate on the Windows Mobile 6.1 test smartphone without difficulty, ActiveSync always reported error 0x80072f0d. This error indicates a problem with the certificate; according to Microsoft's error code table, the server's certificate is invalid. Internet Explorer on the smartphone also tells me, when I open the Exchange server's OWA website, that the name and date on the certificate match but that the certificate was issued by an untrusted root certification authority. I initially thought that Windows Mobile considered the certificate invalid because the root certification authority certificate had been installed in the "intermediate" container on the device rather than in the "root" container. But installing the certificate in the "root" container, as described here, returned the same error message.
After a bit of troubleshooting, I discovered that Windows Mobile 6 seems to have a problem if SHA512 or higher is selected as the hash algorithm when installing the certification authority. SHA1 is suggested by default; however, I had selected SHA512, because SHA1 is a rather outdated method and is also considered to be cracked (source: Bruce Schneier's blog).
If SHA512 is selected as the hash algorithm, all certificates issued by the root certification authority are signed with SHA512. This can no longer be changed after installation.
Apparently Windows Mobile 6 cannot handle SHA512, and I could not find any information on the net about whether this is supported or not. In my case, at least, the root certification authority certificate was always declared invalid. Since the hash algorithm can no longer be changed after installing the root certification authority, I had to reinstall the entire role and select SHA1.
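As an added example (not from the original article), here is a PowerShell check that lists the signature hash of a server certificate and of every element in its chain, together with the chain status, so an administrator can see before rollout whether a SHA-2-signed chain will be presented to clients that, like Windows Mobile 6 here, only handle SHA-1. It assumes the certificate is in the local machine personal store; the subject filter `CN=ex1` is a placeholder. The certutil line at the end is the read-only query for the hash algorithm the CA was installed with.

```powershell
# Added example, not part of the original article.
# Lists the signature algorithm of a server certificate and its chain so that
# legacy clients limited to SHA-1 (the Windows Mobile 6 case above) can be
# identified before the certificate goes live.
param(
    [string]$SubjectFilter = 'CN=ex1'   # placeholder: the Client Access / OWA certificate subject
)

# Signature algorithm friendly names a SHA-1-only client can validate.
# Anything in the SHA-2 family (sha256RSA, sha384RSA, sha512RSA, ...) is flagged.
$sha1Only = @('sha1RSA', 'sha1ECDSA', 'sha1DSA')

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectFilter*" } |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate matching '$SubjectFilter' found in Cert:\LocalMachine\My"
}

# Build the chain the way a client would; revocation is skipped because only
# the signature hashes and the trust of the root are of interest here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)

foreach ($element in $chain.ChainElements) {
    $c   = $element.Certificate
    $alg = $c.SignatureAlgorithm.FriendlyName
    $assessment = if ($sha1Only -contains $alg) {
        'SHA-1 signature: accepted by SHA-1-only clients'
    } else {
        'SHA-2 signature: SHA-1-only clients (e.g. Windows Mobile 6) will report the certificate as invalid'
    }
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        SigAlg     = $alg
        Assessment = $assessment
    }
}

# Chain status on this machine; an 'UntrustedRoot' entry means the root CA
# certificate is missing from the local "root" container, the other cause
# discussed above.
$chain.ChainStatus | Select-Object Status, StatusInformation

# On the CA itself, this shows the hash algorithm the role was installed with:
# certutil -getreg ca\csp\CNGHashAlgorithm
```

The output makes the trade-off explicit: a chain that is fully SHA-1 signed satisfies such legacy devices but carries the weakness the article itself points out, so the check is meant to show which clients need replacing or isolating rather than to argue for SHA-1.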
However, you cannot simply reinstall the enterprise certification authority in production environments, and in some environments this can become a major problem. A small tip: there is a migration guide here.
So after I had reinstalled the root CA with SHA1, the rest was a piece of cake: I transferred the certificate to the Windows Mobile smartphone and installed it, set up ActiveSync, and it worked straight away.