In this article I described how to set up current smartphones for Active Sync with Exchange 2010. When setting up the Windows Mobile smartphones, I encountered a problem that can have unpleasant consequences for the administrator. I had set up my test environment as follows:
Computer EX1 is a multi-role Exchange Server with the three roles Mailbox, Hub Transport and Client Access. Active Directory and an Active Directory-integrated enterprise certification authority run on computer DC1. Windows Mobile 6.1 and 6.5 seem to have a problem with this enterprise certification authority. Although I was able to successfully install the root certification authority certificate on the test smartphone under Windows Mobile 6.1, I always received the error 0x80072f0d in Active Sync. This error indicates a problem with the certificate. According to Microsoft's error code table, the server's certificate is invalid. Internet Explorer on the smartphone also reports, when accessing the OWA website of the Exchange Server, that the name and date on the certificate match, but that the certificate was issued by an untrusted root certification authority. At first I thought that Windows Mobile regarded the certificate as invalid because the root certification authority certificate had been installed in the "Intermediate" container on the Windows Mobile device rather than in the "Root" container. But installing the certificate in the "Root" container, as described here, returned the same error message.
After a bit of troubleshooting, I discovered that Windows Mobile 6 seems to have a problem if SHA512 or higher is selected as the hash algorithm when installing the certification authority. SHA1 is suggested by default; I had selected SHA512 instead, because SHA1 is a rather outdated method and is also considered broken (source: Bruce Schneier's blog).
If SHA512 is now selected as the hash algorithm, all certificates issued by the root certification authority are signed with SHA512. This can no longer be changed after installation.
Apparently Windows Mobile 6 can't do anything with SHA512, and I couldn't find any information on the net about whether it is supported or not. In my case at least, the root certification authority certificate was always declared invalid. Since the hash algorithm can no longer be changed after the root certification authority has been installed, I had to reinstall the entire role and select SHA1.
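Because the hash algorithm is fixed at CA installation time, it pays to check which signature algorithm a CA certificate actually carries before it is rolled out to a client population that may not support it. The following script is an added example and not part of the article; it assumes OpenSSL is installed and generates throwaway self-signed test CA certificates (one signed with SHA-512, one with SHA-256) rather than using a real enterprise CA. The list of algorithms treated as acceptable for legacy clients is an assumption for illustration: SHA-1 is taken from the article's findings, and SHA-256 is included only as a common modern baseline that has not been verified against Windows Mobile 6.

```shell
#!/bin/sh
# Added example: inspect the signature algorithm of a CA certificate and flag
# certificates that legacy clients are not expected to accept.
# Requires the openssl command-line tool.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Assumed allow-list for the legacy clients in question (sha1 per the article;
# sha256 added as an assumed modern baseline, not verified against WM6).
LEGACY_OK="sha1WithRSAEncryption sha256WithRSAEncryption"

# make_ca HASH NAME: create a constructed, self-signed test CA certificate
# signed with HASH (e.g. sha512) and print the path of the PEM file.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -"$1" -days 1 \
        -subj "/CN=Test Root CA $1" \
        -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.pem" >/dev/null 2>&1
    echo "$WORKDIR/$2.pem"
}

# sig_alg CERT: print the signature algorithm name recorded in a PEM certificate,
# e.g. sha512WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# check_legacy CERT: return 0 if the certificate's signature algorithm is in
# LEGACY_OK, 1 otherwise.
check_legacy() {
    alg="$(sig_alg "$1")"
    for ok in $LEGACY_OK; do
        [ "$alg" = "$ok" ] && return 0
    done
    return 1
}

# Demonstration on two constructed certificates.
CA512="$(make_ca sha512 ca-sha512)"
CA256="$(make_ca sha256 ca-sha256)"
for cert in "$CA512" "$CA256"; do
    if check_legacy "$cert"; then
        echo "$(basename "$cert"): $(sig_alg "$cert") - acceptable for legacy clients"
    else
        echo "$(basename "$cert"): $(sig_alg "$cert") - NOT expected to work on legacy clients; reconsider before rollout"
    fi
done
```

Run it against the exported root CA certificate instead of the constructed ones by calling `sig_alg /path/to/rootca.pem`; the algorithm it prints is what every certificate issued by that CA will carry, which is exactly what cannot be changed afterwards.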
However, you cannot simply reinstall the enterprise certification authority in production environments, and in some environments this can become a major problem. As a small tip: here is a migration guide.
So after I had reinstalled the root CA and selected SHA1, the rest was a piece of cake: I transferred the certificate to the Windows Mobile smartphone and installed it, set up Active Sync, and it worked straight away.