ActiveSync support code 0x80072F17

[chicagotech]

Hi There,
I have SBS2003 standard edition with Exchange sp2 installed. I have a user
with a pda running Windows Mobile V 5.0. The pda successfully synchs via a
cable with a desktop pc but fails with error 0x80072F17 when attempting to
synch with the server, either via a cable over the LAN or via the phone
network.

I understand that this error is certificate related so I have disabled ssl
on the pda & Require Secure Channel (ssl) is disabled on
IIS\server\websites\default website\Microsoft-Server-ActiveSynch Directory
Security Secure Communications.
Now when the pda attemptes to synch I continually get prompted for the
username or password.
What is my next step?
Scott



--------------------------------------------------------------------------------

Hi Scott,

Thank you for posting in SBS newsgroup.

From your post, my understanding on this issue is: You cannot sync PPC with
Exchange mailbox by ActiveSync with the following error:

'attention required', status 'Synchronization could not be completed. try
again later'. Support code: 0x80072F17.

If I'm off base, please feel free to let me know.

Based on my knowledge, the error 0x80072F17 is translated as
ERROR_INTERNET_SEC_CERT_ERRORS, which means the certificate installed in
Exchange Server for ActiveSync access is not trusted by Pocket PC.

The article below lists known third-party Secure Sockets Layer (SSL)
certificates from trusted root certification authorities that have a root
store presence in Windows Mobile Powered devices like Windows Mobile
5.0/2003.

3rd party certificates compatible with Windows Mobile devices
http://blogs.msdn.com/jasonlan/archi...14/550747.aspx

Basically they are certificates from Certificate Authority (CA):
CyberTrust, Entrust.net, Geotrust, GlobalSign, GoDaddy, Thawte and
Verisign. If you issue your own certificate for ActiveSync access or use
third party certificate other than these CA. You will encounter error
0x80072F17 during ActiveSync access. A good example is as below:

You can use this PPC to access OMA by https://Exchange_FQDN/OMA. If the
certificate is not trusted in your PPC, you will encountered a Security
Alert including sentence as below:

"This security certificate was issued by a company that you have not chosen
to trust"

When you click Yes, you can continue accessing mailbox by OMA.

Although you can dismiss the Security Alert and still access mailbox by
OMA, there isn't such configuration for you to dismiss Security Alert
during ActiveSync access. So considering current situation, you can simply
disable SSL in Microsoft-Server-ActiveSync virtual directory in IIS console
of Exchange Server or follow the steps below to import certificate into PPC.

Step 1: Export certificate from Server.

1. Start MMC on the Exchange server.
2. Please add "Certificates" Snap-in and associate to "Local Computer"
account
3. In the "Personal\Certificates" or "Trusted Root Certification
Authorities\Certificates container", please double click to open the
certificate you used for ActiveSync.
4. In the Details tab, please right click the certificate, click All Tasks
to export your root certificate to DER type certificate with a *.cer file.

Step 2: Copying the Certificate File to the Device

1. Log on to a client computer that has ActiveSync 4.1 installed.
2. Copy the certificate you exported in Step 1 to this workstation.
3. Navigate to Mobile Device under My Computer. By default, the contents of
the My Documents folder on the device are displayed.
4. Right-click the content area and click Paste to copy the certificate
file to the device.

Step 3: Installing the Certificate on the Device

1. On the Windows Mobile device, open File Explorer (for Pocket PCs) or
File Manager (for Smartphones).

Note: File Explorer is present at Start\Programs on Pocket PCs.

2. Find the certificate file you just copied to the My Documents folder on
the device and run the file by either tapping the file name or pressing
ENTER while the file is selected.

3. Click Yes on the confirmation message box to install the certificate. If
you receive no error messages, the certificate is installed successfully.
If you receive an error and the certificate is not installed, you will need
to use an external utility to install the certificate on the device. To
install the certificate using this external utility, perform the following
steps:

a. On the client computer, download smartphoneaddcert.exe from the
following URL:
http://support.microsoft.com/?id=841060

If a signed version of smartphoneaddcert by your mobile operator is
available from this link, download the signed version.

Note: Although the Knowledge Base article, "841060," at the given link
refers to Windows Mobile 2003 and Windows Mobile 2002, the utility will
also work with Windows Mobile 5.0.

In addition, even though the file is named "smartphoneaddcert," it also
works with Pocket PCs.

b. Run smartphoneaddcert.exe and extract SpAddCert.exe.
c. Copy SpAddCert.exe to the device.
d. On the device, create a folder named "Storage" on the root of the device
and copy the certificate file into the Storage folder.
e. On the device, run SpAddCert.exe. By default, the certificates in the
Storage folder of the device are listed. Select the certificate you just
copied and click OK on all message boxes that get displayed, to install the
certificate.

More info here:

Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 (Page
14: Step 4 - Deploying an SSL Certificate)
http://www.microsoft.com/downloads/d...d72-1e5a-4128-
a30c-dafeeb43544d

Thanks for your time and I look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

[chicagotech]

In most cases, this error is related to an unsupported digital certificate.

Case 1: The client enable SSL without installing certificate.

case 2:The client uses IP to access the email. The fix is unchecking SSL when setup email in Motorola Q.

Case 3: the exchange server is not using a real certificate, rather a self generated certificate.

[chicagotech]

Regarding this issue, there are a few things you can do.
1. Get a third party certificate which is already trusted by your mobile devices
2. Get a third party certificate which is already trusted by your mobile devices which is signed by an intermediate store which means you will have to still install the intermediate certificate on mobile devices
3. Use your own certificate, but import the root certificate into the root certificate store on all your mobile devices.

Also, when you enter your credentials in Activesync, make sure you put the netbios name of your domain, not the FQDN. I'm not sure if this is the case with all mobile devices, but when I connect my Palm Treo 700w to Exchange 2007 Server, if I put in the FQDN of my domain, it will give me an Active Sync error. But when I put in the NetBios name, it'll sync up just fine.