Adding Root Certificates for Exchange Activesync


How can I add root certs to my Windows Mobile 5.0 device?


In WM 5.0, the certchk tool no longer works for disabling SSL certificate verification on the Exchange ActiveSync connection. What are the options for secure connections to the server?

– Buy an SSL certificate from a major vendor. You should be able to get one for < $100. If you do this, the connections will just work. Launchpad page to find an SSL cert vendor here.

– If you have management access to the device, you can add your self-signed cert to the ROOT store directly via rapiconfig, a CAB file, or the certinst.exe tool. This depends on the security configuration of the device. On a Pocket PC in the default configuration this will be possible, but on a default Smartphone, you cannot. In some cases you will need to add the intermediate certs as well. (details)

– Some OEMs or mobile operators provide certificate installers for their platform.

If you can’t buy a cert that chains to a major root, you can’t manage the device, and there is no signed installer for your platform, there is not a good way to do this in WM 5. We have definitely gotten the message that a lot of customers find themselves in this situation and we feel your pain.

There is some more documentation and instructions around this process in the MSFP Deployment Guide.

edit: MSDN page about adding root certs here. The page also has a signed cert installer for Sprint and Verizon devices.

update 1/10: iMate provides a certificate installer application for the SP5 series of phones. Link here

update 3/8/06: Added link to MSDN page showing choices for where to buy root certs and which ones are supported on which OS versions.

update 4/4/06: Added link to creating a root cert CAB file inline. Linked forward to page about intermediate certs.

update 4/6/06: link to deployment guide



Comments (205)

  1. Ok, you feel our pain.

    For the smartphones it is as simple as releasing a trusted signed version of certinst.exe. In the past you helped manufacturers like HTC to create a trusted signed version of regedit.exe. Why not create the same for certinst.exe to relieve our pain?

  2. You forgot to mention that an extra root certificate is also required when enabling your device for 802.1x access to wireless networks.

    Nobody I know of runs their (internal) RADIUS server with a public certificate.

  3. Chris Young says:

    How come you can’t specify a different certificate name like you can in Outlook (the msstd principal proxy setting)? The problem we are having is that our ISA server has one IP and we route several secure sites through it, so we have a wildcard certificate on the frontend. Are there any workarounds for this implementation?

  4. scyost says:

    Raymond,

    The OEMs or Operators are free to deploy root cert install tools if they want to. The linked MSDN page contains sample code to write such a tool and also signed versions for Sprint and Verizon devices.

  5. Nick says:

    It doesn’t matter that the operators are free to do something. They won’t.

    The problem here is that there is no way for the owner of the device (the end user) to tell their phone to trust their server’s 3rd party certificate.

    How would you feel buying a new car that you could only put one brand of gas into? There might be cheaper gas, and your car company would be free to make an adapter for you, but you can bet that it would never happen, and you would not get the choice of what gas to use here.

    The USER needs to have the choice here.

    The security concept is certainly a good idea, but when it makes it IMPOSSIBLE to use your device, it is just unacceptable.

    Yes, I’m ranting. I have a GoDaddy cert on my Exchange server, and I cannot use my MPx220 device with it. I cannot update my phone as the software is locked, and the MS tool does not allow me to install software.

    This MUST be fixed.

  6. Amen Nick!

    What I find most concerning is that I buy a SIM-lock-free phone only to find out that it is software locked.

    In my case I managed to break down this so called ‘security feature’ and install my own certificate. But there was no sign on the phone as being software locked for me when I bought it.

    I’m not sure if it is up to Microsoft to force the OEMs to deliver a trusted version of certinst.exe with their device when it’s supposed to be software unlocked.

    I expected an ‘open’ device when I bought it. It should be an end user option to tighten its security.

  7. scyost says:

    You’re right, wi-fi is the other major reason to need to add a root cert. We are very very aware of this problem. In the meantime, you need to make sure you buy devices that you can fully manage if you need this capability. Any device that has the grant_manager policy set to user_auth will work – that’s most PocketPCs and some Smartphones. I wish there were a master list so that you could make an informed decision – I will look into seeing if we can get that.

  8. rafaelc says:

    Hello, I purchased an i-mate SP5m, and I have this problem about the certificate. We don’t have a trusted certificate; can you explain how to use (in detail) the RAPICONFIG or the certinstall.exe tool? I tried but without success; the device is locked for adding 3rd party certificates.

  9. Thanks for the support Scott.

    There is definitely no list to make an informed decision when purchasing a WM5 device. Usually there is no way to return the device when you find out that it does not enable you to install your own certificates. In many cases this cripples the usability of the device when the only way to connect to your WLAN is 802.1x based.

    Again. Why doesn’t Microsoft urge the OEMs to create a trusted version of certinst.exe? Or am I wrong about the simplicity of creating such an application?

    rafaelc

    Have a look at http://groups.google.nl/groups?hl=nl&q=%22Unlocking+Windows+Mobile+5+Smartphones%22 for the solution on your imate smartphone.

  10. scyost says:

    Adding those root certs is an administrative activity currently so it’s up to the manager of the device to delegate that to you. The manager of those phones is the operator (if it’s not the user). Verizon and Sprint already have signed the SPAddCert tool, but I can’t speak for the other operators. Signing a tool with a retail cert is a pretty big deal because it means it will run on all those devices, past and future, regardless of security policy, so it’s not something to be undertaken lightly.

  11. I understand that adding root certs is an administrative activity that should be restricted in a controlled environment.

    But my phone for example is an i-Mate SP5. iMate is not an operator, but a (small) company that sells HTC devices under its own name. iMate will NEVER ever administer my smartphone. I expect hardware support and software updates, but no administration. Why should iMate care if I want to add a certificate to MY phone? If Verizon and Sprint are able to release signed versions of the SPAddCert tool, what takes HTC/iMate so long to release their version? Did Microsoft help Verizon/Sprint and forgot about HTC? I am looking for the reasoning behind HTC’s not releasing their signed tool as of yet.

  12. scyost says:

    Okay, I understand the iMate situation better now, but I can’t speak for why they don’t have a tool. It’s not really appropriate for HTC to sign the tool because HTC’s certs are on all HTC devices so that code would run on all the HTC devices regardless of operator. I’ll see if we have an existing relationship with iMate and if we can get something to happen.

  13. Matt Peterson says:

    I’ve also got an iMate SP5. I’ve managed to unlock the software so I can add certs, and I’ve added the wildcard cert that our organization uses, but ActiveSync still fails with an "incorrect SSL certificate common name" error. This is infuriating. I bought this device specifically for the near-real-time sync with Exchange and that is apparently the only thing I *can’t* do with it.

  14. Matt,

    Did you get Active Sync working before?

    What I get from your message is that the certificate from your webserver does not contain the URL you use for accessing it in the subject field.

    You had better open the certificate of the webserver and check whether the contents of the subject field match the URL you configured on your Windows Mobile device.

  15. Matt Peterson says:

    My Windows Mobile 2003 device had the same problem, but I could get around it by disabling certificate checking with certchk.exe. Since that tool does not work with WM 2005 I am unable to get ActiveSync working with my current device.

    The certificate from my web server is a wildcard certificate with a common-name that looks like "*.domain.com" while the actual name of the server is "servername.domain.com"

  16. Matt,

    Thanks for the info. Disabling certificate checking is not an option on WM5 for the moment. Maybe Scott can shed some light on its future availability.

    To make it work now you need a certificate for the specific url you are using for mobile active sync. A wildcard certificate will definitely not work.

    HTH

  17. Hal Michael says:

    Adding a certificate on WM5 can be done. There are several "self help" posts on Hofo and Smartphonethoughts (Tips and Tricks forum) that can help. I did it this weekend with an existing FreeSSL certificate.

    This is, however, a real PITA in that you must first "application" unlock the phone. In a business enterprise this may raise more questions than it answers.

  18. scyost says:

    w.r.t. wildcard certs and adding root certificates to locked devices, all I can say is that there’s no wildcard cert support in the platform currently, and there’s not a good way to add a root cert to a locked-down device without a priv-signed app. I can’t discuss future product features right now except to say that we are aware of both of these issues and the problems that they cause for some customers.

  19. Matt Peterson says:

    I know that certchk just set a registry key value to disable certificate checking. I also know that setting that same key on WM2005 has no effect. Is it entirely impossible to do the equivalent with WM2005, or is Microsoft just unwilling to share the method for doing so?

  20. scyost says:

    Disabling SSL verification for Exchange isn’t possible on WM2005 that I know of. If there were an easy way like certchk to share with you I would have definitely already done that.

  21. Jacob says:

    Hi there,

    I’m having the same issues. I even bought an SSL certificate from Verisign because I hoped that it would solve my problem. Now on a regular PC with Windows XP I do not get that annoying security pop-up anymore when logging into our company webmail server. I still have the problem on both my Qtek 8310 (WM 5.0) and Qtek 2020i (WM2003) though. Is Verisign not a major root authority accepted by Windows Mobile? With some reg hacks I managed to get the certificate from my Exchange server imported to the smartphone, so that it now appears under trusted root certificates, but I still cannot connect with ActiveSync. The server I am trying to access is https://aal.gatehouse.dk/exchange . That DNS name actually points to an ISA 2004 server that redirects the request to an internal Exchange server named exchange-gh.

    It’s really frustrating not being able to get this to work. Any suggestions?

    Jacob

  22. scyost says:

    Hi Jacob,

    I’m not sure why your connection isn’t working. We do have the Verisign Class 3 CA that signed your cert in the root store – you can see it yourself in the Certificates control panel. I actually couldn’t get your cert to validate in Firefox either, and Firefox also has the same root cert installed. Sorry I can’t be of more help – that area isn’t one I work directly on.

  23. E Scotten says:

    Holy Crap! Just received a dozen HP HW6515 from Cingular. All locked and unable to install certificates for use by ActiveSync / Exchange.

    I just spent 2 hours on the phone with "top tier" Cingular support and they aren’t even aware that their company is causing the problem. They actually referred me to HP!

  24. Dave Lee says:

    Is a new method for disabling certificate checking on the horizon? Or support for wildcard certs? We have invested heavily in our web infrastructure and wildcard certificates…. This has created big issues for us as we now have 50 SPV C600 phones we can’t use properly.

  25. scyost says:

    Wait, the HW6515 is a WM2003 PPC device. Why can’t you add certs to it? Does certinst not work?

  26. scyost says:

    We have done some investigation into how many of our customers need wildcard cert support. It’s in the bucket of features under consideration for the future but it’s not yet slated for a particular release that I know of.

  27. adebilloez says:

    And what about client certificates? It’s a pity even on PPC. We still need a tool like this one:

    http://www.jacco2.dds.nl/networking/crtimprt.html

  28. Timoftheblues says:

    I’ve just added a root cert no problem. I copied the cert to the device using ActiveSync Explorer, then on the device located it, clicked on it, and it installed no problem.

    Hope that helps someone.

    Tim

  29. MisterWembley says:

    I was able to add my own certificate to my WM5 Smartphone (Audiovox SMT5600) by doing the following:

    Change the value of following registry entry on the device:

    HKLM\Security\Policies\Policies\00001017

    from 128 to 144.

    Restart the device.

    Export the desired certificate as a binary encoded (DER) certificate (.cer).

    Copy the .cer file to the device.

    Open the .cer file on the device via file explorer.

  30. i have bought the QTEK 8310.

    I spent 2 hours trying to sync to Exchange, contacting our admin and taking up his time as well.

    It’s really a shame.

    Microsoft can tell what they want; it’s your product, it’s your marketing, and it doesn’t work.

    It’s generally user-unfriendly at worst and, in detail, completely unnecessary.

    It still doesn’t work.

    :-((((

  31. Brian says:

    I did the same thing; exported the root and intermediate certs (for instantssl, in this case) and just copied and clicked.

    I’m a little puzzled at some of the responses from the MSFT poster, though. Did you guys just forget that it’s this easy? Or does it work by mistake?

  32. Pace says:

    Oh Great!

    So I buy a WM2003 which was a nightmare to get working… you read of Ex SP2 and WM2005 and you think ok great, I’ll just do that, and now we just get more excuses yet again…

    I’m on the dev network guys and I think MS is great as a whole; the mobile department make a lot of false promises though! I really think you should speak to your marketing guys because you have a lot of customers extremely unhappy over the Exchange issues.

    There is hardly anything of any substance on the matter on the web either, which makes me wonder.

    Get it sorted guys, we don’t want excuses, we want some hard answers and "HOW TO’s"

    Proper ones though, where you don’t have to be an MVP in WinCE etc. to understand!

    Come on guys, MS are the best at listening and helping customers, so why are you letting it slip now?

  33. scyost says:

    Brian: Like I said, "This depends on the security configuration of the device. On a Pocket PC in the default configuration this will be possible, but on a default Smartphone, you cannot." It’s not as easy on a device that is deployed in a more restrictive configuration.

  34. scyost says:

    Pace:

    It would help if you could be more clear about what exchange problems and false promises and lack of information exactly is a problem for you. If it’s specifically that you can’t add root certificates to a restricted device, then I’m sorry that I don’t have any more information than what’s on this page. If there’s something else, maybe I can point you to a resource.

  35. Will Cheng says:

    Hi All,

    Can I get some opinion re. this post: http://www.modaco.com/index.php?showtopic=231066&st=0&p=702622&#entry702622

    As you’ll see I’ve followed the steps in it but I’m not able to get my third party certificate to install on my MDA Vario.

    Thanks,

    Will

  36. Reed Robison says:

    There is a patch for the HP6515 which is a 2003SE device out on HPs support newsgroups. I tested it on a 6515 here and it worked. Note- this is unrelated to the WM5 questions around security changes on that platform.

    http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=983508&prodTypeId=215348&prodSeriesId=501209

  37. Stu says:

    Ok, I’m getting somewhere with my SP5 after reading this page and having the same problems as everyone.

    I have an Imate SP5 with WM5 and also an E2k3 SP2 server.

    I can get my Mobile Outlook to sync fine without SSL, so that rules out any ActiveSync issues.

    When I try to sync I get the following support code error. 0x80072F0FD

    I’ve successfully used the SP5 tool at the top of this page to install my certificate and it successfully installs; furthermore I can see the certificate installed in the root of my certificate store. Issued to mail.my-domain.com Issued By: Equifax Secure Global.

    I’ve changed HKLM\Security\Policies\Policies\00001017 from 128 to 144. But I find this resets itself on a reboot.

    Now the interesting bit: when I try to get to OMA on http://mail.my-domain.com/oma I get the prompt, this certificate is incorrect, invalid etc., the usual warning. I do not receive this in XP IE6 or Firefox, so again I’ve ruled out a certificate issue.

    One thing I did notice however….when you accept this warning you get to the login screen where interestingly it says

    Site : mail.xxxxxx-
    Realm: mail.xxxxxx-xxxx (runs off the screen)

    I’m wondering if there is a bug in Mobile IE or the underlying HTTP drivers which cuts short the domain name and is causing this mismatch in Certificate Issued to: and Site: and causing the prompt, and therefore causing the error message with ActiveSync which cannot handle certificate prompts??

    Can someone else test this theory out to see if they get similar results?

    Can someone from MSFT comment on their thoughts on this? I am willing to try suggestions, tools, patches etc.

  38. scyost says:

    Hi Stu,

    I would need to see the site / certificate to really investigate your problem. If you’d like to e-mail it to me I can try to take a look.

  39. Just want to thank Scott; he resolved the issue for me. The problem was occurring for me because I was taking the certificate which came from OWA and installing that one on my WM5 device. This certificate is a child (mail.my-domain.com) of a root certificate (Equifax Secure Global eBusiness). This can be ascertained by going into the properties of the issued certificate and going to Certification Path. From there, highlight the root and View Certificate; now export this one and install it on the device as well. This resolved my issues.

    Thanks again Scott

  40. gdusenberry says:

    hmmm…

    I have a self certified Exchange server. I exported the server’s cert (from MMC Certificates) and copied it to my i-mate K-JAM. The imate accepted it, added to the root certificates list, yet STILL doesn’t recognize the cert as valid. From IE on i-mate, the cert still throws a "The certificate was issued by a company you have not chosen to trust" WHY? I mean the cert DOES show up in the trusted ROOT certificate section…

  41. gdusenberry says:

    hmmm…

    I have a self certified Exchange server. I exported the server’s cert (from MMC Certificates) and copied it to my i-mate K-JAM. The imate accepted it, added to the root certificates list, yet STILL doesn’t recognize the cert as valid. From IE on i-mate, the cert still throws a "The certificate was issued by a company you have not chosen to trust" WHY? I mean the cert DOES show up in the trusted ROOT certificate section…

    If the problem can’t be fixed quickly, how about list of accepted SSL providers?

  42. Jacob says:

    I finally resolved my activesync/exchange problems the other day by using a free ssl certificate from here:

    http://cert.startcom.org/

    Use this guide

    Before that i even bought an expensive Verisign cert but i still could not get it working.

    Hope this can help others out there.

    Jacob

  43. k54me87 says:

    Scott,

    You mention the MSDN article about installing a root certificate onto your Windows Mobile device. You also mention the Verizon signed certificate install tool. Unfortunately, the MSDN doc only describes the process for Windows Mobile 2002 and 2003 devices; there is no mention of WM5. In WM5 where do I put the install tool and where does my CA’s certificate need to be? I put both of them on the phone (Treo 700w) and ran the cert install tool, but it says that it cannot find the cert… the cert is in the same folder. I’ve also tried putting the cert on the root of the phone’s file system… with no luck.

    Hope you can provide some insight here.

    TIA

  44. Rohan Schloithe says:

    How about getting p12 (Personal Information Exchange) certificates to work on WM5?  Is there a tool that can convert these into a format that WM5 understands?

  45. scyost says:

    Hi Rohan,

    Do you mean PFX files? You can use the above method – open them up in explorer and then export to a .CER file and proceed. If you’re writing code for the device you can also use the PFXImportCertStore API in CAPI to do it.

  46. Bill says:

    Has anyone had this same issue with the Cingular 2125 (HTC Faraday).  Also runs into "invalid certification" when trying to sync with Exchange Server.

    All help appreciated.

  47. Ken says:

    I already have a purchased SSL certificate on my Exchange server to support all my other activities (OWA, RPC/HTTP etc…)  I need another certificate and I have to load a copy on each WM phone?

    K-

  48. Marshall says:

    OK.  Got my Dopod 818pro to import the Startcom CA & sub-CA certs which I use on my Exchange server and now EAS with SSL is working quite nicely. (Using the reg key method)

    However, when I tried to import my personal cert (also by Startcom) via changing the reg key to 144, my email/ID certs gets imported into the root cert store.  Any way around this?

    I know the outlook client on the WM5 does not support email signing but I was hoping to authenticate myself to certain websites via my personal cert……

  49. scyost says:

    I’m not sure what method you are using to import the cert – are you just clicking them? The certificate installer in the platform will install to the ROOT store. If you want to install to the MY store, you can do that via XML. See instructions at http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx. Just change ROOT in the XML to MY. You also don’t need to change any security policies to add certificates to the MY store. It is allowed by default.

  50. Er, will that really work, Scott? What use is a personal certificate without the corresponding private key? Or can you also add a private key to the MY store with XML provisioning?

    Marshall and Rohan wanted to import a personal certificate from a PKCS#12 file. Sure, you can use the PFXImportCertStore API in CAPI to do it. But then they would have to write their own program and that program would only run on Windows Mobile 5.0.

    My program P12imprt can import a PKCS#12 file and runs on both Pocket PC 2003 and Windows Mobile 5.0. Check out the link above.

  51. scyost says:

    Jacco is right – I was focusing on just the certificate store aspect. You cannot add the associated private keys through the Certificate CSP. You’ll need to write code or use some other tool to import a certificate for client auth.

  52. Kappie says:

    Scott – I have managed to export the root certificate from my Exchange server and install it on my Verizon WM5 device (using the signed Verizon utility linked above — even though it does not say it works with WM5). When I go into Start_Settings_System_Certificates, the root certificate I added is there on the device. But when I try to sync, I still get the message "The security certificate on the server is Invalid. Contact your administrator… Support Code 80072f0d". Any ideas? The certificate is an Equifax Secure Certificate.

    Thanks!

    Kappie

  53. Loren says:

    Working on a T-Mobile "MDA" WM5 phone here. I was able to export the GeoTrust (Equifax reseller) cert from IIS and import it on the phone. It now shows in the root CA list on the phone, but I still get the "The security certificate on the server is invalid" message when syncing (support code 0x80072F0D), same as the previous poster. Sure would be nice if we could get a fix/workaround for this ASAP, since the certchk tool is now disabled (should use of this tool be a corporate decision, anyway??)

  54. Mario says:

    I have been trying to sync with our corporate Exchange 2003 SP2 server via wireless ActiveSync for a couple of months, and after a visit to my company IT Dept, we have narrowed it down to a certificate issue. I could really use an expert’s help, PLEASE! Here are some facts:

    1) Phone = PPC-6700, WM5.0 on Sprint

    2) My profile on the exchange server has me enabled to sync via OMA

    3) We tried temporarily disabling certificate checking on the server. With cert checking disabled I was able to sync successfully! But of course, the admin can’t leave this feature disabled due to potential security issues. This leads me to believe I have a certificate issue

    4) With cert checking enabled as default on the server, when I attempt to sync, I get an error "Your account in Microsoft Exchange Server does not have permission to sync with your settings…"

    5) I have a Root Cert (generated by my company) and personal cert (also generated by my company) listed under certs on my phone

    6) I can access our OWA page with no problems on my phone via pocket internet explorer and I can access my account with no problems. It prompts me to select a cert below to log on with (standard stuff, just like on the laptop) and I can sign in no prob. This leads me to believe that my cert is valid since I can log on with OWA

    7) When I try to access https://companyname.com/oma, I get right in – it does not prompt me to select a cert, user name, or password. Just takes me right to my inbox.

    So what do you think is causing this problem? My IT guys are stumped. I read somewhere that this may be because my root cert is "home brewed" and not a verisign, etc.. One other thing to keep in mind – In order to get a personal cert installed, I had to export my cert as a .pfx and I used a program to convert it to a .cer. My IT guys said I absolutely had to use the pfx because it contained an encrypted key that was required to log into the server.

    Please help me on this one. I can’t wait to get my sync going! Thank you very much for your help.

  55. Phillip says:

    I have had similar issues as mentioned by Mario and the others on this blog. The fix I found that covers issues for Windows Mobile 2003 to 2005 is to have your certificate provider generate a new certificate. We use a third party provider that is not one of the big boys like Verisign. It appears that the answer is to ensure that they issue the new SSL certificate from the GTE Root. If you don’t have an SSL certificate generated this way then you will see issues like Mario mentions and the others with Windows Mobile 2005 and older versions. Anyhow this worked for us so I hope it helps ease the pain.

  56. Mario says:

    Thank you very much for your reply, Philip.  I will go ahead and try this.  Any other ideas, guys?  Thanks!

  57. Loren says:

    I was able to get this working by downloading the root cert from GeoTrust that corresponded to our SSL cert and importing that into the root store on the phone. Importing/adding the *issued* SSL cert does not work (nor has it ever worked in my experience).

    FWIW, here is the GeoTrust page I used to get the root cert:

    http://geotrust.com/resources/root_certificates/index.asp

    I just looked for the one that matched the data on the cert we had installed on the Exchange server.

    Note that T-Mobile also told me to import/add the issued cert, instructions they claim came from MS, so clearly there is a lot of bad information flying around.

    Good luck-

    Loren

  58. scyost says:

    Right – you must add the ROOT certificate to the device. Any other intermediate certs, if needed, must be added to the CA store. See the other root certificate posts from me on the blog for more detail on those issues.
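Which exported .cer belongs where is the question that recurs through these comments: the self-signed root goes to the ROOT store, intermediates to the CA store, the server's own issued certificate to neither, and WM5 matches the server name exactly with no wildcard support. The script below is an added illustration of those rules, not code from the post or from Microsoft; it models certificates as plain subject/issuer/name records with constructed sample data patterned on the comments rather than parsing real .cer files.

```python
"""Plan a Windows Mobile 5.0 certificate install from an exported chain.

Added example. Certificates are represented by the few X.509 fields the
check needs; in practice these come from the .cer files exported from the
server (Certification Path -> View Certificate -> export).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str                  # subject distinguished name
    issuer: str                   # issuer distinguished name
    cn: str                       # subject common name WM5 compares to the server name
    sans: Tuple[str, ...] = ()    # dNSName subjectAltName entries, if any


def is_self_signed(cert: Cert) -> bool:
    return cert.subject == cert.issuer


def order_chain(certs: List[Cert]) -> Tuple[Cert, List[Cert], Cert]:
    """Sort an unordered bag of certificates into (leaf, intermediates, root).

    Raises ValueError when the bag does not reach a self-signed root, which is
    exactly what happens when only the server's issued certificate was exported.
    """
    by_subject = {c.subject: c for c in certs}
    issuer_names = {c.issuer for c in certs if not is_self_signed(c)}
    leaves = [c for c in certs if c.subject not in issuer_names]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    chain = [leaves[0]]
    while not is_self_signed(chain[-1]):
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            raise ValueError(
                "chain does not reach a self-signed root: issuer %r is missing. Download "
                "that CA certificate from the provider; installing the server's own "
                "certificate does not help." % chain[-1].issuer)
        if parent in chain:
            raise ValueError("issuer loop in chain")
        chain.append(parent)
    return chain[0], chain[1:-1], chain[-1]


def wm5_name_matches(cert: Cert, server_host: str) -> bool:
    """WM5 accepts only an exact, case-insensitive name; '*.domain.com' never matches."""
    return any(n.lower() == server_host.lower() for n in (cert.cn, *cert.sans))


def plan_install(certs: List[Cert], server_host: str) -> Dict[str, list]:
    """Say which certificate goes to which device store and why a sync may still fail."""
    plan: Dict[str, list] = {"ROOT": [], "CA": [], "do_not_install": [], "warnings": []}
    try:
        leaf, intermediates, root = order_chain(certs)
    except ValueError as err:
        plan["warnings"].append(str(err))
        return plan
    plan["ROOT"].append(root.subject)                     # self-signed root -> ROOT store
    plan["CA"].extend(c.subject for c in intermediates)   # intermediates -> CA store
    if leaf is not root:
        plan["do_not_install"].append(leaf.subject)       # issued server cert stays on the server
    if not wm5_name_matches(leaf, server_host):
        names = (leaf.cn, *leaf.sans)
        if any(n.startswith("*.") for n in names):
            plan["warnings"].append(
                "certificate names %r are wildcards; WM5 has no wildcard support, so "
                "%r is rejected as an incorrect common name" % (names, server_host))
        else:
            plan["warnings"].append(
                "certificate names %r do not match the configured server %r" % (names, server_host))
    return plan


# Constructed sample data patterned on the comments (names only, not real certificates).
EQUIFAX_ROOT = Cert(subject="CN=Equifax Secure Global eBusiness, O=Equifax Secure Inc.",
                    issuer="CN=Equifax Secure Global eBusiness, O=Equifax Secure Inc.",
                    cn="Equifax Secure Global eBusiness")
MAIL_LEAF = Cert(subject="CN=mail.my-domain.com", issuer=EQUIFAX_ROOT.subject, cn="mail.my-domain.com")
WILDCARD_LEAF = Cert(subject="CN=*.domain.com", issuer=EQUIFAX_ROOT.subject, cn="*.domain.com")
SAMPLE_INTERMEDIATE = Cert(subject="CN=Sample Intermediate CA", issuer=EQUIFAX_ROOT.subject,
                           cn="Sample Intermediate CA")
CHAINED_LEAF = Cert(subject="CN=owa.example.com", issuer=SAMPLE_INTERMEDIATE.subject, cn="owa.example.com")

if __name__ == "__main__":
    cases = [
        ("root + issued cert (comment 39)", [MAIL_LEAF, EQUIFAX_ROOT], "mail.my-domain.com"),
        ("issued cert only (comments 57, 65)", [MAIL_LEAF], "mail.my-domain.com"),
        ("wildcard cert (comment 15)", [WILDCARD_LEAF, EQUIFAX_ROOT], "servername.domain.com"),
        ("root + intermediate (comment 31)", [CHAINED_LEAF, SAMPLE_INTERMEDIATE, EQUIFAX_ROOT], "owa.example.com"),
    ]
    for label, certs, host in cases:
        print(label, "->", plan_install(certs, host))
```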

  59. Loren says:

    I get that…now. Again, it’s worth noting that I didn’t before, and the T-Mobile techs are passing out bad info, too.

    A post (or gee, instructions in the box) that says, "You must import the root cert from your provider to the device. This is not the same as the cert they’ve issued to you. Many cert providers make their root certs available for download on their web sites. Check there or contact your provider."

    I don’t see any reason that the included root cert store isn’t the same as on XP, 2003, etc. This is a major headache that is avoidable. The GeoTrust root cert is all of 902 bytes.

  60. Diedcow says:

    Thanks to MisterWembley, It worked.

    # re: Adding Root Certificates for Exchange Activesync

    Thursday, December 15, 2005 11:19 AM by MisterWembley

    I was able to add my own certificate to my WM5 Smartphone (Audiovox SMT5600) by doing the following:

    Change the value of following registry entry on the device:

    HKLM\Security\Policies\Policies\00001017

    from 128 to 144.

    Restart the device.

    Export the desired certificate as a binary encoded (DER) certificate (.cer).

    Copy the .cer file to the device.

    Open the .cer file on the device via file explorer.

  61. Tom says:

    Any ideas for the HTC Faraday (Cingular 2125). I tried a number of hacks, but nothing works. If the cert is untrusted by a root CA, it looks to be a bum deal for us.

  62. Loren says:

    "update 3/8/06: Added link to MSDN page showing choices for where to buy root certs and which ones are supported on which OS versions."

    That’s fine and dandy, but I can tell you that the QuickSSL certs I’ve gotten from GeoTrust are not issued from one of the few roots preinstalled on Windows Mobile 2003 or 5.0; in both cases the root cert must be added, or in the case of WM2k3, the certchk tool must be used to turn off cert checking.

    This page edit and the linked page (https://partner.microsoft.com/global/partner/40027352) will only cause more confusion, not less.

  63. scyost says:

    Hi Loren,

    I’ll update the page to be more clear about which roots are on the device for those CAs that use more than one root. If you have any other specific examples, please send them.

  64. Jim says:

    I have a Pocket PC and cannot access my OWA or some SSL sites… it is running Windows Mobile 5… my previous Mobile 2002 SE worked just fine… what do I need to do to make Mobile 5 work on a Pocket PC to access OWA?

  65. Jay says:

    Hey Guys,

    I have the Cingular 8125 and am trying to sync with Exchange 2003; we have a purchased SSL cert from Equifax which is not in the list. I opened IE and went to OWA and clicked on the lock and exported the cert on my desktop to the DER *.cer and installed it fine on my Cingular 8125 WM5 device, but ActiveSync still complains that it’s an invalid certificate. Any ideas or help please!!!!!!!

  66. Loren says:

    You need to get and import the root cert from Equifax, not the cert they issued to you: first look up the root cert from which the cert you installed was issued, then download that root from Equifax and add it to the root store on the device.

  67. jasonh says:

    Thank you for this blog/forum. It has helped to understand the problems with EAS. I am very happy to say I have gotten my Qtek 8310 working perfectly with a 3rd party cert that was not initially recognized by the phone. I guess this phone is supposed to be the same as the Cingular 2125 and the i-mate SP5? These are the two links that I followed to the "T" and everything worked perfectly.

    http://cert.startcom.org/?app=127

    http://www.eksternkompetanse.no/blog/PermaLink,guid,a87f5aa1-a61c-433a-b8e3-121bd867dbb3.aspx

  68. chernicr says:

    Posts on this thread helped me insert my PKCS#12 certificate and the corresponding CA root certificate on an i-mate JasJar, but still no joy (Opera throws up a dialog saying the root certificate is not registered; IE just goes straight to the 403 returned by the server).

    How do I edit a registry entry under Windows Mobile 5.0? Is there a native utility, a 3rd party hack, or do I need the developers’ toolkit?

    Ron

  69. chernicr says:

    Panic over. I found a regedit tool for WM5, flipped the bit that an earlier poster provided, and that fixed the root certificate problem with IE, but not Opera (I suspect this is a bug in the Opera beta).

    But the server I need to talk to via SSL uses Javascript for the menus, so now I have IE talking SSL, but no menus because it does not support Javascript, and Opera with great Javascript support, but no self-signed certs, so no SSL!!

    Grrr…

    Ron

  70. Mike B. says:

    Have Cingular 8125 with Exchange 2003 SP2 and an Equifax $300 certificate. Doesn’t work with this handset. Able to export cert from desktop, click on it and the cert installs, then everything works. Almost… Where is my direct push option that MS keeps telling everyone about? I even got this crappy phone because this is the only one that is supposed to be able to do it. NOT… I can’t believe I am going to have to touch every single mobile device prior to it working… I hate MSFT.

  71. Loren says:

    MS has done a poor job of communicating that the push functionality comes with a "Feature Pack" that will only be available from phone vendors. They could easily have made that obvious amidst all the trumpeting about push technology in WM5.

    Contact your phone service provider, but I’m not aware of any offering it yet: It’s vaporware.

  72. scyost says:

    I believe iMate is already shipping the MSFP upgrade.

  73. dankusel says:

    Hello – I am a first time poster begging for assistance.

    I have a Cingular 8125 running WM5.0.  I am using Activesync 4.1 (which came with the phone).

    My business uses Exchange – from which I can access via the web using OWA.

    My Activesync on my 8125 was working on and off about 4 days ago – and now does not work at all in synching with my server.  

    Every time my mail on my 8125 tries to synch with my server, I receive an error on ActiveSync that says, "Your account in Microsoft Exchange Server does not have permission to synchronize with your current settings.  Contact your Exchange Server administrator.  Support code:0x85010001"

    I have called Cingular, Microsoft, and my company internal IT department.  Cingular and MS basically said, "not our problem".  My company exchange server IT group is looking at it – but nothing has changed in 5 days.

    It appears to me that my issue is related to the one on this board.

    I am asking that someone who has seen this issue and knows how to resolve it – please let me know.  I can email you – or even call you for assistance.  Like many of you on this board – the reason I bought this phone was for the email Activesync – which is not working at all!  PLEASE PLEASE HELP!

    Thanks,

    Dan

  74. scyost says:

    That’s actually not a root cert issue at all. Check the activesync and exchange mobility newsgroups: http://groups.google.com/groups?q=0x85010001 – there is a lot of traffic about that error.

  75. Advanced issues you might run into when trying to add your own SSL certificates to the device for browsing…

  76. abartlett says:

    I have just been through the same issues and apparently resolved it. My device is the new T-Mobile MDA (a.k.a. HTC WIZA200) sync’ing to a SBS2003 server running Exchange 2003 SP2.

    I resolved the ActiveSync SSL problem by purchasing a cheap GoDaddy medium-security cert ($17.99/yr).  The trick was to install the ROOT certificate of the CA (in this case valicert.com), not the server’s cert, onto the WM5 device.  ActiveSync-SSL is working like a champ now.

    YMMV… good luck to all!

  77. Steve MDA says:

    For all users trying to sync T-Mobile’s new MDA WM5s: I just got someone from the PDA support group and they finally admitted that the device is not working with Exchange 2003 SP2. Period. No more questions. Not that I did not try before to get any information from this department, but most of the time they wouldn’t know what "exchange server" is. So the advice I got was to wait until they release a new software update for MDAs. Did anyone out there get any different info than this?

    Sad MDA user 🙁

  78. Sam says:

    For anyone digging with as much frustration as I had been looking for this solution, I can report the following:

    For one of my users with an O2 XDA Atom WM5 handheld, I was able to add a root CA certificate for my LAN’s MS Cert Server (as well as the certificate for my public Exchange 2003 Server) by:

    1. using Active Sync Explorer to copy the DER encoded certs to the device

    2. using Resco Explorer 2005’s registry editor to edit the specified keys (regeditstg did not appear to be trusted by the device)

    3. soft-booting the device and then clicking on the certificate files to install them

    4. restoring the registry values to their former values and soft-booting.

    I’m happy to say it’s working perfectly.

    I hope the marketeers at MS realise that by  denying users their right to decide whom to trust, they are behaving quite unethically. Perhaps if enough people remind them of this – and I include the MS developers who are seemingly at their mercy – they will concede a simple checkbox in any SSL-capable WM5 application to allow users to make this choice for themselves and avoid the anger and frustration that these tactics inspire.

  79. scyost says:

    You actually shouldn’t even need to reboot between those steps.

  80. huddie says:

    Can someone clarify this for me? Is it currently impossible to do Exchange ActiveSync on WM5 using a self-certification certificate? We have the same problem, i.e., our certificate works for OWA, but not for Exchange ActiveSync.

  81. Dave Jones says:

    OK read the blog to the end and like Huddie I have to ask has this been cleared up. The UK Phone vendors have just started releasing the updated ROM paks for the phones so expect a lot more questions.

    I have my own self cert from my Exchange 2003 SP2 server and I have installed the certificate onto my Wiz200 device and it appears in the list. Should it now work? If not, what else must I do? Do I really have to purchase a certificate?

  82. John says:

    Sam

    Is the only registry entry you edited this one:-

    "HKLM\Security\Policies\Policies\0001017

    from 128 to 144"

    Also have an xda Atom and have installed a self-certified certificate, but cannot get it to work. Also, I heard that the current ROM versions in the xda Atoms don’t have the WM5 MSFP yet for "push" email. Is this correct?

  83. Dave Jones says:

    OK I have now got hold of a 30 day SSL certificate from RapidSSL (the others just wanted too much information to get it quickly).

    SSL certificate installed and works well with the OMA and OWA no more prompts. I have copied the CER file to the Mobile which has installed successfully and now appears in the list of certs.

    Yet I still get the same error message 80072f0d "The Security certificate on the server is invalid". I am really starting to get it in the neck now.

    I am running a Back and Front End server (not exactly sure how this affects things) and the phone is WM5 ROM 2.17 OS 5.1.195

  84. Be aware there is in fact a workaround to disable SSL certificate checking for Windows Mobile 5.0 devices. However, it requires a registry tweak, so you have to have management access to your device. Exchange MVP Ben Winzenz tells you how here: http://winzenz.blogspot.com/2006/03/hacking-your-windows-mobile-50.html

  85. Dave Jones says:

    Thanks Devin, I had already found this but for whatever reason was using 1 and not 0. I have now got past the certificate checking and am now stuck on a continuous password prompt.

  86. Exchange mobility resources (Kudos to Eileen Brown)

    Here’s a comprehensive list of Exchange/Mobility…

  87. Allen Lui says:

    THANKS, LOREN!!  Your solution worked for my setup here.  Exch 2003 w/ sp2, Treo 700W, Equifax SSL.

  88. Matt M says:

    I have the same problem as Dave Jones: got past the certificate checking and am now stuck on a continuous password prompt.

    Any ideas?

  89. Dave Jones says:

    Finally received my first bit of "Direct Push" email. If you had told me how much time and effort would be needed to get this working I would have given up a long time ago.

    I have done 2 things since my continuous password problem, although it was the latter that corrected the problem.

    I installed another virtual web for the Exchange folder to get over any issues with SSL. This did not seem to help but hell it was fun trying. What did help was getting another certificate, this time from GoDaddy. I have just installed my GoDaddy Turbo SSL certificate and am now the owner of a 2kb baby email delivered via GPRS.

  90. scyost says:

    Dave Jones: If you have installed your certificate and it shows up in the ROOT control panel, then you’ve passed every problem that this blog post covers. Try hitting your exchange server via the web browser on the device. If it can connect and doesn’t prompt that the SSL cert doesn’t match, there are no certificate problems.

  91. scyost says:

    Devin, Matt M, et al.:

    Let’s clarify. The reg key that Ben Winzenz describes does not require manager level access. If you have management access to the phone you can change any reg key or security policy and there is nothing stopping you from adding certificates or doing anything else you want.

    As for the repeating password thing – when I say that "certchk doesn’t work", this is what I mean. If it were as simple as changing that reg key, that would be in bold print at the top of this page and we wouldn’t have 90 comments. You’re welcome to play with that key and if you have a reproducible way to make it work please post it, but that’s not a solution that is expected to work on these devices.

  92. Ross says:

    After major cert issues we are trashing all Windows mobile devices & going Blackberry. Good work Microsoft.

  93. Dave Jones says:

    Scyost wrote "As for the repeating password thing – when I say that "certchk doesn’t work", this is what I mean."

    Thanks I had not made the connection between the Secure 0 setting and the next error in the food chain.

    <3 self certs and 2 root certs later>

    I guess after all said and done the problem comes down to a recognised certificate; it just took a long time to realise this. It would appear that there is money in old rope, or in this case SSL certification, after all.

  94. huddie says:

    Kinda corresponds to Loren’s posts, this, but I got it sorted for ourselves and thought I should post anyway.  As mentioned, ActiveSync was telling me the Exchange server was not trusted, even though I’d installed the certificate.  

    So here’s what I did.  On my desktop PC (from which I can access OWA), I removed all the certificates issued by our organisation using the Certificates console snap-in.  I then went onto http://<server path/certsrv> and downloaded and installed the CA certificate chain.  This worked, giving me access to OWA from my desktop without warning.  I then went back into the Certificates snap-in and located the two certificates which formed the chain.  I extracted both the certificate from the Trusted Root CAs store and the certificate from the Intermediate CAs store and transferred them to my device.  I then installed them on the device in the same order by double-clicking them in Explorer (i.e. using certinst.exe)  This created the requisite certificate chain on the device and I was able to enable SSL for Exchange ActiveSync and it worked.

  95. hegenderfer says:

    Ross, I’d like to learn more about this issue with certs.  Would you mind sharing with me offline?

  96. scyost says:

    Hi Huddie,

    I added a forward link to a page where I discuss the intermediate certs. If that’s not clear enough, please let me know what information would have been more useful and I can try to add it.

  97. Nick Gatt says:

    Until Microsoft remove the "feature" that lets operators lock the certificates like this I suggest people use the RoadSync software on a compatible Palm, Nokia, Sony Ericsson or Samsung device.

    These are much cheaper than a WM5 device and even with the cost of RoadSync added it is less!  Maybe if MS sell less WM5 devices they will act.

  98. John Susko says:

    Huddie,

    Can you explain how you accomplished Adding Root Certificates for Exchange ActiveSync in terms I can relay to my IT staff back at corporate. I must get ActiveSync enabled and I do not understand your post.

    Thanks…

    – jms

  99. scyost says:

    jms:

    There’s an appendix in the new MSFP deployment guide that describes this process. Check out the link I added in the main post today and see if it meets your needs.

  100. Chris Lawson says:

    Ok, so here’s my strange story. We have a Tmobile MDA with WM5 and E2k3 SP2 server.

    We replaced our first phone (suggestion: try that, it helped!). We replaced our self-signed cert with a $17 SSL cert from our registrar (Equifax Secure Global eBusiness CA-1)

    ActiveSync AND Push are both working with the "connect using SSL" option turned off in ActiveSync. But it only works intermittently and I’m about to be told to get rid of the MDA and get a Blackberry.

    Opening the OMA webmail site in PocketIE does not work and never has. I get the message about the cert not being trusted – and thanks to the posts here I believe I just need to install the CORRECT Equifax root cert to fix that.

    The strange part? Everything – and I mean everything from Push to ActiveSync to the OMA site – works perfectly 24/7/365 IF the phone is connected to the computer and a wired Internet site.

    It is ONLY when the MDA is wireless that ActiveSync fails with error code 0x80072eff. Once that happens it will never ever sync again until the phone is plugged back in and sync’d using the wires. It then works again for another totally random amount of time. For a busy travelling executive this is not an option.

    I can’t tell if this is a cert issue, a Tmobile connectivity issue, or a failure in ActiveSync to deal with connectivity issues. I seem to be so close!

    Any thoughts?

  101. Kotee says:

    Chris

    The same thing happens to me. I am using an O2 Atom and am frustrated because it is very strange when you can sync for a couple of days and then suddenly you get the certificate invalid error.

    I am now trying the various options listed in this post above; let me see if I have any luck.

  102. Windows Mobile 5.0 Security Model FAQ

  103. Jens J. says:

    Another user here who is _stuck_ because WM5 does not seem to support wildcard certs, although IE6 and Windows XP seem to have no problems with it?

    Why the disparity between the two?

    Another LOUD vote for wildcard cert support.

  104. scyost says:

    IE6 has it because Windows has it. We don’t have it because we’re not Windows and we don’t have a direct port of all their code and functionality. (we couldn’t and still fit in a 64 MB ROM)

    That said – I have been personally helping to fight for wildcard cert support, so the issue is definitely known. It just has to get weighed against all the other features that we want. Whenever it gets slated for a release that’s publicly announced, I promise you’ll hear about it here.

  105. tim says:

    Saying you "Feel our pain" is not the same (by a longshot) as solving it.  All the solutions presented so far are difficult, only work on some  versions of WM, or require ‘help’ from the phone operator.

    What a disaster.

  106. Dave Caddick says:

    I have just been reviewing this on behalf of a mate at work who is trying to get his Xda Mini up and running with a cert. I notice Chris and Kotee above are getting issues similar to a timeout issue AFTER getting the Cert to work?

    Please check my link above for reference as to how to sort this with the firewall – the EAS (Exchange ActiveSync) will try and use a sliding window technique to push the heartbeat out to as much as 30 minutes if it can. If your SSL/HTTPS timeout value is under 30 mins you will be timed out before the next heartbeat and it will fail – does this make sense? More at http://geekswithblogs.net/wallabyfan/archive/2006/04/06/74522.aspx

    Hope this helps?

  107. Cedric says:

    Hi,

    On a Qtek 9100 WM5 + MSFP we succeeded in installing our self-signed certificate. (E2K3+SP2)

    But we now have the following error code: 0x80072F17 (ERROR_INTERNET_SEC_CERT_ERRORS) Unable to end synchronisation. Try again later.

    On the same configuration with the same cert, WM2003 device synchronisations are successful.

    Did you ever meet this problem?

  108. Andy Picton says:

    Here was my situation –

    OMA on Exchange 2003 was working perfectly without SSL. At the request of management, I had to add "RPC over HTTP" functionality for connecting Outlook to Exchange over HTTP, and that requires you to use SSL.

    I tried using the MS CA tool to make my own cert, but RPC didn’t work, and it caused the OMA to stop working. I tried removing the cert and CA tool, but the damage was done… After 2 days of searching for answers, I noticed that several articles indicated that a 3rd party CA might work better than Microsoft. I signed up for a GoDaddy Turbo SSL cert and installed that on my server and the OMA device.

    Now I was getting a "server could not be reached" error…(at least that was a new one!)

    I realized that my watchguard firewall was using NAT to translate http requests from an external IP to an internal IP, so I set up a NAT forwarding rule the same way for https.

    I tried it again, and then it reached the server.

    Sadly, it now said that the cert on the server had a problem and to contact my administrator.

    Since that’s me, I read the godaddy cert installation directions (for the first time) and realized that I had failed to install the intermediate cert. So I removed the cert from the server and followed the directions this time.

    Now the OMA device is synching up fine, though I still have to work on the RPC over HTTP thing. At least I got past the OMA issue and there is something to be said for following directions.

  109. p25o1 says:

    "On a Qtek 9100 WM5 + MSFP we succeeded in installing our self-signed certificate. (E2K3+SP2)

    But we now have the following error code: 0x80072F17 (ERROR_INTERNET_SEC_CERT_ERRORS) Unable to end synchronisation. Try again later.

    On the same configuration with the same cert, WM2003 device synchronisations are successful.

    Did you ever meet this problem?"

    Same issue, and man did I try everything on this page… no luck… it would be nice to demo it to my management before getting a $$ cert.

  110. Nick Ferrar says:

    This is just crazy 🙁

    I have a QTek 9100 on trial from Vodafone UK but just can’t get EAS to work due to the certificate error.

    The certificate I’m using on the Exchange (well ISA2004) box is from VeriSign and I’ve even copied all the other available root CAs VeriSign have for download to the Qtek and it still fails.

    If I browse to https://<mobile url>/oma I get a prompt warning me the certificate is not from a trusted source but of course you only have yes or no and not install options.

    I feel sorry for the other people here having issues with self-signed and wildcard certs but I’d have hoped a VeriSign one would have worked! (it works fine through a normal Windows PC).

    I’m looking into Windows mobile phones with EAS as an alternative for our Blackberry devices but how the heck can it compete in it’s current state?

  111. Nick Ferrar says:

    I stand corrected! I just imported a few intermediate VeriSign CAs (into the root store on the device) and now it all works fine.

    There really does need to be a way of managing this centrally or something though if it’s ever going to replace Blackberry with corporates.

  112. Vance Shearer says:

    The certificate providers are using the mobile demand to screw us for $600 to $1000 for an out of the box cert. I am going through all the issues mentioned here as well as the issue of OMA being available for WAP browsers such as OpenWave.

    Blackberry–It just works..

  113. Peter says:

    Thank you all for the useful info in this thread!!

    I am now up synchronising my Qtek 8310 over the internet to SBS2003/Exchange. WORKING LIKE SWISS CLOCKWORK!

    The things I had to do were changing registry policy 00001017 as described above (requires a registry editor).

    + Changing security settings in IIS:

    Find "Microsoft-Server-ActiveSync" in IIS.

    Right click on settings. Go to the tab Security and click on edit "IP Address and domain name restrictions". There you can configure who shall be able to sync from outside.

    I am so happy!

  114. k54me87 says:

    After attempting to get a few 700w’s to work with our Exchange 2003 SP2 server, I was in the same boat as a lot of people here. I kept getting the "unknown publisher…blah..blah" message even after I attempted to install our company’s root CA on the device (we issue our own certs). About 2 weeks ago I installed the MSFP for the Treos, then re-installed our company root CA cert and voila… Exchange push began working. It’s been about 2 weeks since I installed the MSFP and there have been no issues from these devices at all. I sure wish Verizon would have shipped this with the phone or at least mentioned that the "push" aspect would not work without it.

    For those of you with 700w’s crashing…sounds like you’ve either done something to your phone or simply got a lemon as we have a number of them and do not have that issue.

  115. dean says:

    Can anyone please help me… I have been getting the error code 80072F17 when attempting to ActiveSync via SSL and digital certificate. I have an i-mate SP5 (WM 5.0) trying to ActiveSync via Bigpond GPRS using a self-signed certificate.

    The server it is connecting to is Windows SBS 2003+SP1 with Exchange+SP2. For example: the public name is mail.domain.com.au. The site’s common name that has been created on the certificate is mail.domain.com.au. My local server name is actually server.domain.local. This certificate has been installed locally on the phone and I can see it listed on the phone, in the Trusted Root certificate store. The certificate is also installed under the Intermediate Certification Authority, Trusted Root Certification Authority, and personal certificate stores on the SBS server. I have added the certificate via Internet Explorer and mmc\certificates\local computer. OMA works OK on the phone via Internet Explorer without getting prompted to install a certificate; I only get prompted for a username and password. I don’t understand why I am still getting the error "unsupported digital certificate is installed". How do I create a self-signed certificate that is not a wildcard certificate?

  116. Denty says:

    This whole issue is completely ridiculous. I had spent most of 2005 trying to convince my colleagues and more importantly my bosses that we should adopt the Microsoft offering and move away from Blackberry; the way it is going I am picturing me eating a gigantic slice of humble pie!!

    I have a smartphone (v1240) on trial from Vodafone at the moment and I have managed to install our company root certificate on there with no problems. However I am getting problems syncing over-the-air like most people. I am waiting for a Vodafone QTEK9100 to arrive soon which has WM5.0 for Pocket PC installed am I right in thinking that I should be able to get that working as it isn’t bound by the security features open to mobile operators that the smartphone version of WM5.0 is???

  117. Mike says:

    I have the same issue. wildcard cert: server name is webmail01.domain.com cert is *.domain.com. No go. i don’t mind buying a specific server named cert, but i don’t think this will work either as we are using network load balancing so the names are all screwed up.

                              _____ mail01.domain.com
                             |
    mail.domain.com –> NLB
                             |_____ mail02.domain.com

    If I get a cert that says mail.domain.com – the server name is different. If I get a cert that says mail01.domain.com, the DNS name is incorrect. ARGH!
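    The naming question above, worked through as an added example (my code, not anything from the post or from Microsoft). It puts the rule the thread reports for Windows Mobile 5 EAS (the name on the certificate must equal the host the device connects to; no wildcard support, as scyost confirms above) beside the usual desktop wildcard rule, so you can see before buying a certificate which name it has to carry. The NLB layout, the hostnames and the assumption that the device compares only the CN (and any subjectAltName DNS entries the client honours) are mine.

```python
"""Hostname matching for the name on a server certificate: WM5-style exact
match beside desktop-style wildcard match (added example, not from the post)."""


def _labels(name: str) -> list:
    """Normalise a DNS name: lower-case, drop a trailing dot, split on '.'."""
    return name.strip().lower().rstrip(".").split(".")


def exact_match(cert_name: str, hostname: str) -> bool:
    """WM5-style rule reported in the thread: the name in the certificate must
    equal the host the device is configured to connect to, label for label."""
    return _labels(cert_name) == _labels(hostname)


def wildcard_match(cert_name: str, hostname: str) -> bool:
    """Desktop-style rule: a single '*' as the whole left-most label matches
    exactly one label. '*.domain.com' matches 'mail.domain.com' but not
    'domain.com' or 'a.b.domain.com'; 'm*.domain.com' and '*.com' are rejected."""
    c, h = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return c == h
    if c[0] != "*" or any("*" in lbl for lbl in c[1:]) or len(c) < 3:
        return False  # partial-label, nested, or top-level wildcards
    return len(c) == len(h) and c[1:] == h[1:]


def check_eas_name(cert_names, hostname: str, wm5: bool = True) -> bool:
    """True if any name the certificate carries satisfies the chosen rule.
    `cert_names` is the CN plus any DNS names in subjectAltName (assumption:
    whichever of those the client actually compares)."""
    match = exact_match if wm5 else wildcard_match
    return any(match(n, hostname) for n in cert_names)


if __name__ == "__main__":
    # Constructed scenario mirroring the NLB layout above: clients resolve
    # mail.domain.com, which fronts mail01 and mail02. The device only ever
    # sees mail.domain.com, so that is the name the certificate must carry;
    # the node names behind the load balancer never reach the client.
    public = "mail.domain.com"
    for names in (["*.domain.com"], ["mail01.domain.com"], [public]):
        print(names, "WM5:", check_eas_name(names, public),
              "desktop:", check_eas_name(names, public, wm5=False))
```

    The takeaway for the load-balanced case: buy the certificate for the name the devices are configured with (mail.domain.com) and install the same certificate on every node; what the nodes call themselves internally does not enter into the check.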

                           

  118. Kabir says:

    Hi Everyone –

    I’m seeing issues on here dating back to quite a while ago, so I wanted to put up a fresh post and see if there is any recommended solution to this issue for WM 5.0 (it’s clear there is one for previous versions).

    I just bought a T-Mobile SDA and am trying to get it to sync with my company’s exchange server.  The challenge is that our certificate is not from a trusted source.

    Q: Has anyone found a good way to turn off the check for WM 5.0? I realize the certchk tool will no longer work – will the registry change do the trick?

    Thanks!

  119. DavidL says:

    I purchased my Palm 700w in Feb and have had no problems until I did the upgrade and my company changed their certificate on the exchange server.  Now I get The Security certificate on the server is Invalid, support code 0x80072F0D.   It appears that MS wants me to convince my company to buy a certificate from one of their approved vendors.  Palm and Verizon Wireless don’t seem to know how to resolve this issue.  Does anyone know what I can do.

  120. Loren says:

    Here we go again with the Motorola Q: EnableRAPI won’t run, the registry is locked down, it won’t install root certs, the SpAddCert util doesn’t work. I’m bashing my way through trying to create a cpf with an embedded XML doc now, but come on MS and Verizon, there is simply NO REASON this has to be this effing difficult. What should take 30 seconds I’ve now spent hours on.

  121. Toby says:

    Hi all,

    Only just bumping my head against this EX2003/WM5 certificate problem – seems you lot have a bit of a head start on me.

    From what I can gather I have to purchase a certificate from an external source and there’s no way to use my own.  I’ve tried this and I just keep getting errors saying the cert is invalid.

    Do the cheap $18 certs from GoDaddy definitely work then?  What procedure do I have to follow to get this going?  Do I have to manually place the cert on the device myself?  One post said that it was a case of putting the ROOT cert on the device rather than the server cert, but I get a bit lost at this point.

    If you lot can assure me that a GoDaddy cert will work then I’ll go for it but I don’t want to waste $18 only to find it still won’t work.

    TIA

  122. scyost says:

    Hi Toby,

    The answer is really "It depends on the device."

    Have you tried the cab file method linked above? It works for all Pocket PC devices and some smartphones. We put the GoDaddy cert in rom for AKU2, so you may or may not have that one. You can check the ROOT store in the control panel on the device to be sure.

    Scott
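    For readers going the CAB route Scott mentions, here is an added example (my code, not the post’s, not Microsoft’s, and not the linked CAB page) that builds the provisioning document a root-cert CAB carries: it splits a CA’s PEM chain file into DER certificates (the root and, as huddie describes above, any intermediates), computes each one’s SHA-1 thumbprint, and emits the CertificateStore XML that installs them. The characteristic layout (CertificateStore / store name / thumbprint / EncodedCertificate parm) is reproduced from memory of the Windows Mobile configuration service provider documentation; check it against the MSFP deployment guide before packaging. The certificates below are constructed placeholders, not real certificates.

```python
"""Build the _setup.xml provisioning document that installs CA certificates
into a Windows Mobile certificate store (added example, not from the post).
Assumption: the CertificateStore CSP layout below; verify against the
deployment guide. Sample certificates are constructed placeholders."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-column base64); used here only to
    build the constructed sample chain."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def split_pem_chain(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM file, in file
    order. A CA's chain download (root plus intermediates, in either order)
    is handled the same way; each block becomes one store entry."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(text)]
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    return ders


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER encoding as upper-case hex without separators: the
    value the desktop Certificates snap-in shows as 'Thumbprint' and, by the
    assumed CSP layout, the per-certificate node name."""
    return hashlib.sha1(der).hexdigest().upper()


def build_setup_xml(ders, store: str = "ROOT") -> str:
    """Emit the wap-provisioningdoc that installs each certificate into
    `store`. The thread's reports put the root and the intermediates into
    ROOT; pass store="CA" if the device honours a separate intermediate store."""
    doc = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(doc, "characteristic", type="CertificateStore")
    st = ET.SubElement(cs, "characteristic", type=store)
    for der in ders:
        node = ET.SubElement(st, "characteristic", type=thumbprint(der))
        ET.SubElement(node, "parm", name="EncodedCertificate",
                      value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


# Constructed placeholders: arbitrary bytes standing in for the DER of a root
# and an intermediate CA certificate. Substitute the real .cer contents.
SAMPLE_ROOT_DER = b"CONSTRUCTED PLACEHOLDER: root CA DER bytes, not a certificate"
SAMPLE_INTERMEDIATE_DER = b"CONSTRUCTED PLACEHOLDER: intermediate CA DER bytes"
SAMPLE_CHAIN_PEM = der_to_pem(SAMPLE_ROOT_DER) + der_to_pem(SAMPLE_INTERMEDIATE_DER)


if __name__ == "__main__":
    chain = split_pem_chain(SAMPLE_CHAIN_PEM)
    for der in chain:
        print("installing", thumbprint(der))
    # Save the output as _setup.xml, package it into a CAB, run the CAB on the
    # device, then confirm the same thumbprints appear in the ROOT list of the
    # device's Certificates control panel before re-trying ActiveSync.
    print(build_setup_xml(chain))
```

    Comparing the thumbprints printed here with the Thumbprint field of the root the server’s chain actually terminates in (open the OWA site on a desktop, view the certificate, walk to the top of the path) is the quickest way to catch the mistake several posters above made: installing the server’s own certificate, or a different root of the same CA, instead of the one the issued certificate chains to.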

  123. Sameer Bhaloo says:

    I am having a problem with my Canada Telus phone. My provider is Telus. I have a Moto Q and I am trying to install a cert for Exchange.

    I have tried the tools for Verizon and Sprint and I get a lock message: "phone is locked".

    I do not have write permission to the registry; I can view it. I cannot rename system files or delete system files.

    The service provider is not aware of this problem, or lying.

    Is there a way to break down security on Windows Mobile 5?

    Please respond.

  124. Chrischmi says:

    Some people said, that client certificates do not work with EAS on WM 2003. Here is the answer:

    http://support.microsoft.com/kb/893707/en-us

    I confirmed this today by Microsoft Support. You have to use a WM5 device AND to install the feature pack! Then it works…

  125. scyost says:

    Right. Client auth isn’t implemented for sync until MSFP.

  126. Karl says:

    Has anyone found a definitive resolution for the root cert issues yet? I have the root cert on the device and am still unable to connect. How can I suggest WM5 as an alternative to Blackberries if they are unable to sync to Exchange over SSL?

  127. mickregan says:

    this is driving me bonkers!!!

    Processes of Eliminationses:

    · Pre Security Sync =

    o Fine

    · Post Security Sync =

    o Fine

    · Power Cycle 1 =

    o Please correct your Exchange Server Password. Synced Fine.

    · Power Cycle 2 =

    o Attention Required. Result: The Exchange Server requires certificates to log on. Connect your device to your PC on the corporate network to obtain a certificate. Support code: 0x85030027. Personal Cert is Gooooone.

    · Deleted Relationships, Re-applied Personal Certificate.

    o Please correct your Exchange Server Password. Synced Fine.

    · Power Cycle 3 =

    o Attention Required. Result: The Exchange Server requires certificates to log on. Connect your device to your PC on the corporate network to obtain a certificate. Support code: 0x85030027. Personal Cert is Gooooone.

    · Deleted Relationships, Applied Separated Personal Certificate in Root format without actual Personal Cert.

    o Attention Required. Result: The Exchange Server requires certificates to log on. Connect your device to your PC on the corporate network to obtain a certificate. Support code: 0x85030027.

    · Deleted Relationships, Applied Separated Personal Certificate in Root format as well as Personal Cert.

    o Please correct your Exchange Server Password. Synced Fine.

    · Power Cycle 4 =

    o Attention Required. Result: The Exchange Server requires certificates to log on. Connect your device to your PC on the corporate network to obtain a certificate. Support code: 0x85030027. Personal Cert is Gooooone.

    Okay so the Personal Cert is getting fragged.

    Why? I’ve been tearing my hair out…

  128. Keith Russo says:

    I hope this helps others. I have SBS 2003 SP1 with Exchange SP2 and a T-Mobile SDA phone (build 14406.1.1.1).

    Following the CAB method at the top, I was able to get it to work.

  129. DChen says:

    I added the self-signed certificate to Motorola Q with pfximport tool. Now I receive "ActiveSync encountered a problem on the server" Support Code: 85010014". I think I am going to try importing via the CAB way. Hopefully that will work.

  130. Edwardo says:

    Did I miss something?  Has anyone figured out how to fix the continuous password prompt issue?  Setup is Verizon / Motorola Q…

  131. BAustin says:

    This is getting pretty old.  I’ve tried every possible solution I can find on the ‘net for SSL certs.  I purchased a cert from Thawte.  No issues with OWA.  On the PPC, however, it’s always any number of errors, most of which have been identified above.  Turning OFF security works fine but I hardly want to leave THAT running.

    Are we ever going to see a definitive answer/fix for this?  If it doesn’t work, SAY SO.  It is causing great numbers of us to seriously look at tossing these things and moving to Blackberries.  At least they WORK.

  132. scyost says:

    If you’re on a Pocket PC and the cert is not a wildcard cert, then you can definitely add the certificate using the CAB method linked, and that is the end of the troubles for this particular problem.

    As for "ever", I can’t comment on things in future releases until the release is announced. As soon as that’s possible I’ll be on here with the news.

  133. digi says:

    I have a motorola Q and have installed the cert on both the server and the Q. I get support code 0x80072F0D. OMA and /exchange work perfectly but activesync gives me this error no matter what. Any thoughts?

  134. scyost says:

    Try installing the certs with this tool: http://blogs.msdn.com/windowsmobile/archive/2006/08/11/sslchainsaver.aspx

    That should eliminate any possible problems with installing the cert correctly.

  135. Ian says:

    I heard from some colleagues that set this up successfully (after much hardship) that they used a verisign cert and my prob was an unsigned cert.  I have previously installed w2k3 server certs on the device by simply copying them across to the device and then clicking on them in file explorer and it automatically installs the cert.  Now that I’ve finally got the ssl cert from verisign it works fine when connecting to owa but when I try to install it on the device it says "Error – Cannot access certificate"   Aarrgggghhhh!!!!

  136. Lee says:

    I have been working on our WM5 and SSL for a number of weeks on and off, reading many comments from users with the same issues. I have now resolved the issue and it is working.

    For those with the same problem I am posting this information that it may save you some time and stress.

    We are using internal CA on W2K3 server and have O2 XDA Exec and mini WM5 devices. I confirmed that the devices are not locked by the supplier and I can install a root Cert without any supplier software.

    This was my procedure:

    Get a copy of p12imprt free on www. Install it on the WM5

    Get a copy of the cert from the exchange.

    In IIS, go to the default web site

    Click on “Directory Security” TAB

    In the Secure Communication section click “View Certificate”

    Click the Details TAB

    Click Copy to File. Next

    Select “Yes, export the private key”. Next

    Check “Include all certificates in the certification path if possible”. Next

    Enter the password (You will need this password to install the certificate). Next

    Choose where to store the cert and name. Next

    Finish

    Click “Copy to File” again

    Next

    This time select “No, do not export the private key”. Next

    Check “DER encoded binary X.509 (.CER)”. Next

    Choose filename and location (call it a different name than the previous process so that it is easier to identify). Next

    Finish

    Copy the certificates to a machine that will sync with the WM5 device.

    Use the ActiveSync “Explorer” to move the certificates to the device.

    On the device, browse to the DER format file first and click it, this will prompt to confirm you want to install the certificate. Click Yes.

    Run the p12imprt utility on the device.

    Browse to the location of the PFX Certificate and select it.

    Enter the Password and click "import certificate".

    With the WM5 device connected to the machine with a sync cable, synchronise the device. It should look for changes and update the device.

    Now disconnect the WM5 device and it should be ok.

    Issues to watch out for.

    The certificate needs to be trusted. Just because it is in the trusted root on the WM5 it does not mean that it is working. If there is a problem with the certificate it will not sync and you will get an error code like 80072F17; in this case it points to a problem with the certificate but does not tell you what the problem is exactly. If you connect it to the machine with the Sync Cable the error messages are a little clearer.

  137. Chris says:

    VZW_SpAddCert.exe is what solves the problem for all VZW phones, including the Q, get it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=5D7E27EE-4654-480C-876D-442AED8F47AE&displaylang=en

  138. Chris says:

    oops, forgot instructions!

    put the VZW_SpAddCert.exe file in the root of the device’s file system.  then create a directory called "storage" and put your .cer file in there.  However, make sure that the .cer is a root authority certificate and that it is in the DER encoded binary format.  have fun!

  139. J says:

    Even after successfully installing an SSL certificate, I continued to get the username/password prompt when syncing my T-Mobile MDA. What finally fixed the issue was adding basic authentication to the /microsoft-server-activesync/ directory on the Exchange server.

  140. Suneet says:

    I have been having this issue with the T-Mobile SDA as well and do not want to give in. Could the person in the previous post provide all the details? Thanks

  141. Gabriel says:

    I have a 2125… finally got the certificates installed, but still getting invalid certificate error.  Any help?  root and personal certificates are installed (equifax).

  142. Ryan says:

    I have a Sprint 6700 Running WM 5.0.  Exchange is at SP2.  I used the pfximport tool, copied my root certificate from my CA and have everything working fine.  I’m able to both send and read encrypted email.  The problem I seem to be having is that if I lose sync, power the device off or break the connection in some other way, my personal certificate gets removed from the certificate store.  Any Ideas?

  143. George says:

    Having major issues getting my WM5 iPAQ rw6828 to do an over the air ActiveSync with my Exchange Server 2003 SP2. I have a Godaddy cert specifically for the front-end exchange http://www.domainname.com. The iPAQ can connect to the https://www.domainname.com/exchange without any worries using IE, but I still get the 0x85010014 error support code when I try to do an activesync. This error code is extremely non-specific!!! Can someone lead me in the right direction? – Please!

  144. Hugh says:

    George, I’m having the same problem on an iPAQ 6945.  Were you able to fix your problem?

  145. Ric says:

    all the instructions I’ve seen about installing a root cert on the Q deal with .cer files…but exchange only gives the option to export to .pfx format.  ARRGH!!!  How the heck do you convert the cert into the .cer format???

  146. jimf says:

    Hello,

    I’ve tried many things but i still get the "please correct your exchange server password" prompt.

    i’ve reset my pass.  got a legit SSL from verisign, removed compression or something – not really sure.

    any other suggestions.  i’m 99

  147. scyost says:

    It’s common to get that prompt if you’ve used the certchk tool or a registry editor to set the old "DisableCertChk" key. That key won’t work on a WM5 device and it’s likely you’ll get the neverending password prompt if you set it. Does that match your case?

  148. mike says:

    Well there is a ton of info on this site about the problem I’m having but no clean answer. sbs 2003 latest sp, exchange server with latest service pack. cingular 8125.  Personal signed root cert, not purchased.  Cert is on the 8125 in the root certs. Can access oma, and even exchange remote and do not get any cert errors.

    When I try to sync all I get is a reenter password prompt.  Is this a problem with a personal signed cert?  I’m lost.  I do not want to disable ssl though disabling it allows syncing.

  149. Al says:

    I am getting the same thing 0x0072F06 code incorrect SSL.  Tried adding cert (self made) from our IT and this is the result. W/O the cert I get the 0x80072F17 error (attributed to not having a cert).  If I uncheck SSL on the device (and reenter password) then I get a long long wait for error 0x85010001.

    Tried to export cert as binary as some sites suggest and as such it is invalid on my WM5 8125 PDA/Phone.

    No wonder there are not a lot of these out there. THEY DON’T WORK

  150. revpig says:

    OK. I’ve had it. MS are playing God here. We use wildcard ssl and I heartily resent MS essentially dictating to me how I configure my security. We’ve invested thousands on WM5 devices that are just not fit for purpose.

    Like an earlier poster, we are now going to Blackberry. Absolutely pathetic.

  151. RMW says:

    We only use self signed certificates and do not have any issues at all with installing them on our HP hw6965 phones, so I can not see how it is an MS issue. I would be talking to your phone manufacturer.

  152. Mike says:

    Ok – I’ve got a cingular 8125.  I’ve done the regedit and changed 1001 & 1005 to the proper values.  I copy my cert over – when I attempt to install it I still get ‘Cannot access certificate’.  I thought my device was unlocked and I could now install.  What’s gone wrong?  Any pointers for the 8125 would be appreciated.

  153. Weston says:

    If you are getting the "cannot access certificate" error, then the .cer file is either in the wrong format or has been corrupted. Make sure your certificate is in "DER" format or else you’ll get this error.

    Hope this helps!

    -Weston
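    A quick way to check the point Lee’s export steps and Weston’s note turn on: a .cer that the device will accept from File Explorer must be a DER-encoded X.509 certificate, not a Base64/PEM file and not the .pfx that the private-key export produces. This is an added example, not code from the blog or from any Microsoft tool; the sample blobs are constructed, structurally valid shells, and the check is structural only (it does not validate signatures or the chain).

```python
"""Classify a certificate file the way a WM5 device's File Explorer would care
about: DER X.509 (accepted), PEM/Base64 (rejected), PKCS#12 .pfx (rejected)."""
import base64
import re
from typing import List

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(data: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad DER length")   # indefinite length is not DER
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("DER length exceeds data")
    return tag, pos, pos + length


def classify_cert_file(data: bytes) -> str:
    """Return 'der-x509', 'pem', 'pkcs12' or 'unknown' for the file contents."""
    if PEM_RE.search(data):
        return "pem"
    try:
        tag, start, end = _read_tlv(data, 0)
        child_tag, _, child_end = _read_tlv(data, start)
    except ValueError:
        return "unknown"
    if tag != 0x30 or end != len(data):   # outer element must be one SEQUENCE
        return "unknown"
    if child_tag == 0x02:
        # PFX ::= SEQUENCE { version INTEGER, authSafe, macData } -> a .pfx, not a .cer
        return "pkcs12"
    if child_tag == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
        #                            signatureAlgorithm SEQUENCE,
        #                            signatureValue BIT STRING }
        try:
            t2, _, e2 = _read_tlv(data, child_end)
            t3, _, e3 = _read_tlv(data, e2)
        except ValueError:
            return "unknown"
        if t2 == 0x30 and t3 == 0x03 and e3 == end:
            return "der-x509"
    return "unknown"


def pem_chain_to_der(data: bytes) -> List[bytes]:
    """Split a PEM file (leaf + intermediates + root) into one DER blob per
    certificate, so each can be saved as its own .cer and installed separately."""
    out = []
    for m in PEM_RE.finditer(data):
        der = base64.b64decode(b"".join(m.group(1).split()))
        if classify_cert_file(der) != "der-x509":
            raise ValueError("PEM block is not an X.509 certificate")
        out.append(der)
    return out


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER tag-length-value (helper for the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed samples: structurally valid shells, cryptographically meaningless.
SAMPLE_TBS = _tlv(0x30, _tlv(0x02, b"\x01"))                     # serial 1 only
SAMPLE_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA OID
SAMPLE_SIG = _tlv(0x03, b"\x00" + b"\xAB" * 16)
SAMPLE_DER_CERT = _tlv(0x30, SAMPLE_TBS + SAMPLE_ALG + SAMPLE_SIG)
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_DER_CERT)
                   + b"-----END CERTIFICATE-----\n")
SAMPLE_PFX = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b""))  # PKCS#12 version 3 shell

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER_CERT), ("pem", SAMPLE_PEM_CERT), ("pfx", SAMPLE_PFX)]:
        print(name, "->", classify_cert_file(blob))
```

    Run it over the file you copied to the device: anything other than der-x509 explains a "Cannot access certificate" result before you start suspecting the device lock state.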

  154. Terry says:

    I have the Cingular 8525 phone.  I tried using the SslChainSaver to create two new certificates, the root.cer and the leaf.cer which I then copied to the Windows Mobile 5.   Now when I run the Exchange Active Sync, I no longer get the certificate error.  However, the login to the Exchange Server 2003 SP 2 never gets past the password prompt.  To the best of my knowledge I have entered the password correctly.

    Does anyone have any suggestions at this point?  

    Thanks.

  155. kevin says:

    I have an HP hx2495b PDA, and we have a self-signed cert on our ISA server.  

    Ok – so how do I get OMA to work?  I understand I have to have a trusted cert, but after reading these messages, from whom do I purchase one?  It seems that even a trusted cert may not necessarily allow this to work correctly.

    Please help!

  156. Damo says:

    Thanks Lee for your instructions below, they stopped me from really losing it!

    I have been working on our WM5 and SSL for a number of weeks on and off, reading many comments from users with the same issues. I have now resolved the issue and it is working.

    For those with the same problem I am posting this information that it may save you some time and stress.

    We are using internal CA on W2K3 server and have O2 XDA Exec and mini WM5 devices. I confirmed that the devices are not locked by the supplier and I can install a root Cert without any supplier software.

    This was my procedure:

    Get a copy of p12imprt free on www. Install it on the WM5

    Get a copy of the cert from the exchange.

    In IIS, go to the default web site

    Click on “Directory Security” TAB

    In the Secure Communication section click “View Certificate”

    Click the Details TAB

    Click Copy to File. Next

    Select “Yes, export the private key”. Next

    Check “Include all certificates in the certification path if possible”. Next

    Enter the password (You will need this password to install the certificate). Next

    Choose where to store the cert and name. Next

    Finish

    Click “Copy to File” again

    Next

    This time select “No, do not export the private key”. Next

    Check “DER encoded binary X.509 (.CER)”. Next

    Choose filename and location (call it a different name than the previous process so that it is easier to identify). Next

    Finish

    Copy the certificates to a machine that will sync with the WM5 device.

    Use the ActiveSync “Explorer” to move the certificates to the device.

    On the device, browse to the DER format file first and click it, this will prompt to confirm you want to install the certificate. Click Yes.

    Run the p12imprt utility on the device.

    Browse to the location of the PFX Certificate and select it.

    Enter the Password and click "import certificate".

    With the WM5 device connected to the machine with a sync cable, synchronise the device. It should look for changes and update the device.

    Now disconnect the WM5 device and it should be ok.

    Issues to watch out for.

    The certificate needs to be trusted. Just because it is in the trusted root on the WM5 it does not mean that it is working. If there is a problem with the certificate it will not sync and you will get an error code like 80072F17; in this case it points to a problem with the certificate but does not tell you what the problem is exactly. If you connect it to the machine with the Sync Cable the error messages are a little clearer.

  157. Oleg says:

    did someone fix the problem with disappearing personal certificate?

    my cycle: creating connection through AS to Exchange. getting the message on PDA – install certificate – press ok – working fine until I reboot the PDA. in Certification, there is nothing on Personal tab …

    any ideas?

  158. Drew Heath says:

    On the Treo700w, all I needed was the certificate file.  I was required to export the certificate file from the mail server to get a compatible format, .cer.  Once the file was transferred to the phone, I opened it with the file explorer.  The new certificate was imported, and mail flow resumed.  I hope this helps, the one piece that I was missing was how to get the .cer file as my provider, Network Solutions, did not provide that format.

  159. Matthew Frahm says:

    Damo, thank you!!

    I was just about ready to pull the rest of my hair out on a new Verizon Treo 700W here.  

    Anyone have ideas on why Verizon’s utility doesn’t seem to actually add the certificates in a working manner?

  160. Damo,

    I followed the procedure to the letter, got the certificates installed to the Personal Store on my WM5, but when I try to send email I get msg cannot encrypt

  161. gbackley says:

    I’ve got all of you beat. I purchased a cert from Network Solutions. Installed the certs on our exchange server 2003 sp2. Exported it into the .cer format. Installed it on a Moto Q and a XV6700 from Verizon. Works seamlessly, no bugs, no flaws. Onto the next poor soul (same exchange server). Comes to me with a Verizon Treo 700W, install the cert and get the invalid server certificate error message. Spend 4 hours on the phone with Verizon levels one, two and three. Until I finally get a tech who knows what he is doing and he sends me a web link that shows exactly what certs will work with the Treo 700. Too bad I lost that link. Must find it again and forward it on. Onto the next victim (again the same server), who is with T-Mobile. Their retail cluck (I mean clerk) tells him the Dash will have no problems. Again same error "invalid server certificate". Go round and round, hour after hour. Finally end up with the Dash manufacturers help desk in South Africa. At which point they finally tell me it will not work with Exchange. So he returns the phone and another T-Mobile cluck tells him the MDA will work, guaranteed. Hours and hours, tech after tech. Still no Exchange push. T-Mobiles third level sends me Microsoft web links which lead to nowhere. Blaming it all on Microsoft. The XV6700 (made by HTC) is the same phone as the MDA. At this point, the problem has to point to the software installed by the manufacturers for the carriers. Although the carriers would never admit to this. I am resolved to get all the agents in my office to have Exchange sync push out their emails, come hell or high water.

  162. Matt Stanzel says:

    Ladies and Gentlemen, Microsoft may have actually helped everyone who has been dealing with this problem:

    Microsoft Exchange Server ActiveSync Certificate-Based Authentication Tool

    http://www.microsoft.com/downloads/details.aspx?familyid=82510e18-7965-4883-a8c3-f73f1f4733ac&mg_id=10095&displaylang=en

    Overview

    The Microsoft Exchange Server ActiveSync Certificate-Based authentication tool provides several utilities to assist an Exchange administrator in configuring and validating client certificate authentication for Exchange Server ActiveSync. These utilities include:

    · A tool to assist the administrator in configuring certificate enrollment for mobile devices connecting to Exchange Server 2003 Service Pack 2. Specifically, the tool will help the administrator populate the Active Directory with the following information to be used by the mobile device when enrolling for a certificate:

    o Certification authority (CA) server name

    o Certificate template that will be used

    o Other settings, such as custom Web enrollment URLs

    Because the tool writes information to the Active Directory, it must be run by someone with domain administrator privileges.

    · Additional tools to validate that a mobile device can successfully retrieve the above configuration information from the Active Directory.

    · Documentation outlining the server configuration steps necessary to enable & require certificate-based authentication for Exchange Server ActiveSync.

  163. Brian C says:

    For those who are having a problem installing an SSL certificate on a T-Mobile Dash with WM5, make sure you export the certificate as a DER format file with a .cer extension as explained above, then copy to your phone and "run" it from "File Explorer".  You don’t need to create a .CAB file as explained on some other WM5 postings.  This worked great with the new GoDaddy root certificate that they started using in early 2007 or late 2006 instead of the Valicert root they used to use.

  164. Eric A. says:

    I’m working on a Dash now and am getting the "security certificate on the server is invalid" support code: 0x80072F0d after importing the DER .cer from my Exchange box using the posting above.  The .cer in this case is a private cert from my internal MS cert server.  I also used the p12imprt program even though the author says it’s not needed for a root certificate (for just SSL access) for the heck of it.  

    Will purchasing a public/"trusted" cert from Thawte solve this error for the Dash?  

  165. Eric says:

    I purchased a GoDaddy Turbo SSL Cert as recommended by Brian C. and it works!  No need to install .cer into my T-Mobile Dash, just installed server cert and intermediary cert on Exchange front end server and voila.  Thanks to this blog for the help!  

  166. Steve Levin says:

    I have an interesting problem.

    I have a server that has a GoDaddy cert on it…everything is fine.  I installed a new cert from GoDaddy (old one was expiring) and now I get this error.  Flipping back to the older (not yet expired) cert and everything is fine…but the 10 year renewal cert tanks.

  167. Cor says:

    Managed to get the Microsoft Exchange server connection to work on a Verizon Motorola Q using the following steps

    1) Connect the motorola Q to your PC

    2) Download the VZW_SpAddCert.exe from the Microsoft site

    3) http://www.microsoft.com/downloads/details.aspx?FamilyId=5D7E27EE-4654-480C-876D-442AED8F47AE&displaylang=en

    4) Connect the Motorola Q to your PC

    5) Wait for the ActiveSync connection to be established

    6) Start explorer and select “Mobile Device”

    7) Copy VZW_SpAddCert.exe to the folder \Windows\Start Menu\Accessories

    8) Create Storage  folder on the Q

    9) Copy the *.CER file to the folder Storage

    10) Click on Start on the Q

    11) Scroll down to the bottom and click on accessories

    12) Click on the VZW_SpAddCert Icon

    13) The Certificate details should now be visible on  the screen

    14) Follow the instructions on the screen to confirm the installation

    15) Restart the Q

  168. Tim B. says:

    I was able to get the T-mobile MDA to connect sync to Exchange 2003 with a Network Solutions issued certificate resolving the same "security certificate on server is invalid" error.  I had to use MMC certificates snap in on the Exchange 2003 front end server.  I exported the Addtrust External CA Root, UTN-UserFirst-Hardware, and Network Solutions Certificate Authority certificates.  These were the certificates in the "Certification Path" on the internet connected Exchange Server.  All were exported as DER format .cer files, copied to the MDA and run under "File Explorer"  The certificates can be seen on the MDA in Settings-System Tab-Certificates-Root Tab.  I could not have done this without this blog. Thanks for the help.

  169. Steve Levin says:

    My problem, by the way, turned out to be a cert issue with the intermediate cert (which GoDaddy changed around Jan 2007).

    If you are in my situation (installing a renewal godaddy cert and everything stops), do the following:

    1) Follow GoDaddy’s complete instructions for installing the intermediate cert.  While browsers are okay with the old one, mobile devices aren’t.

    2) go into your trusted root authorities on your server and remove the "Godaddy" cert (not the valicert).

    The second step is effectively undocumented and I only learned it when I gave up and called their support.

    Steve

  170. Jim says:

    I’ve always wondered why most people end up implementing blackberries. I think I now know why, as usual microsoft making a complete mess of implementing activesync!

  171. Ole says:

    I do not recommend my customers to buy WM5 on SmartPhones and other devices that have certificate problems. It has become too expensive to install certificates. More people do the same. That will teach MS to listen over time.

  172. Steve Levin says:

    Actually, the WM5 devices broadly recognize the most certs, and most of the devices released in 2006 do have valicert support.  That’s much, much better than "hard" cell phones such as Nokia and Sony Ericsson, which typically recognize only a handful of root certs and have no way of adding more.  MS-based smartphones are by far the best in this area!

    For our commercial servers (we are a mobile services provider) we’ve been forced to go with Verisign as it is the only root cert recognized by everything.

  173. bozo says:

    Wild card certificates can be installed.  It’s a pain, but doable:

    1.  Find the Mobile Registry editor.  Google it, it comes up easily.

    2.  Navigate to this key:  HKEY_CURRENT_USER\Software\Microsoft\ActiveSync\Partners\UID_Server_partnership where UID_Server_partnership is a long string easily identifiable by the domain of the server that you are trying to reach in the right hand pane.

    3.  Right click on the UID_Server Key and create a new DWORD key called secure, value 0

    This does the same thing as the utility certchk tool in WM03

    You will also have to have imported your wildcard cert into your store, methods listed on this page worked for me on an 8525 HTC using a Network Solutions wildcard cert.  My HTC did not need a reboot, but other devices might.

    Good luck…

  174. Vesa says:

    We bought a VM5 for development use. We are a rather big smart phone development house, but so far we have only done Symbian development.

    But I can not even take the VM5 phone into use, since I can not install our root certificate to the device. I can not recommend Windows Mobile 5 phone to anyone. Windows mobile 5 is a disappointment.

  175. Jared P. says:

    Lack of support for wildcard SSL certificates (*.domain.com) on Windows Mobile is very disappointing.  Microsoft claims to have made security a top priority, but disabling certificate security enforcement with a registry change makes mobile computing less secure.  This change would allow an attacker to spoof the server’s identity.  This undermines the purpose of the certificate, which is to authenticate the identity of the server.  This is standard certificate functionality to most client software (browsers, OSes, etc.).  This shouldn’t need a feature request.  A patch should be issued.  

  176. Jared P. says:

    Microsoft put their name on the SPKI RFC at http://www.ietf.org/rfc/rfc2693.txt which allows for wild cards.  While this RFC is experimental in RFC terms, wild card support has been widely adopted by 3rd party CA’s, CA software (including Windows Certificate Services) and client software (including IE).  I don’t understand why this isn’t a standard supported feature for Windows Mobile.

  177. scyost says:

    We’ve already added wildcard cert support in WM6.

    The security risk of disabling the checks is one of the major reasons that the flag is no longer supported.

  178. neil says:

    Hi

    I am trying to set up push email on one of our clients’ exchange 2003/SBS 2003 servers but I keep getting the following error on the mobile device: 0x80072F0D

    The exchange server has FBA enabled with a self created certificate with the FQDN of mailgate.company.co.uk using Selfssl and I can access OWA and OMA ok.

    I exported the certificate from IIS and manually installed it on the mobile device using p12import which I have used before with no problems.

    I have reconfigured IIS with the steps in KB 817379 (http://support.microsoft.com/kb/817379) and I have input the server’s ip of 192.168.1.200 as the router forwards ports 25, 80 and 443 to this local IP. I have also tried inputting the router’s public IP as a trusted address.

    I have set up a previous client with push email using windows server 2003 certificate services for creating the self certificate and it worked ok – could this be the problem or could it be the port forwarding?

    Any help appreciated

  179. Matt J says:

    Scyost,

    Why don’t you just do something productive and give us a way to disable cert checking?  Why is it any of your concern?  I don’t know anyone that uses certs with a radius server. It is not needed and a pain in everyone’s ass.  I wish I could have a few words with the guy responsible for not giving us a simple fix for this problem.

  180. ChadAmberg says:

    We’ve recently built an application that makes all this so much easier.

    It extracts and builds the _setup.xml correctly.

    Then it puts it in a cab file.

    Finally, a desktop deployment tool is built for the end users to run.

    http://www.digitallabs.net/mcb/default.htm

  181. Roger B says:

    I am not a hi tech sys op, just a business owner setting up my own system with push pull email with WM5 and a 2003SBS with MSExchange with SP2.   I have a fixed IP address that does not have an internet domain name; in the past we have entered our corp IIS via a number like 2XX.8X.2X.4X and it worked fine.  I understand that I have to get a SSL cert, which I have purchased via Godaddy, however, I have hit a road block as they ask for a Common Name for the cert, and as I do not have a domain name I am guessing a SSL will not work with an ip address number. Can anyone advise?

  182. scyost says:

    I’m guessing GoDaddy won’t sell you an SSL cert for an IP address. You are probably going to have to get a domain name for that IP in order to purchase a cert for it from a major vendor. Alternately you could create your own self-signed cert for that IP using an internal CA and then deploy that cert to the devices. Getting a domain name is far easier though.

  183. Jason says:

    Anybody have any idea what 0x85010014 means? I’ve spent the past week trying to hook my TMobile Dash to Exchange 2003, but cannot get around this problem, driving me crazy. Lots of references to 0x85010014 on the Web, but no definitive answer as to what the problem could be.

    Thank you!

    Jason

  184. A... says:

    Lee, you rock.  Thank you.  Thank you kindly.

    Importing the "intermediate" certs works perfectly with that little program.

    Once ALL the certs were installed (root + intermediate) I was able to sync!

    Thank you.

    Why can’t MS make directions for this (and the freaking utility) that make sense instead of a bunch of convoluted, misleading, and confusing (dis?)information…

  185. Mark says:

    I just upgraded to WM6 and now I am unable to reestablish syncing with the Exchange server.  I have readded the cert provided by IT with no luck.

    The error I get is that the cert on the server is not valid.  Is there a new cert for WM6 that is required?

    Thanks!

  186. Mark says:

    Allow me to elaborate from my post of July 6.

    I am using a T-Mobile Dash and I upgraded from WM5 to WM6.  Prior to the upgrade all of the sync functions were working normally with no problems or exceptions.

    After the upgrade the cert was readded to the phone and the email account was readded with the exact same settings and info as before.  Since then I get the old Support Code:80072f0d error.

    All other variables are equal.  Same phone, same provider, same cert, same settings.  The only difference is WM6 vs. WM5.

    Please help.

  187. Treve Ellis says:

    Good Morning,

    I am having a problem connecting to an open Wifi connection, I have a SPV M700. I keep getting a message "Require a personal certificate to access". I can find no reference to this in any handbook.

    This smartphone worked last week but now I am unable to connect to this WiFi link.

    I have requested support from my supplier (Orange UK) but as yet have not received a response. I am presently using this smartphone with Skype to stay in contact with home (presently on an oil rig in Angola)

    Any assistance will be greatly received.

    Thanking you in advance.

    Treve

  188. Brett says:

    I didn’t read this entire page so I don’t know if this has been answered or not, but… I have a Mogul with WM6, and I have been setting up ActiveSync to Exchange 2007. After futzing around with a few of the cert issues mentioned here, I (a) replaced the default cert in my IIS root for Exchange with one generated by my AD CA. Then, on my device, I browsed to the URL that is hosting the /CertSrv/ directory (use https, click past the warning that the cert isn’t trusted, you’ll only have to do this the first time), then click to install the root certificate. Evidently, by installing it from IE on the device the cert is placed in the correct store (just clicking it in explorer places it in the wrong store). After doing this voila, Exchange started syncing.

  189. scyost says:

    Hey Brett, could you send me a mail with the details or a copy of the cert? I definitely want to know why it got installed into the wrong store for you. You can mail me through the form here: http://blogs.msdn.com/user/Profile.aspx?UserID=13079

    Thanks!

  190. Anonymous says:

    Wildcard certs are a security nightmare.  STOP USING THEM!!!

    If anyone can get ahold of the private key (I assume most sites running with wildcards have less than adequate security) all they have to do is install the cert and PRESTO!  They are someone from your organization!  Trust them, they have a cert!

    Wildcards lead to phishing and other ph words du jour.

    Knock it off, do it right, and quit bitching to Microsoft because you don’t know how to set up an adequate PKI.

  191. Bobbi says:

    Mark,

    Did you figure it out?  I have a dash and upgraded to WM6 and it won’t connect to the exchange server.  I receive error 0x80072f17

    Anxiously awaiting your findings,

    Bobbi

  192. Dustin says:

    Found an easier way to do this… don’t know if it has been mentioned in the above comments; although I thought I would help.

    I exported the key from Internet Explorer on a current PC that has the self-signed certificate installed on it.

    I then moved the .cer file to the Windows Mobile Device, and had the end user go to My Documents and click the .cer file.

    It installs the certificate and then from there they were able to synchronize with the server.

    It worked for me; so I hope this helps someone out there.

    Dustin

    quicktech

  193. Richard Computer Doctor says:

    Re Dustin’s solution: it didn’t work for me.  Certificate installs OK but I still get the same error.

  194. darylrue says:

    1.  Installing root certificate from EAS administrator

    2.  Installing certificate that I am redirected from when going to https://webmail.alegent.org

    SPaddcert would not work but when I clicked on them individually it installed and shows as installed equifax global and local…

    3.  Changing registry setting to secure = 0 from 1 to disable certificate checking all together on the phone under airsync, connections, secure tab.  

    4.  Installing RoadSync from DataViz that shows EAS 2007 support on SP 2003.

    Any insight into how I might be able to use the only Windows phone my carrier has to offer would be appreciated.

    Thanks,

    Drue@alegent.org

  195. scyost says:

    #1 isn’t going to help you – wild card cert support comes in WM6.

    I would expect #3 to work though. (on SP2003, back when that reg key was supported)

  196. Jay Hill says:

    It appears this issue still exists. For the first month after purchasing my Motorola Q with Windows Mobile 5.0, all was working well … until that dreaded day when my IT department renewed the Exchange Server certificate.

    I can no longer synchronize to the Exchange Server.

    The IT department sent me the main certificate, but as others have found, I am not able to install the cert. Double-clicking says it is invalid. Running certinst.exe produces "Alert. Invalid certificate" without bothering to ask me which certificate.

    Now that I have the certificate from IT, I have installed this on my laptop.

    Can I use my laptop and the installed certificate to create the CAB or XML file? Or must my IT department create this from the Exchange server?

    Also, the Verizon cert install program is old and won’t work on my device. Are there any new programs that I can download that will take care of the installation without having to create the CAB or XML?
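    Jay asks whether the certificate sitting on his laptop can be turned into the XML or CAB that rapiconfig consumes. The script below is an added example, not from this thread or from Microsoft: it takes an exported .cer (DER, IE's default, or Base64 X.509) and emits the CertificateStore provisioning document, naming each certificate node by its SHA-1 thumbprint as the CSP expects, placing the root in the ROOT store and any intermediates in the CA store. The store names and node layout are as the Windows Mobile CertificateStore CSP documents them; the embedded certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import ssl
import sys
import xml.etree.ElementTree as ET

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def load_der(data: bytes) -> bytes:
    """Accept either a DER .cer (IE's default export) or a Base64/PEM export."""
    if data.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes in upper-case hex: the node name the CSP uses."""
    return hashlib.sha1(der).hexdigest().upper()


def build_provisioning_xml(certs_by_store: dict) -> str:
    """Map store name ("ROOT" for the root CA, "CA" for intermediates) to a list
    of DER certificates and return the wap-provisioningdoc for rapiconfig."""
    doc = ET.Element("wap-provisioningdoc")
    cert_store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    for store, ders in certs_by_store.items():
        store_node = ET.SubElement(cert_store, "characteristic", type=store)
        for der in ders:
            # A DER certificate is an ASN.1 SEQUENCE (tag 0x30); anything else
            # (a .pfx, a text file) would be rejected by the device as invalid.
            if not der.startswith(b"\x30"):
                raise ValueError("not a DER X.509 certificate; re-export as DER or Base64 X.509")
            node = ET.SubElement(store_node, "characteristic", type=thumbprint(der))
            ET.SubElement(node, "parm", name="EncodedCertificate",
                          value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


# Constructed placeholder standing in for an exported certificate: a minimal
# ASN.1 SEQUENCE so the tag check passes. A real .cer from the CA goes here.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
PLACEHOLDER_PEM = (PEM_HEADER + b"\n" + base64.b64encode(PLACEHOLDER_DER)
                   + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # usage: python make_cert_xml.py root.cer [intermediate.cer ...] > _setup.xml
    if len(sys.argv) < 2:
        sys.exit("usage: make_cert_xml.py root.cer [intermediate.cer ...]")
    files = [open(p, "rb").read() for p in sys.argv[1:]]
    stores = {"ROOT": [load_der(files[0])], "CA": [load_der(f) for f in files[1:]]}
    print(build_provisioning_xml(stores))
```

The resulting XML is what goes into the _setup.xml of a provisioning CAB or is pushed directly with rapiconfig; whether the device accepts it still depends on its security policy, as the post explains.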

  197. To the guy with the ‘gasoline analogy’: you’re missing the point. This is like trying to run a gasoline engine on bio diesel. Or better yet, trying to run a coal powered locomotive with nuclear fission.

    Apples and oranges, just be lucky there is a way with software that eventually they can make it work (given time and money).
