Exchange ActiveSync/Windows Phone Outlook Error 80072F0D

When you are connecting a Windows Phone device to an Exchange server using ActiveSync for the first time you may encounter the following error:

Outlook Error

Not updated

There is a problem with the certificate for mail.exchangeserverpro.net. Contact a support person or your service provider.

Error code: 80072F0D

This error can occur when the root certificate authority that generated the SSL certificate being used by the Exchange server is not trusted by the Windows Phone device.

This will commonly occur with Exchange servers that are still configured to use a self-signed certificate, or that have a certificate issued from a private CA.

There are basically two ways to resolve this issue.

Install an SSL Certificate from a Trusted Certificate Authority

If you install an SSL certificate from a certificate authority that is already trusted by the Windows Phone device, you will avoid this error when you’re configuring the device for ActiveSync. You’ll also avoid certificate-related errors for other services such as Outlook Web App and AutoDiscover.

I generally go with DigiCert for Exchange SSL certificates; however, you can choose another provider if you wish. Microsoft has published this list of certificate authorities that are trusted by Windows Phone (PDF).

Install the Root Certificate on the Windows Phone Device

If you can’t, or won’t, acquire an SSL certificate from a trusted CA then you can also install the root certificate onto your Windows Phone device so that SSL certificates from that CA will work.

This is fine for test lab or training scenarios but I do not recommend it for production environments.

If you’ve used a private CA to issue your certificate you can download the root certificate from the web enrolment page on the CA.

Download the CA certificate in DER format to your computer.

Next you need to get the certificate onto the Windows Phone device. You can do this in two ways:

  1. Host the certificate file on a website and browse to the URL from the Windows Phone device
  2. Email the certificate file to a service such as Gmail or Hotmail and download it to the Windows Phone device

You can either access the email service via its web interface, or set it up in the Windows Phone Outlook client to download the email to the device.

When you open the certificate file from the web server or email, the device should prompt you to install it.

After the root certificate is installed you should be able to successfully connect to the Exchange server using ActiveSync without any SSL errors.
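An added example, not part of the original article: before hosting or emailing the file, this Python check confirms that the download is DER rather than the Base64 (PEM) option, that issuer and subject match (a self-issued root rather than a server or intermediate certificate), and gives the SHA-1 thumbprint to compare with the one shown on the CA. The names `inspect_root`, `read_tlv`, `tlv` and `sample_cert` are illustrative, and the `SAMPLE_*` inputs are constructed certificate-shaped skeletons, not real certificates.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def inspect_root(data):
    """Report encoding, self-issued status and SHA-1 thumbprint of a certificate file."""
    encoding = "DER"
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        encoding = "PEM"                     # the Base64 download option, not DER
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        data = base64.b64decode(body)        # newlines are discarded by default
    tag, start, end = read_tlv(data, 0)      # Certificate ::= SEQUENCE
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER certificate")
    _, pos, tbs_end = read_tlv(data, start)  # tbsCertificate
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _, nxt = read_tlv(data, pos)
        fields.append((tag, data[pos:nxt]))
        pos = nxt
    if fields and fields[0][0] == 0xA0:      # explicit [0] version, absent in v1 certs
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    issuer, subject = fields[2][1], fields[4][1]  # after serial and signature algorithm
    return {"encoding": encoding, "self_issued": issuer == subject,
            "sha1": hashlib.sha1(data).hexdigest().upper()}

# Constructed sample input: certificate-shaped skeletons, not real certificates.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body    # short-form lengths only (< 128 bytes)

def sample_cert(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_ROOT = sample_cert(b"Lab Root CA", b"Lab Root CA")
SAMPLE_LEAF = sample_cert(b"Lab Root CA", b"mail.example.test")
```

Matching issuer and subject shows the certificate is self-issued; it does not verify the signature, so the thumbprint comparison against the CA is the check that the file is the one you meant to install.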

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Hi, thanks for this article. I have run into this on a few Windows phones we have; however, we have a wildcard cert from DigiCert and it only happened on a handful of our Windows phones. On a couple of them “Allow Inheritable Permissions” was not checked in AD for the user's account and on the rest I had to break the partnership with Exchange and re-add the ActiveSync account. This did however only happen on Windows phones, not iPhones or Androids. Thanks.

  2. Great article, although I’m a little unclear on a few points due to my general lack of understanding when it comes to certificates, the different types, and how they work under the hood.

    One question for you: Is it possible to encounter the 80072F0D error you mentioned with a good certificate installed? We run an Exchange 2003 server which recently had its certificates replaced (vendor was Symantec/Verisign), after which we started seeing a lot of intermittent certificate warnings on some Windows browsers and mobile devices (mainly Windows mobile devices, I believe). Basically these PCs and mobile devices were seeing warnings stating that the certificate was not trusted; however, most systems connected and continue to connect just fine.

    Since the expiration date of the original SSL certificate has expired, I know that for the systems that continue to work, the new certificate is definitely in effect.

    So in my case, it’s not a matter of a self-signed certificate or a ‘bad’ certificate causing problems across the board, but rather a new 3rd party certificate that seems to work perfectly in most cases not working on some seemingly random PCs and mobile devices.

    With all that info, any idea what might be the culprit in a situation such as this? So far all the articles I’ve read haven’t quite applied to this scenario, but rather are geared towards bad or self-signed certs.

    Any ideas you’ve got are definitely appreciated.

    Thanks,
    Bob

    • Check with Verisign, you may find that there is one or more updated intermediate certificates that need to be installed on the Exchange server itself. I’ve seen that a few times with new cert issues and older systems.
