Hmm, did this about half a year ago and didn't blog about it... stupid, because now I had to figure it out again. The unfortunate event was the phone on my PDA (T-Mobile MDA Vario II) had a bit of a malfunction. It either didn't connect to the GSM-network or when it did, calls would be disconnected after a couple of minutes. So I called T-Mobile and after having determined the problem was the phone (not the SIM), they collected it for repair. Naturally, I made a backup of my personal stuff and then removed the personal stuff and security settings from the device before it was picked up (hey, I do security training occasionally).
Well today I got my device back... software update, all information gone (but I have a backup)... I just had to restore my stuff and configure network settings and Exchange synchronization again. No problem until: 0x80072FD; indicating the certificate on the Exchange Server (my Small Business Server) was invalid.
The solution is to add my SBS self-signed certificate to the trusted root certificates of the PDA. How?
Well, first make sure your environment is set up for synchronization. Not my issue, but it never hurts to check on it. See Petri for the overview.
Now obtain your SBS self-signed certificate; in all cases this will be located on the Exchange virtual directory on your web server. From IIS Manager you can directly export the certificate (without private key) to the required DER encoding. Execute the following steps, which are derived from kb841060:
- Export the root certificate to a computer that is running Microsoft Windows in DER encoded binary X.509 format with a .cer file name extension.
- Create a folder named Storage in the root of the Windows Mobile device.
- Download and extract the SmartPhoneAddCert.exe package on your Windows computer.
- Use ActiveSync (Windows XP and earlier), Windows Mobile Device Center (Windows Vista) or the storage card to transfer the DER-encoded certificate and the SPAddCert.exe (from the downloaded package) to the \Storage folder on your Windows Mobile device.
- On your Windows Mobile device, start SPAddCert.exe from the \Storage folder. It will give a warning that the application is not verified (or something like that); ignore the warning and proceed. The application will now show you the certificate you exported; continue by confirming all actions.
- Restart your device.
You can check the trusted root certificates under Settings, System, Certificates, Basic (in my case (Dutch) Instellingen, Systeem, Certificaten, Basis). After executing the above procedure you should see the SBS-cert here.
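An added example, not from the original post or from kb841060: a Python check that the exported .cer really is DER-encoded binary (converting it if the Base-64 option was picked by mistake), that it was not truncated in transfer, and what its SHA-1 thumbprint is, so it can be compared with the thumbprint Windows shows for the server certificate before you trust it as a root. The sample bytes are constructed placeholders, not a real certificate, and the function names are illustrative; only the encoding and outer framing are checked, not the X.509 contents.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: a DER SEQUENCE header plus 512 filler bytes.
# It is NOT a real certificate; only the outer framing is meaningful here.
SAMPLE_DER = b"\x30\x82\x02\x00" + bytes(range(256)) * 2
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).replace(b"\n", b"\r\n")
              + b"-----END CERTIFICATE-----\r\n")


def der_total_length(data: bytes) -> int:
    """Length of the outer DER SEQUENCE, header included."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: file does not start with a SEQUENCE tag")
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der(data: bytes) -> bytes:
    """Return DER bytes from a .cer file that is either DER or Base-64 (PEM)."""
    match = PEM_RE.search(data)
    if match:                             # Base-64 export chosen by mistake
        data = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if der_total_length(data) != len(data):
        raise ValueError("declared length != file size (truncated or padded)")
    return data


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, the value Windows shows as 'Thumbprint'."""
    return hashlib.sha1(der).hexdigest().upper()


if __name__ == "__main__":
    for name, blob in (("DER export", SAMPLE_DER), ("Base-64 export", SAMPLE_PEM)):
        print(name, thumbprint(to_der(blob)))
```

To check a real export, read the file with `open(path, "rb").read()` and pass the bytes to `to_der`; write the returned bytes back out if the original turned out to be Base-64.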
I'm not sure if Windows Mobile 5 really required the restart, but that's because before I restarted I received the error 0x85010014 from ActiveSync on my SmartPhone. After restart (still the same error) it turned out to be a connection issue. Due to firewall restrictions I had to use another interface on my multi-homed SBS Server (hey, it's been a couple of months!!).
Next error I encountered from ActiveSync was 0x85020013, but since I had that funny feeling I mistyped my password (big fingers, small keys), that one was quickly resolved.
Device details:
Windows Mobile 5.1.195 (Dutch)
T-Mobile MDA Vario II (device modelnr: HERM300)