Posted by: Anthony Drewery | November 10, 2005

Windows Mobile 5.0 & ActiveSync

We have a few Windows Mobile 5.0 devices appearing and need to get them hooked up to our Exchange 2003 system. We have the infrastructure already in place as we use Outlook Web Access and Outlook Mobile Access. We have our front-end servers load balanced and port 443 mapped through from the outside world.

Like its predecessor Windows Mobile 2003, WM 5.0 lacks a wide selection of trusted root certificates installed by default. If you’re using a non-mainstream or self-issued certificate you’ll need to do a little extra configuration to get ActiveSync working over the air. With WM 2003 there was a tool to disable certificate checking but it’s not compatible with WM 5.0. Instead follow these instructions:

  • In Internet Explorer go to your Outlook Web Access site and ensure your certificate is installed. To check the name of it you can double click on the padlock icon in the bottom right of the browser.
  • Now in the Internet Options in IE go to the Content tab and click the Certificates button.
  • Now go to the Trusted Root Certificate Authorities and find your certificate.
  • Select the certificate and click on the Export button. Follow the wizard and select ‘DER Encoded Binary x.509’ when prompted.
  • Choose a suitable file name and finish the wizard.
  • You’ll now need to copy the exported certificate to your PocketPC device either via a memory card or by USB. Once it’s on your PPC simply tap it with the stylus and follow the prompts to install it.
  • With the certificate successfully installed you should be able to synchronise over the air.
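
An added example, not part of the original post: the comments below disagree about whether the device accepts a base64 or a DER export, so this Python sketch reports which encoding an exported .cer file uses, normalises it to DER, and computes the SHA-1 thumbprint to compare with the Thumbprint field in the Windows certificate dialog. The function names and the sample bytes are assumptions made for illustration; the sample is a constructed placeholder DER structure, not a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder (a 260-byte DER SEQUENCE of zeros), not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_B64 = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def der_total_length(data):
    """Return the full length (header + body) of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = data[1]
    if first < 0x80:                     # short form: one length byte
        return 2 + first
    n = first & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def to_der(data):
    """Detect the export format and return (format_name, DER bytes)."""
    m = PEM_RE.search(data)
    if m:                                # "Base-64 encoded X.509" export
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        fmt = "base64"
    else:                                # assume "DER encoded binary X.509"
        fmt, der = "der", data
    if der_total_length(der) != len(der):
        raise ValueError("length mismatch: truncated file or trailing data")
    return fmt, der

def thumbprint(der):
    """SHA-1 over the DER bytes, the value Windows shows as Thumbprint."""
    return hashlib.sha1(der).hexdigest()

if __name__ == "__main__":
    # Pass the exported file as the first argument; falls back to the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_B64
    fmt, der = to_der(raw)
    print(f"format={fmt} der_bytes={len(der)} sha1={thumbprint(der)}")
```
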


    1. nice, it seems that this worked and i was able to apply my certificate correctly to the device, however active sync over usb still doesn’t seem to want to happen (haven’t tried wap access yet).
      it seems that my problem might still be that i don’t have an exchange server “trusted” certificate. could this be? everything that i have read about my problems thus far seem to point to this being the issue.
      thank you.


    2. What errors do you get when you try ActiveSync over USB? Does syncing over the air work correctly? Have you tried upgrading to ActiveSync 4.1 as it fixed a bunch of ‘quirks’ with the version that shipped with the WM 5.0 devices. You can get it here:

    3. If you’re using ActiveSync 4.1 all you need to do is follow the help “Connect to a network or the Internet through ActiveSync”

      Use ActiveSync to “pass through” this computer. That means the connected device can use the computer’s network connection as if it were its own. You can use this feature to perform tasks such as downloading non-Outlook e-mail messages, to connect directly with Exchange Server, or to browse the Internet.

      Important Note For additional security, disable network bridging on the PC (specifically, bridging to a Remote NDIS adapter) before connecting to the PC to pass though to the Internet or a network. For more information on network bridging, see Windows Help on the PC.

      Click Connection Settings.
      Select Open ActiveSync when my device connects.
      In the This computer is connected to list, select a connection to which this computer should connect when passing through ActiveSync.

    4. Hi!
      I could install the cert without problems but the active sync tells me that the certificate is invalid. Code 0x80072F0D. Any ideas?

    5. Hi Phil,

      I am facing the same, I could install the cert without problems but the active sync tells me that the certificate is invalid. Code 0x80072F0D. Any ideas?

    6. We have the same issue here… even tried installing an intermediary cert (Starfield) from the exchange box in addition to the “regular” cert, but still getting 0x80072F0D. Haven’t tried a sync over the air, but USB still gives us this same issue

    7. It’s what it says… it’s not valid. It has to be trusted for it to work.

    8. Worked perfectly Thanks !!!

    9. I have the same problem. We don’t have the possibility to use Authorized CA, anyone have some idea?

    10. Did you export the cert in base64 format? All other formats are not supported on the Pocket PC or Smartphone.

    11. Worked great. But if you’re using Windows Mobile 5.0, don’t export in base64 format – be sure to use “DER Encoded Binary x.509” as suggested above.

    12. Aha! For those using Starfield (GoDaddy) issued certs, you must install the ValiCert root certificate. To download the ValiCert root follow the first 3 steps above to get to your installed certificates. Next view the certificate for your OWA server. Click the Issuer Statement button. You should be taken to a page with all sorts of ValiCert info and options. Near the bottom of the page is a CER file in DER format. Download and copy to your WM device. Install the cert by double-tapping in File Explorer or equivalent. That’s it!

      This worked perfectly for me and I can now securely sync via ActiveSync over USB or OTA.

    13. Hi, I get an error message when I try to install the certificate on my PPC: “Security permission was insufficient to update your device”

    14. I am having the same problem as above. I exported the cert and installed it on my treo700 and I still get the 80072F0D certificate error. I’ve tried everything I can find and nothing seems to work.

      I am connecting via USB on my laptop.

      Any other suggestions…

    15. Finally got my Orange M600 to do the active synch dance. Mucho thanks to all!

      Had to get the root certificate (in DER format) exported from my Domain controller not just the one that is displayed by Iexplorer when browsing the OWA pages. After I got both certs installed onto the phone, I could browse to OWA on the phone without any cert prompt and active sync works beautifully!!

    16. Did the steps above, but still not working. How important is it to have both certificates (from the browser and from the server) installed on your device? We all sync OTA, not via USB, but all get the same notification.
      Supplier does not come with answers. Please help!!

    17. I’m also having the same issue. What is the “domain” cert mentioned above?

    18. one thing to note with Starfield certificates – you’ll need to export 3 cer files: the site, the intermediate and the root
      1. follow the above directions to get your site cert.
      2. click the “Certification Path” tab and select the intermediate certificate – in the tree structure, it’s the one just above your site (i.e. the parent). use the above directions to export the cer file
      3. still in the “Certification Path” tab, select the root certificate – in the tree structure it’s the next one up (i.e. the grandparent). use the above directions to export the cer file.

      Windows mobile 5 and above may already have the root certificate from Starfield… so really the trick is to get the site cert AND the intermediate cert.

    19. If people still have trouble with the 80072F0D error try this.

      On the server, go to DOS prompt: locate C:\program files\IIS Resources\SelfSSL\

      Run the following command (selfssl.exe /? shows help) : selfssl.exe /k:1024 /v:1825 /s:1 /p:443 /

      1825 days is valid for 5 years!

      Then export the cert. from the IIS MMC, standard website, properties, directory security, show cert., tab details, copy to file, next, no, choose DER (.cer file). Copy the file to PDA and doubleclick in explorer(on PDA) so it will be imported.

      All should work again.

    20. Thank you, it works fine with SBS2003/Exchange and HTC/TYTN WM5 (5.1.465).

    21. Thanks a lot!

      In 546879652 words Microsoft are not able to explain this.

    22. worked perfectly on HTC Touch Cruise, WM6
