Old 12-19-2008, 03:20 PM
FormerPalmOS's Avatar
Pocket PC: HTC Touch Pro
Carrier: Verizon
ActiveSync support code 80072F06 - workaround

One of my personal goals with a new WM6.1-based phone was to access Exchange Server e-mail. There were a number of issues preventing this from happening. These issues seem common so I'm posting the solutions here. Some of these aren't pretty, and most are band-aids - most of the problems are caused by IT issues with the server and should be fixed by your IT department. However, if the odds of that happening only slightly exceed the odds of the Broncos winning a game this year, read on.

WARNING - you will need to edit the registry of your mobile device. If you do not know how to do this or are not comfortable learning, then stop now. Ignorant registry editing can cause bad things or worse, kill your device causing you to have to hard-reset it and start all over. Make a back-up image of your registry before you change anything. Consider yourself warned!

First, I have discounted any solution that involves bypassing SSL between the mobile device and the server - this is dangerous as an unencrypted connection exposes your user name and password and all of your e-mails to the outside world.

Second, do any testing from a laptop/desktop that is NOT connected to a corporate VPN - you need to replicate the networking environment your phone sees - and your phone will not see a corporate network (unless you have a working VPN connection on your phone).

Third, there are three basic things which must be in place. If any of these are not, then you CANNOT use ActiveSync with Exchange and my rantings here will not help you:

1) Your mobile device must be able to talk to your Exchange or ActiveSync server. This may involve obtaining the right data plan with your carrier, and your server must be open to the outside world for port 443 (SSL) connections. A simple way to check the latter part of this is to see if you can use Outlook Web Access (OWA). You may or may not get server certificate / security issues - but if you do, bypass them for now (we'll fix them later), and if you can access your inbox, then you are half way there. Typically, the OWA web address looks something like https://<your server IP address or name>/exchange/<your e-mail user name>.

2) ActiveSync must be installed on the server and configured properly. Only way to test this is to get the rest of this working and see.

3) Your server must have an SSL certificate that includes Server Identification as one of its purposes. Ideally, this certificate was issued by one of the trusted root certification authorities already included in your phone. If not (for example, if it is self-issued) it will create problem #1 below, but there is a work-around. Also, ideally, this name is a Fully-Qualified Domain Name (FQDN) - i.e. server.domain.com, and not a NetBIOS machine name like just server. If not, this will create problems #2 and #4 below and again there is a work-around.

Note - if you have working VPN access from your phone, using server instead of server.domain.com may actually be preferred since your phone will automatically try to establish a VPN connection to talk to server, where it will not automatically do so to talk to server.domain.com.

Now - let's look at the rest of the requirements.

4) The name of the server on the certificate must exactly match the name you enter for the server name when you configure ActiveSync. Server is not the same as server.domain.com. A mismatch here will cause problem #2 below and ActiveSync support code 80072F06.

5) There must be a way to resolve the server name to an IP address (unless you have a working VPN connection). If the server is registered in a national DNS registry (the same thing that allows www.google.com to resolve to an IP address), this is not an issue. If not (which is typically the case), you must tell your phone the IP address of the server. See problem #3 below.

6) Your phone must know the correct connection to use to get to the server. If the server name is a FQDN, the default settings should work. If server name is just a NetBIOS name (i.e. server not server.domain.com) then you will have to change this (problem #4 below). Note - if you have a working VPN, then you should not see problem #4.

Once all of these are in place, you should be able to make an ActiveSync connection.

Problems:

1) Let's say your IT department is cheap and doesn't want to pay for a "real" server certificate issued by someone like Verisign. Instead, they chose to "self-certify". Your phone will not trust that the certifier (your company in this case) is "authorized" to certify that your server is who it says it is. To overcome this, you must add this trust to your phone.

a) Ask your IT department to export a root certificate from the machine used to generate the server certificate. This root certificate should have a .cer filename. This is NOT the same certificate you can get if you try to establish an OWA session with the server.

b) You need to get this file to your phone (storage card works great for this since ActiveSync won't normally let you exchange this type of a file). Using the Windows Mobile file explorer, click on the .cer file and your phone will ask you to confirm if you want to install the certificate. If it blocks you, this may be a show-stopper (i.e. if your phone's policy prohibits you from adding root certificates, you will be stuck unless your IT department gets a real certificate).

c) Double-check that a) your phone imported the certificate and b) that it imported it as a root certificate, not as an intermediate or personal certificate. If it didn't import or if it shows up as an intermediate or personal certificate, your IT department goofed on the export. On your phone, go to Start -> Settings -> System tab -> Certificates. Make sure you don't see the imported certificate (which should have a name you recognize as either your exchange server or some other machine in your domain) as a personal or intermediate certificate. You should see it as a root certificate. BTW - all of the "trusted" certifying authorities that your phone trusts are listed here - a certificate from any one of them will prevent this problem in the first place.

2) In my particular case, the self-issued certificate listed server (an internal NetBIOS machine name) as the server name, not server.domain.com. This in conjunction with problem #3 meant that a) I couldn't find the server by name since the phone can't resolve a NetBIOS name to a public IP address and b) I couldn't enter the server's IP address into ActiveSync server set-up since that won't match what's in the server certificate. There is no VPN client for our corporate network that will work on my phone - so I have to go over the public internet.

This problem (certificate name doesn't match server name entered in ActiveSync server set-up) is what generates ActiveSync support error 80072F06. The best solution is to re-issue the server certificate with the correct server name (i.e. exactly what you enter in ActiveSync). Ideally, that should be a fully-qualified domain name entry (i.e. server.domain.com) and not a NetBIOS name, unless you are able to connect with a VPN from your phone - in which case a NetBIOS name is actually preferred.

But let's assume for a minute that your IT department is too busy to take the ten minutes to re-generate a correct certificate and install it. This means that whatever name is on the certificate presented by the server during an SSL negotiation is what you must use. The best way to figure this out is to try Outlook Web Access. Internet Explorer will gripe about security errors and give you the option to view the certificate and accept it for a connection. When you view it, look for the "common name" field if viewing the certificate details or the "Issued to" field if viewing general certificate information. Write it down. This is what you must enter exactly into ActiveSync, and in the solution to problem #3 below. Let's call this server (instead of server.domain.com).

3) Server name to IP address resolution. Let's assume that your Exchange server is NOT registered in a public DNS. This is actually how it should be for best security. This means you need the public IP address of the server from your IT department. If you can establish a VPN through your phone, you may be able to resolve a NetBIOS name to an IP address once the VPN connection is established. If so, you should not have problem #3.

If you were able to get Outlook Web Access to work from your phone using Internet Explorer or Opera, you probably did it with either an IP address or a FQDN (server.name.com). If it worked with server.name.com that means your server is registered with DNS. If it doesn't work from your phone using a server.domain.com address, try it from your desktop/laptop (make sure you are NOT connected to a VPN). If your laptop/desktop can find server.domain.com but your mobile phone cannot, the most likely reason is that your IT department installed a hosts file on your laptop/desktop. Check in c:\windows\system32\drivers\etc for a file called HOSTS. If you see it there, write down the IP address - you will need it.

Once you have the correct IP address (check by trying Outlook Web Access using the IP address instead of server name), you need to tell your phone that the server name you entered into ActiveSync is this IP address. Windows Mobile doesn't use anything like a HOSTS file - you have to edit the registry.

The key you are looking for is in HKLM\Comm\Tcpip\Hosts. You should already see a key called ppp_peer - leave it alone. Create a new key at the same level as ppp_peer (i.e. a key for the Hosts key) - name this key exactly the same as what you entered into ActiveSync for the server name - which should be exactly the same as what you saw on the server certificate when you tried OWA. For example, if the certificate says the common name is happy, then you will enter happy as the server name for ActiveSync and happy as the value for this new key you are creating. Once the key is created, create a new binary value named ipaddr. For the value of this key, enter the hexadecimal representation of your server IP address. For example, if your server IP address is 96.60.0.11, enter 60 3C 00 0B as the value of the ipaddr key.

4) Server name is a NetBIOS machine name but phone does not have a working VPN connection. When ActiveSync tries to connect to server.domain.com, it uses whatever you have configured on your phone as the active internet connection. When it tries to connect to just server (instead of server.domain.com) it uses whatever you have configured as the active Work connection.

On your phone, go to Start -> Settings -> Connections tab -> Connections. From there you should see two different sets of menus, one for your Internet connection (typically the name of your carrier - like Verizon Wireless or Sprint PCS) and one for your Work connection. If you only see one, then your work connection is already set to use your internet connection and you do not need to do anything else to resolve this problem.

Otherwise, on the Advanced tab, change the setting under "Programs that automatically connect to a private network using:" from whatever it is to the same as the internet connection (which should be right above). Note - this will break anything else that is already set-up for a work connection, like a VPN.

After you have done everything, save everything and soft-reset your phone.

You can check that the above was done correctly by trying OWA again from your phone, using the server name instead of the IP address when you try OWA. If it cannot find the server, either you did the hosts entry incorrectly or the connection setup incorrectly. If your phone complains about certificate errors, then the hosts set-up and network set-up is correct but you didn't exactly match the name of the server in the SSL certificate, or you forgot to install or incorrectly installed or received an incorrect root certificate. If OWA works with no errors, then ActiveSync should work with no errors.

Good luck. I have only gone through this with one device - so I'm trying to generalize as much as possible.
__________________
ROM: WM6.5 nk.exe (Da_G), sys 23518 (Da_G), VZW OEM pack (scrosler)
Apps: Manila 2.1 (yozgatag), Leo dialer (pyrorob)
This post has been thanked 2 times.
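
The checks described in the post (certificate name versus the name entered in ActiveSync, single-label versus fully-qualified name, and the `ipaddr` registry bytes) can be rehearsed on a desktop before touching the phone. The following Python sketch is an added example, not part of the original post: the function names are hypothetical, the certificate is a constructed dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the name `happy` and address `96.60.0.11` are the post's own illustration values, and the case-insensitive comparison without wildcard handling is an assumption.

```python
import ipaddress

# Constructed sample: certificate whose common name is the bare name "happy".
SAMPLE_CERT = {"subject": ((("organizationName", "Example Corp"),),
                           (("commonName", "happy"),))}

def cert_names(cert):
    """Collect commonName and subjectAltName DNS entries from the cert dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn
             if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names

def ipaddr_bytes(ip):
    """Dotted IPv4 address -> hex bytes for the binary 'ipaddr' value."""
    return " ".join(f"{b:02X}" for b in ipaddress.IPv4Address(ip).packed)

def preflight(cert, entered_name, server_ip):
    """Report what the phone will need for the name typed into ActiveSync."""
    names = cert_names(cert)
    # Assumption: names compare case-insensitively; wildcards are not handled.
    match = entered_name.lower() in (n.lower() for n in names)
    single_label = "." not in entered_name  # NetBIOS-style name, not an FQDN
    findings = []
    if not match:
        findings.append(f"certificate names {names} do not include "
                        f"{entered_name!r}: expect support code 80072F06")
    if single_label:
        findings.append("single-label name: ActiveSync uses the Work "
                        "connection (problem #4)")
    return {
        "match": match,
        "single_label": single_label,
        # Key and value to create if the name does not resolve through DNS.
        "hosts_key": "HKLM\\Comm\\Tcpip\\Hosts\\" + entered_name,
        "ipaddr": ipaddr_bytes(server_ip),
        "findings": findings,
    }

if __name__ == "__main__":
    for name in ("happy", "happy.domain.com"):
        report = preflight(SAMPLE_CERT, name, "96.60.0.11")
        print(name, "->", report["hosts_key"], "ipaddr =", report["ipaddr"])
        for line in report["findings"]:
            print("   ", line)
```
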