Tuesday 27 July 2010

SBS – ActiveSync Error 0x80072F0D – Security certificate is invalid

As we go through the current SBS v7 migration we have hit a few different issues.

This SBS is using a GoDaddy certificate where everything is seemingly set up correctly, but ActiveSync does not agree.

Microsoft Exchange

Result:
The security certificate on the server is not valid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server. Support code: 0x80072F0D

So far, we have run through and verified that the GoDaddy certificate and Intermediate Certification Authority certificates are installed correctly.

We set up a test e-mail account to help with our troubleshooting using the Microsoft Exchange Remote Connectivity Analyzer.


This is the result:


When we drill into the Test Details section to come up with the reason we see:


Validating certificate trust for Windows Mobile Devices

Certificate trust validation failed.
Additional Details

Missing intermediate certificate in Certificate Chain. Subject = SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US, See KB 927465 for more details.

The process that we went through to make sure that SBS v7 had its certificate hierarchy in place was the following:

  1. Open the Certificates.msc that is found on the desktop.
  2. Open the Certificates folder under the Intermediate Certification Authorities folder.
  3. Delete any GoDaddy certificates in that folder only.
  4. Download the following certificates from GoDaddy’s Repository site:
    1. gd_cross_intermediate.crt
    2. gd_intermediate.crt
  5. In the Certificates console:
    1. Right click on the Intermediate Certification Authorities root folder and Import.
    2. Import the gd_cross_intermediate.crt _first_
    3. Import the gd_intermediate.crt _second_
  6. In the Personal –> Certificates folder
    1. Verify that the needed GoDaddy certificate is properly keyed.
    2. Delete any GoDaddy certificates that are not needed.
  7. IISReset from an elevated command prompt.
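
The result of steps 1 to 6 can also be checked read-only from an elevated PowerShell prompt. This is an added example, not part of the original post; the `Go ?Daddy` filter and the name-only matching of issuer to subject are assumptions of the example.

```powershell
# Added example: read-only audit of the local machine certificate stores.
# Provider store names: My = Personal, CA = Intermediate Certification
# Authorities, Root = Trusted Root Certification Authorities.
$pattern       = 'Go ?Daddy'   # assumption: matches "Go Daddy" / "GoDaddy.com" in the DN
$intermediates = @(Get-ChildItem Cert:\LocalMachine\CA)
$roots         = @(Get-ChildItem Cert:\LocalMachine\Root)

# Walk issuer names upward using only certificates already in the local stores.
# Simplification: links are matched on Subject/Issuer name alone; signatures
# and key identifiers are not checked, and expired candidates are ignored.
function Get-LocalIssuerPath($cert) {
    $path    = @()
    $current = $cert
    $now     = Get-Date
    for ($depth = 0; $depth -lt 8; $depth++) {
        $name = $current.Issuer
        # A cross-signed intermediate can share its subject with a trusted
        # root, so the Root store is checked first and ends the walk.
        $root = @($roots | Where-Object { $_.Subject -eq $name -and $_.NotAfter -gt $now })
        if ($root.Count -gt 0) { return $path + "ROOT: $name" }
        $next = @($intermediates | Where-Object { $_.Subject -eq $name -and $_.NotAfter -gt $now })
        if ($next.Count -eq 0) { return $path + "MISSING: $name" }
        $current = $next[0]
        $path   += $current.Subject
    }
    return $path + 'STOPPED: depth limit reached'
}

# Step 6: GoDaddy-issued certificates in Personal, with private-key status
# ("properly keyed") and the issuer path found in the local stores.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -match $pattern } | ForEach-Object {
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        IssuerPath    = (@(Get-LocalIssuerPath $_) -join ' -> ')
    }
} | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, IssuerPath

# Steps 2-5: GoDaddy entries in the intermediate store. A Count above 1 for
# one subject means an older copy is still sitting beside the imported one.
$intermediates | Where-Object { $_.Subject -match $pattern } | Group-Object Subject |
    Select-Object Count, Name, @{ n = 'Thumbprints'; e = { ($_.Group | ForEach-Object { $_.Thumbprint }) -join ', ' } } |
    Format-List
```

A `MISSING:` entry in `IssuerPath` names the issuer that still has to be imported; the script changes nothing in the stores.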

Once we cleaned things up our ActiveSync connection test was successful:


Note that we are using a test user account that was created just for this task. Once we have all of our troubleshooting issues taken care of we will delete this account.

The KB referenced in the above failed test results is KB 927465.

Note that if ISA/TMG is running in front of the SBS network, the OS that ISA runs on must also have the intermediate certificates installed according to the above instructions.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
