Troubleshooting Error Code 0x80072f17

Written by Mike Rede on June 23, 2009

Many people have reported problems when they try to sync their cell phones with their Exchange servers.

When they try to sync with MS Exchange Server 2003 using Windows Mobile 5.0, they might get the following error code: 0x80072f17. Some users have also reported problems when trying to sync with MS Exchange Server 2007.

This problem is usually associated with the use of Secure Sockets Layer (SSL) certificates.

Remember that you use SSL for Internet protocols such as Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), and Internet Message Access Protocol (IMAP).

The SSL authentication method uses public/private key technology to ensure privacy. The SSL protocol resides at the Open Systems Interconnection (OSI) presentation layer and moves data from the application layer to the TCP transport layer. It is responsible for authentication, encryption, and verification of data integrity.
The authentication function assures that the data is being sent to the correct server and that the server is secure. Encryption ensures that data cannot be read by anyone other than the target server. Data integrity ensures that the data has not been corrupted or altered in transit.

If a user removes the SSL authentication, they will probably be able to synchronize their phone with the server, but that is probably not how you want them to operate. Even if you install the certificate directly, you may still have problems. Checking or unchecking the proxy settings box has no effect on the problem.

One solution to this problem is to reissue the SSL certificate through Internet Information Services (IIS). The error can appear if you were using the original certificate that Exchange Server installed and that certificate was later replaced.

Another possible cause of the 0x80072f17 error is an unsupported certificate. If you installed a certificate that supports wildcards from a digital certificate provider, the certificate will probably install, but using it is most likely not supported. To fix this problem, replace the certificate with one that does not use wildcards and is listed in the root certificate store on the device.

The problem can also occur when Microsoft Exchange does not connect but generates another error code: 0x80072EE7. Selecting another system to synchronize with results in a related synchronization error message, such as when the Microsoft Exchange server shows “Synchronization could not be completed. Try again later”. The support code generated by the system is 0x80072F17.

You might need to add a new certificate to your device, for example when the SSL certificate issuer on the Exchange Server is new to the business or has made some changes.
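The certificate causes described above (a wildcard name, or an issuer the device does not know) can be checked before rolling a certificate out to phones. The following is an added example, not part of the original article: it works on the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, and the host names, CA names and certificates in it are constructed sample data.

```python
# Added example. Input is the dict shape returned by ssl.SSLSocket.getpeercert().
# All names and certificates below are constructed sample data.

def rdn_value(name, key):
    """First value of `key` (e.g. 'commonName') in a subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def cert_dns_names(cert):
    """Every DNS subjectAltName entry plus the subject common name."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = rdn_value(cert.get("subject", ()), "commonName")
    if cn and cn not in names:
        names.append(cn)
    return names

def activesync_cert_findings(cert, sync_host, device_root_names):
    """Return the reasons a Windows Mobile 5.0 device may reject this certificate."""
    findings = []
    names = cert_dns_names(cert)
    wildcards = [n for n in names if "*" in n]
    if wildcards:
        findings.append("wildcard name: " + ", ".join(wildcards))
    exact = {n.lower() for n in names if "*" not in n}
    if sync_host.lower() not in exact:
        findings.append("no exact name for " + sync_host)
    # Simplification (assumption): the certificate is issued directly by a root.
    issuer = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer not in device_root_names:
        findings.append("issuer not in device root store: " + str(issuer))
    return findings

def make_cert(common_name, issuer_name):
    """Build a constructed certificate dict in getpeercert() form."""
    return {"subject": ((("commonName", common_name),),),
            "issuer": ((("commonName", issuer_name),),),
            "subjectAltName": (("DNS", common_name),)}

DEVICE_ROOTS = {"Example Public Root CA"}  # hypothetical device root store
WILDCARD_CERT = make_cert("*.example.com", "Example Public Root CA")
INTERNAL_CERT = make_cert("mail.example.com", "Corp Internal CA")
GOOD_CERT = make_cert("mail.example.com", "Example Public Root CA")

if __name__ == "__main__":
    for label, cert in [("wildcard", WILDCARD_CERT), ("internal CA", INTERNAL_CERT),
                        ("good", GOOD_CERT)]:
        print(label, activesync_cert_findings(cert, "mail.example.com", DEVICE_ROOTS))
```

An empty list means neither cause applies; a real chain with intermediate CAs needs the root at the top of the chain compared instead of the direct issuer.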

Here’s how you can enable and disable Outlook Web Access for internal clients:

If you are using Microsoft Exchange Server 2003 Service Pack 1 (SP1), the following steps do not apply. The WebDAV address check is not present in Microsoft Exchange 2003 Service Pack 1.

To restrict access to Outlook Web Access if you are using Exchange Server 2003 SP1 or later, follow these steps:

  1. In the Active Directory Users and Computers snap-in, right-click the user account that you want to restrict from using OWA, and then click Properties.
  2. Click the Exchange Features tab, click Outlook Web Access, and then click Disable.

By default, user accounts that are mailbox-enabled are also enabled for Outlook Web Access in Exchange Server 2003.

You can enable users in your corporate network to access Outlook Web Access. At the same time, you can deny access to external clients. The key to this approach is a combination of a recipient policy and a special Hypertext Transfer Protocol (HTTP) virtual server.

To use this approach, follow these steps:

  1. Create a recipient policy with a Simple Mail Transfer Protocol (SMTP) domain name. Users who connect to an HTTP virtual server must have an e-mail address with the same SMTP domain as the virtual server. Creating a recipient policy is an efficient way to apply the same SMTP domain to multiple users. (Note: Outlook Web Access users do not have to know the name of the SMTP domain.)
  2. Apply the recipient policy to the user accounts that you want to enable access for.
  3. On the front-end server, create a new HTTP virtual server that specifies the domain that is used in the recipient policy.

After you have completed these steps, users whose e-mail addresses do not have the same SMTP domain as the HTTP virtual server cannot log on and access Outlook Web Access. Also, as long as you do not use the SMTP domain as the default domain, external users cannot determine what the SMTP domain is because the domain does not appear in the From field when users send e-mail messages outside the organization.

For more information, review the following article in the Microsoft Knowledge Base: 293386, "HTTP 401 or 404 error messages when you access OWA implicitly or explicitly".

Besides enabling Outlook Web Access for users in your corporate network, you can also prevent specific internal users from accessing Outlook Web Access. You do this by disabling the HTTP and Network News Transfer Protocol (NNTP) protocols for those users.

To prevent an internal user from accessing Outlook Web Access, follow these steps:

  1. In the Active Directory Users and Computers snap-in, open the user’s Properties dialog box.
  2. On the Exchange Features tab, click Outlook Web Access, and then click Disable.
  3. Restart the IIS Admin Service.