Troubleshooting the 0x80072f0d Error Code
Written by Mike Rede on February 2, 2010

For many employees of a large company, having access to email twenty-four by seven (24x7) is what sets them apart from other companies. For employees who are away from the office or traveling on business, a connection can be the difference between success and missed deadlines.
A service that most remote users can benefit from is Outlook Web Access (OWA), the webmail service of Microsoft Exchange Server. OWA provides email functionality and mailbox features such as Contacts, Calendar, Tasks, Notes and Public Folders. Mobile devices with Outlook Web Access functionality can support many corporate users and provide that valuable connection to corporate email.
Using a web browser on their handheld device, users can access their much-needed email. But, as often happens with technology, Outlook Web Access is not bulletproof. Administrators can expect to be called upon to solve problems that come up from time to time when supporting remote users, their handhelds and their web-accessible email connections.
One of those problems can involve the 0x80072f0d error code.
Sometimes an end user will call in for support after having tried to make a connection to their email server and then receive the following error message:
“The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server. Support Code: 80072F0D or 0x80072f0d”
This error message can occur during an attempt to synchronize a Windows Mobile-based device by using Exchange ActiveSync for Exchange 2003, Exchange 2007 or Exchange 2010.
It indicates that an intermediate certification authority (CA) certificate is missing, either on the device that is initiating the synchronization or on the Exchange Server.
But where does the handheld device obtain the intermediate CA certificate? It would normally be contained in the device's certificate store, but the device is usually not shipped with it. The intermediate CA certificate is most often obtained from Internet Information Services (IIS), but only after IIS has verified the whole certificate chain. The only component of the certificate chain stored in the device’s certificate store is the root certificate. The reason for this certificate download process is to maintain the integrity of the certificate chain.
Oftentimes there can be problems if there are any misspellings in the canonical names in the root certificate. This can lead to errors or problems when end users try to send or receive email from their handheld devices. They may get messages such as:
“The server you are connected to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Do you want to continue using this server? Yes or no”
Though the end users are still able to receive their emails, it can become very annoying for them to have to hit or enter “yes” every time they are presented with this type of email download issue.
A last-resort solution is to delete and recreate the email account that is having the problem and then to restart the email client, such as Outlook.
Another situation where the 0x80072f0d error code can be produced is if either the root CA certificate or the intermediate CA certificate is missing from the certificate store on the server that is running Windows Server 2003. This can also happen if the intermediate CA certificate has expired in the certificate store on the Windows Server.
An administrator can obtain more information about the certificate that is being used by typing the Outlook Web Access (OWA) URL for the server into their web browser. A lock icon may also be presented and then clicked on to gain further access. Additionally, one or more of the certificates in the “Certification Path” may need to be exported in order to complete the process. Also, more information and files may be needed from your certificate vendor in order to perform a complete analysis of all the components involved in the certificate chain.
Other recommended actions for correcting the problem include using a group policy configuration. A group policy configuration can be used to distribute all the certificates that are to be trusted by all members (computers) of the domain.
Another solution is to manually install all the certificates on the Exchange server and verify that the certificates are installed for the local computer account. If the certificates are installed on the server(s) that are being synchronized then those certificates do not need to be installed on their handheld. An administrator can use the “SSLChainSaver” utility to identify any missing certificates.
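One way to carry out the verification described above on the server, as an added PowerShell example that is not from the original article: it builds the chain for each certificate in the local computer account's Personal store and lists intermediate CA certificates that have expired. It assumes the certificate used by IIS is in Cert:\LocalMachine\My and that PowerShell 3.0 or later is available; the function name Test-CertificateChain is made up for this example.

```powershell
# Added example (not from the original article).
# Test-CertificateChain is a hypothetical helper name.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # $true = build the chain in the local machine context, so only the
    # local computer account's stores are consulted, not the current user's.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true

    # Skip revocation lookups so the result reflects only chain completeness,
    # root trust and validity dates.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        ChainOk  = $ok
        # Status values to look for:
        #   PartialChain  - an intermediate or root CA certificate is missing
        #   UntrustedRoot - the root is not in Trusted Root Certification Authorities
        #   NotTimeValid  - a certificate in the chain is expired or not yet valid
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # The chain as Windows assembled it, leaf first.
        Path     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

# Check every certificate installed for the local computer account.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateChain -Certificate $_ } |
    Format-List

# Intermediate CA certificates in the local computer store that have expired.
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, Thumbprint, NotAfter
```

An empty Status with ChainOk set to True means the chain was completed and terminates in a trusted root on that server.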