What Went Wrong?
Once you have provided Windows Phone 7 with all the required information, it should create an Outlook smart tile on the Start screen and then begin synchronizing your mailbox data. Sometimes, though, you may find that the synchronization process fails. When this happens, the problem can almost always be traced to a certificate error.
If you look back at Figure E, you will notice a check box that says Server Requires Encrypted (SSL) Connection. This check box is selected by default because the synchronization process will not be secure unless it is SSL encrypted.
Before the session can be SSL encrypted, a couple of things have to happen. First, the Client Access Server must have a valid X.509 certificate that it can use for SSL encryption.
Second, the Windows Phone 7 operating system has to trust the certificate authority that issued the certificate to the Client Access Server.
If your Client Access Server is using a X.509 certificate that you purchased from a well-known commercial certificate authority such as Go Daddy, VeriSign, or Thawte, ActiveSync should work without any problems. That's because both of the criteria have been met.
The Client Access Server has been provisioned with the necessary certificate, and the Windows Phone 7 operating system trusts the certificate authority that issued the certificate. The reason why the Windows Phone 7 operating system trusts the certificate authority is because Microsoft designed the phone to trust all the major commercial certificate authorities by default.
The problem is that not all Exchange organizations use certificates that were issued by a well-known certificate authority. After all, those types of certificates can be expensive, and there are cheaper ways to get what you need.
Some organizations use the self-signed certificate that is built into Exchange 2007 or Exchange 2010. Although the self-signed certificate can be used to access an SSL encrypted OWA session, it will not work with ActiveSync. Therefore, if you are presently using a self-signed certificate, you will have to use a different type of certificate if you want to be able to use ActiveSync.
Another thing that some organizations do to save money is to configure a Windows server to act as an Enterprise Certificate Authority. Although an Enterprise Certificate Authority can issue the Client Access Server a suitable certificate, Windows Phone 7 will not trust the certificate, which means that ActiveSync won't work until trust has been established.
Previous versions of Windows Mobile contained a Certificates applet that you could use to import a CA certificate, which would allow the device to trust an otherwise untrusted certificate authority. Although this mechanism technically still exists in Windows Phone 7, it is not exposed through the User Interface.
In order to make Windows Phone 7 trust an otherwise untrusted certificate authority, you have to jump through a few hoops. The first thing that you have to do is to set up an e-mail account on the device that does not depend on SSL encryption. For example, you might link a Windows Live Hotmail account to the Phone.
After doing so, you can e-mail the CA certificate to the account that you have set up on the phone. When the message arrives, just open the attachment and the certificate will be installed, and ActiveSync should begin working.
Of course, things are rarely as simple as they seem. There is one major caveat to the method that I just explained. Windows Phone 7 only recognizes two certificate formats: .CER and .PFX. Normally if you export a CA certificate it will be in .CRT format. If this happens, then you must rename the certificate so that it uses a .CER extension.
As you can see, it can sometimes be a bit tedious to configure Windows Phone 7 to synchronize mail with your Exchange Server. Once the proper certificates are in place though, you shouldn't have any trouble. Of course, if using the required certificates is not an option, then you can always attach to Exchange as a POP3 client.