Securing OMA Access
Paul nixes an idea for simplifying OMA logons.
May 22, 2005
We'd like to let our Outlook Mobile Access (OMA) users automatically log on to OMA—by setting up logon URLs with the format username:[email protected]/oma—instead of making users type in their username and password each time they log on. We tried to set up this type of OMA access, but it doesn't work. Do you have any suggestions?
Yes: Don't even try to do it. Embedding the user's credentials in a URL as you describe might work for some applications, but it's a terrible idea for OMA, which takes users' domain usernames and passwords. Putting those into a URL means that they'll be all over Web server and proxy logs (and probably other places) along the path between the OMA device and your server. The security exposure of this approach is self-evident. To make things worse, the approach isn't supported, and hasn't been tested, by the Exchange Server product group.
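As an added example (not part of the original column), here is a Python check for the log exposure described above: it scans web server or proxy log lines for URLs that carry `user:password@host` credentials, reports the affected account and host, and redacts the password. The log lines, usernames, passwords and the host `mail.example.com` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# http(s) URLs whose authority part contains "something:something@"
URL_WITH_USERINFO = re.compile(
    r"https?://[^\s/@\"']+:[^\s/@\"']*@[^\s\"']+", re.IGNORECASE)

# Constructed sample lines (request URL in a proxy log, and a Referer field)
SAMPLE_LOG = [
    '10.0.0.5 - - [22/May/2005:10:01:12 +0000] '
    '"GET http://jdoe:Summer2005@mail.example.com/oma HTTP/1.1" 200 512',
    '10.0.0.7 - - [22/May/2005:10:01:40 +0000] '
    '"GET http://mail.example.com:8080/oma HTTP/1.1" 401 0',
    '10.0.0.9 - - [22/May/2005:10:02:03 +0000] "GET /oma/inbox HTTP/1.1" '
    '200 2048 "https://asmith:p%40ss@mail.example.com/oma"',
]

def scan_line(line):
    """Return (redacted_line, [(username, host), ...]) for one log line."""
    hits = []

    def _redact(match):
        url = match.group(0)
        try:
            parts = urlsplit(url)
        except ValueError:          # malformed authority, leave untouched
            return url
        userinfo, at, hostport = parts.netloc.rpartition("@")
        if not at or ":" not in userinfo:
            return url              # host:port only, no credentials
        user = userinfo.split(":", 1)[0]
        hits.append((user, hostport))
        safe_netloc = f"{user}:REDACTED@{hostport}"
        return urlunsplit(parts._replace(netloc=safe_netloc))

    return URL_WITH_USERINFO.sub(_redact, line), hits

def scan_log(lines):
    """Return [(line_number, username, host), ...] for every exposed URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        _, hits = scan_line(line)
        findings.extend((lineno, user, host) for user, host in hits)
    return findings

if __name__ == "__main__":
    for lineno, user, host in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: credentials for {user!r} sent to {host}")
    for line in SAMPLE_LOG:
        print(scan_line(line)[0])
```

Any account the scan reports should have its password changed, since redacting one log does not remove copies held by other devices on the path.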