How to Setup IRM in a DMZ


  • I'm setting up SharePoint Foundation to use a different IRM but am receiving an error when I submit the FQDN of our AD RMS server.

    I had set up the first RMS and it was working with SharePoint, but I removed the RMS Role and added it again. Now I cannot submit the new FQDN in SharePoint.

    Attached is my existing and "working" network configuration.

    The error message on SharePoint Configuration Manager that I receive is:

    "The required Windows Rights Management client is present but the server refused access. If you are switching from one RMS server to a different RMS server, be sure you have set up a trust relationship between the two. IRM will not work until the server grants permission."

    I have already given the Web Application Pool (spFarmAcc) account Read & Execute access to ServerConfiguration.asmx.

    I have tried setting up an RMS server on the LAN and one on the DMZ with the same error result.

    When I review the IIS logs this is what I see:

        POST /_wmcs/licensing/publish.asmx - 80 Windows+Rights+Management+Client 401 2 5
        POST /_wmcs/licensing/publish.asmx - 80 MyLAN\spFarmAcc Windows+Rights+Management+Client 500 0 0

    Robert Arroyo

    Wednesday, April 04, 2012 9:25 PM

All replies



    According to my analysis, please try the following steps to fix the issue:

    Delete stored licenses:

    1. Stop the SharePoint server 2010 Web application by running the following command at the command prompt.

    iisreset /stop

    2. On the SharePoint server 2010 front-end Web server, navigate to the %allusersprofile%\Application Data\Microsoft\DRM\Server\ folder

    3. Delete all folders named after the SharePoint server 2010 application pool identity account. The application pool identity is the user account that SharePoint server 2010 is running under.

    Or perform these steps:

    1. Go to the certification folder under inetpub/_wmcs

    Give “everyone” read access and propagate that down (some files don’t inherit permissions)

    2. Same thing but more secure – servercertification.asmx needs to be changed so that the machine account (computer$) has read


    Rock Wang

    Rock Wang TechNet Community Support

    Thursday, April 05, 2012 12:43 PM
  • Only ServerCertification.asmx should have Inherit permissions enabled, then the Central Admin/Web Application accounts should have Read & Execute permissions on that file as well. No other accounts are required.

    Thursday, April 05, 2012 1:09 PM
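    As an added example that was not posted in this thread: a PowerShell script that applies the least-privilege variant of the two replies above (Read & Execute for the named SharePoint accounts on ServerCertification.asmx, rather than "everyone") and then clears the cached DRM licenses for the application pool identity. The .asmx path, the domain, and the computer account name SPWFE01$ are assumptions; spFarmAcc is the application pool account from the question.

```powershell
# Added example, not from the thread. Assumed path and account names; adjust for your farm.
param(
    [string]$AsmxPath    = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx',
    [string]$AppPoolAcct = 'MyLAN\spFarmAcc',   # SharePoint app pool identity (from the question)
    [string]$SpMachine   = 'MyLAN\SPWFE01$'     # hypothetical SharePoint front-end computer account
)

$rights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
$acl    = Get-Acl -Path $AsmxPath

# Only this .asmx should inherit permissions (second reply): enable inheritance on the file.
$acl.SetAccessRuleProtection($false, $true)

# Grant Read & Execute to the app pool identity and the machine account only,
# instead of the broader "everyone" grant from the first reply.
foreach ($principal in @($AppPoolAcct, $SpMachine)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, $rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $AsmxPath -AclObject $acl

# Audit: list who can reach the file and flag an "Everyone" ACE, which is wider than needed.
$current = Get-Acl -Path $AsmxPath
$current.Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
if ($current.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
    Write-Warning 'Everyone has access to ServerCertification.asmx; remove it once the named accounts work.'
}

# Clear stored RMS licenses for the app pool identity (first reply, steps 1-3).
# Path as given in the reply; on newer Windows it resolves through the ProgramData junction.
iisreset /stop
$drmServer  = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\DRM\Server'
$acctLeaf   = ($AppPoolAcct -split '\\')[-1]
Get-ChildItem -Path $drmServer -Directory |
    Where-Object { $_.Name -like "*$acctLeaf*" } |
    Remove-Item -Recurse -Force -WhatIf    # drop -WhatIf after reviewing what would be deleted
iisreset /start
```

    Run it once with -WhatIf to confirm only the application pool identity's license folders are selected before deleting anything.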
  • My research is pointing me in the direction of leveraging Active Directory Federated Services (ADFS) to create a Federated Trust between my DMZ and LAN Domains.  If anyone can share their experience with setting up ADFS in this configuration that would be helpful.

    Robert Arroyo

    Wednesday, April 11, 2012 2:18 PM