KB Article #102371
Creating an SPN with multiple local servers.
Problem:
If you have multiple EMF machines (multiple databases), you must use special procedures to set up a new SPN link between your site and a new SPN partner.
Resolution:
A) If you are using SQL replication:
1) Either you or your new SPN partner can initiate the SPN link request. If you initiate the request, it should be initiated from the publisher.
2) If the SPN Link Request or Response comes into one of your subscribers, EMF implements special logic to automatically push the request/response to the publisher, as if the request/response had come into the publisher. You must:
   a) have your DBA ensure that the SQL processes on the subscribers have permission to write to the publisher database
   b) have your network admin make sure all SQL ports are bidirectionally open between the subscribers and the publisher
   NOTE: If it is not possible for security reasons to implement (2a) and/or (2b), you must temporarily stop the EMF relay service on the subscribers so that your load balancing will route the SPN request/response into the publisher.
3) Process the SPN request/response from the partner as usual on the publisher. You can use the related knowledge base article as a reference: Summary of SPN setup steps (101635).
4) The SPN setup will replicate to the subscribers.
5) If you stopped the relay service on the subscribers in step (2), you can restart it now.
6) Wait about 24 hours for all non-SPN mail from the partner to come into your servers. Then you can optionally enable the "Require SPN" option on the partner's domain record (done on the publisher).
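The following PowerShell script is an added example for the replication case above; it is not part of the KB article or of the EMF product. It verifies prerequisite (2b), that the SQL ports are reachable in both directions between every subscriber and the publisher, by running the TCP probe from the relevant host over WinRM, and it reports the EMF relay service state on each subscriber so you can confirm which of the two paths (replication push or the NOTE's stopped-relay fallback) you are actually in. It assumes WinRM is enabled on all servers and that you are an administrator on them; the port list (1433) and the service name (EMFRelay) are placeholders, since the article names neither.

```powershell
# Added example, not from the KB article: checks prerequisite (2b) of section A
# (SQL ports open in both directions between every subscriber and the publisher)
# and reports the EMF relay service state on each subscriber. Assumes WinRM is
# enabled on all servers and the caller is an administrator on them. The port
# list and the relay service name are placeholders: use the ports your SQL
# instances actually listen on (named instances do not use 1433) and the real
# service name of the EMF relay.
param(
    [Parameter(Mandatory)] [string]   $Publisher,
    [Parameter(Mandatory)] [string[]] $Subscribers,
    [int[]]  $SqlPorts         = @(1433),      # placeholder
    [string] $RelayServiceName = 'EMFRelay'    # placeholder
)

function Test-SqlPortPath {
    # Runs the TCP test on $From (via WinRM) so the probe originates from the
    # host whose firewall path we care about, not from the admin workstation.
    param([string]$From, [string]$To, [int]$Port)
    Invoke-Command -ComputerName $From -ArgumentList $To, $Port -ScriptBlock {
        param($target, $port)
        (Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

# One row per subscriber and port, with both directions tested.
$paths = foreach ($sub in $Subscribers) {
    foreach ($port in $SqlPorts) {
        [pscustomobject]@{
            Subscriber            = $sub
            Port                  = $port
            SubscriberToPublisher = Test-SqlPortPath -From $sub       -To $Publisher -Port $port
            PublisherToSubscriber = Test-SqlPortPath -From $Publisher -To $sub       -Port $port
        }
    }
}

# Relay service state on the subscribers. With (2a)/(2b) in place it should be
# Running; if you used the NOTE's fallback it should be Stopped until the
# request/response has been processed on the publisher.
$relay = Invoke-Command -ComputerName $Subscribers -ArgumentList $RelayServiceName -ScriptBlock {
    param($name)
    Get-Service -Name $name -ErrorAction SilentlyContinue | Select-Object Name, Status
}

$paths | Format-Table -AutoSize
$relay | Select-Object PSComputerName, Name, Status | Format-Table -AutoSize

$blocked = $paths | Where-Object { -not ($_.SubscriberToPublisher -and $_.PublisherToSubscriber) }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Subscriber):$($_.Port)" }) -join ', '
    Write-Warning "SQL port path is not open in both directions for: $list"
} else {
    Write-Host "All SQL port paths are open bidirectionally between the subscribers and the publisher."
}
```

Run it from any management host, for example `.\Test-SpnReplicationPrereqs.ps1 -Publisher emf-pub -Subscribers emf-sub1,emf-sub2`. A subscriber that shows the relay Running while its port path is blocked is the combination to fix before the partner sends anything: in that state the request would arrive on the subscriber but the push to the publisher would fail. If you do grant the write permission in (2a), scope it to the publisher's EMF database rather than to the whole instance.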
B) If you are not using SQL replication:
1) Designate one of your boxes as the "primary".
2) If this is your first SPN, create your local SPN certificate on the primary. Then you must use the EMFSave utility to back up and restore the Security Data + Private Keys from the primary to all secondary servers, so that all secondary servers have a copy of the SPN public and private keys.
3) Arrange with your new SPN partner for you to send out the SPN link request.
4) Stop the EMF relay service on all secondary servers, so that your load balancing will route all mail temporarily through the primary.
5) Generate the SPN request on the primary.
6) Process the SPN response on the primary, creating a domain record for your SPN partner. You can use the related knowledge base article as a reference: Summary of SPN setup steps (101635).
7) Use EMFSave to back up and restore the Directory Data and Security Data from the primary to all secondary servers. This will copy the SPN partner's certificate and domain record data to all secondary servers.
   You also have the option, instead of using EMFSave, to configure the SPN manually on each secondary server as follows:
   a) Export the partner's SPN certificate from the primary.
   b) Import the partner's SPN certificate into the secondary's EMF S/MIME Certificates folder.
   c) Open the certificate, and make sure it is unconditionally trusted. Save.
   d) Create a domain record in your EMF External folder for your SPN partner.
   e) Check the "Use SPN" option on the domain record.
   f) Associate the certificate to the domain record, and make sure "Use for Encryption" is selected.
   g) Save the domain record.
8) Restart the EMF relay service on the secondary servers.
9) Wait about 24 hours for all non-SPN mail from the partner to come into your servers. Then you can optionally enable the "Require SPN" option on the partner's domain record on all servers.
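The non-replication procedure above depends on the relay being stopped on every secondary (so the load balancer sends all mail to the primary) and restarted on every secondary once the partner's certificate and domain record have been copied. The PowerShell function below is an added example, not EMF's own tooling or part of the KB article, that performs that stop or restart across all secondaries in one call, waits for the service to actually reach the requested state instead of assuming it did, and refuses to stop the secondaries if the primary's relay is not Running, because that would leave no server able to receive the SPN response. It assumes WinRM on every server and uses EMFRelay as a placeholder for the real relay service name.

```powershell
# Added example, not from the KB article: stop or restart the EMF relay service
# on all secondary servers for the non-replication SPN procedure. Assumes WinRM
# is enabled on every server and that $RelayServiceName is replaced with the
# real EMF relay service name (EMFRelay is a placeholder).
function Set-EmfRelayOnSecondaries {
    param(
        [Parameter(Mandatory)] [string]   $Primary,
        [Parameter(Mandatory)] [string[]] $Secondaries,
        [Parameter(Mandatory)] [ValidateSet('Stopped', 'Running')] [string] $State,
        [string] $RelayServiceName = 'EMFRelay',   # placeholder
        [int]    $TimeoutSeconds   = 60
    )

    if ($State -eq 'Stopped') {
        # Guard: never take the secondaries offline while the primary is not
        # relaying, or no server would be left to receive the partner's response.
        $primaryStatus = Invoke-Command -ComputerName $Primary -ArgumentList $RelayServiceName -ScriptBlock {
            param($name) (Get-Service -Name $name -ErrorAction Stop).Status
        }
        if ($primaryStatus -ne 'Running') {
            throw "Relay service on primary '$Primary' is $primaryStatus; refusing to stop the secondaries."
        }
    }

    # Apply the change on every secondary and return a per-server status row.
    Invoke-Command -ComputerName $Secondaries -ArgumentList $RelayServiceName, $State, $TimeoutSeconds -ScriptBlock {
        param($name, $target, $timeout)
        $svc = Get-Service -Name $name -ErrorAction Stop
        if ($target -eq 'Stopped') { Stop-Service -Name $name -Force } else { Start-Service -Name $name }
        # Block until the service controller reports the target state (or time out).
        $svc.WaitForStatus($target, [TimeSpan]::FromSeconds($timeout))
        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            Service = $name
            Status  = (Get-Service -Name $name).Status
        }
    }
}

# Usage (placeholder host names):
#   Before generating the SPN request on the primary:
#   Set-EmfRelayOnSecondaries -Primary 'emf-primary' -Secondaries 'emf-sec1','emf-sec2' -State Stopped
#   After EMFSave (or the manual certificate/domain record setup) is done on every secondary:
#   Set-EmfRelayOnSecondaries -Primary 'emf-primary' -Secondaries 'emf-sec1','emf-sec2' -State Running
```

The returned rows show the post-change status per secondary; a row that still reads Running after a Stopped call means the load balancer may keep routing mail to that box, and the SPN request should not be generated until it is resolved. Restarting before the partner's certificate has reached a secondary leaves that box delivering the partner's mail without SPN, which is why the Running call belongs after the copy step, not before.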