Introduction
SNI stands for Server Name Indication, an improvement to the SSL/TLS protocol recently added to Windows (from Windows Server 2012/IIS 8). Its purpose is to allow multiple SSL certificates to be used on the same web server IP address and port. In a sense, it is to HTTPS what the host header is to HTTP. Like the host header, this feature must be implemented on both the client and the server side, because it relies on additional information passed as part of the SSL handshake initiated by the client. As a consequence, older browsers (as well as older client applications in general) are not compatible.
The Problem
Now SharePoint comes into the picture. One key client functionality is the Explorer View exposed by the Windows WebDAV Client. Although Microsoft continuously updates its browser, the WebDAV client did not recently receive any update to support SNI. Therefore, if you configure SharePoint together with IIS to use HTTPS with SNI, browsing SharePoint from Windows Explorer will simply stop working and display an error such as “A device attached to the system is not functioning”. Sadly, the problem occurs with Windows 8 as well, but it is fixed from Windows 8.1 onwards.
Workarounds
There is currently no real solution and very few workarounds:
- On IIS: Use a unique combination of web application, certificate and IP address and/or port. Every time a new web application is created on SharePoint, you will have to reconfigure it in the IIS configuration on each server so that it uses another IP address or another port.
- On Windows/HTTP.sys driver: Use a fallback certificate. This blog post details the procedure to do so: How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2
- On a hardware load balancer: As on IIS, a unique virtual IP address for each web application, together with its own certificate, can be used. On the SharePoint side, you can either use no certificate at all or use a self-signed one.
More Information
- Wikipedia: Server Name Indication. The “No support” section specifically.
- Unleashed Blog [MSFT]: Server Name Indication (SNI) with IIS 8 (Windows Server 2012)
- Unleashed Blog [MSFT]: SSL Scalability with IIS 8 (Windows 8 Server)
- Yaminij’s Blog [MSFT]: SNI (Server Name Indication) Readiness Tool
- Application Proxy Blog [MSFT]: How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2