This issue involves SharePoint 2016 web application request failure (no access) due to failure of the SharePoint 2016 Request Management Service’s SPING over TLS.
The farm is currently operational without the Request Management service running. Since this is a small high availability farm (4 nodes = 2 WFE-DistCache + 2 App-Search), we seem to be operating fine without Request Manager; however, we could potentially use it in the future, and would like to know:
1) Why is the service failing over TLS, and how can we resolve the issue?
2) Secondarily, what are the implications of operating without it? For example, is there still internal load balancing of service application requests?
Here’s some background description of the environment and issue.
1) The server farm resides within a restricted DMZ. There are no port blocks within the single VLAN where the SharePoint servers reside; however, the links between VLANs, such as those to the database tier and the Internet, are highly restricted. There are also highly restricted group policies and McAfee HIPS software.
2) The servers are all Windows 2016, IIS 10, SP2016. Schannel settings restrict transports to TLS 1.1 and above, with cipher restrictions as well. RC4 is blocked entirely.
3) Request Manager works AOK when the site bindings are HTTP:80. Request Manager fails only when site bindings require HTTPS:443. The certificates used are all valid with valid certificate chain and trust between servers and within the farm.
4) Basis for determining Request Manager failure is:
a. Sites don’t work when Request manager is enabled with HTTPS bindings.
b. Numerous Event 8317, SharePoint Foundation errors ... General error description: ‘ServerHostName (Web App(IIS Site root))’ failed ping validation and has been unavailable since ‘Time’.
c. Also several Event 8311, SharePoint Foundation ... General error description: ‘An operation failed because the following certificate has validation error’ (certificate identity with thumbprint) “Errors: SSL policy errors have been encountered. Error code ‘0x2’”.
Really appreciate any thoughts on this. We’re having trouble finding good documentation on Request Manager and see some blog evidence that maybe Request Manager simply does not work over TLS. It seems more likely that somehow the restrictions in our environment cause the SPINGs to fail server-to-server, but it’s not clear why, since we do not know enough about SPING or what certificate checks and cipher handshake may be taking place. Also, aside from some of the obvious features for controlling requests, we don’t understand why we should really care about Request Manager.
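As an added example (not code from the original post), the PowerShell probe below repeats the server-to-server TLS validation step the way a .NET client does it, using each peer's server hostname as the TLS target name (the name Event 8317 reports), and prints the SslPolicyErrors flags together with the negotiated protocol, cipher and the certificate's SAN names. It assumes the "Error code" in Event 8311 is the System.Net.Security.SslPolicyErrors value, and the four hostnames are placeholders for the farm members.

```powershell
# Added example, not from the original post. Reproduces the peer-to-peer TLS
# validation a .NET client (SslStream) performs against each farm member,
# using the server hostname as the TLS target name, and reports the result.
# Assumption: the 'Error code' in Event 8311 is the SslPolicyErrors value.
$FarmServers = @('WFE01.corp.example', 'WFE02.corp.example',
                 'APP01.corp.example', 'APP02.corp.example')   # placeholders

function Test-FarmPeerTls {
    param([Parameter(Mandatory)][string]$TargetHost, [int]$Port = 443)

    $state = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    # Record what Schannel/.NET reports, then accept so the certificate can still be read.
    $validate = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    $out = [ordered]@{ Host = $TargetHost; PolicyErrors = $null; ErrorCode = $null
                       Protocol = $null; Cipher = $null; Subject = $null
                       SanDnsNames = $null; Failure = $null }
    try {
        $tcp.Connect($TargetHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
        # Same floor as the farm's Schannel policy (TLS 1.1+); revocation checking is on,
        # so a CRL/OCSP path blocked by the DMZ also surfaces as a chain error here.
        $ssl.AuthenticateAsClient($TargetHost, $null,
            [System.Security.Authentication.SslProtocols]'Tls11,Tls12', $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $out.PolicyErrors = $state.PolicyErrors
        $out.ErrorCode    = '0x{0:X}' -f [int]$state.PolicyErrors
        $out.Protocol     = $ssl.SslProtocol
        $out.Cipher       = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
        $out.Subject      = $cert.Subject
        $out.SanDnsNames  = if ($san) { $san.Format($false) -replace 'DNS Name=', '' } else { '(none)' }
    } catch {
        $out.Failure = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$out
}

$FarmServers | ForEach-Object { Test-FarmPeerTls -TargetHost $_ } |
    Format-List Host, PolicyErrors, ErrorCode, Protocol, Cipher, Subject, SanDnsNames, Failure
```

Run it from each farm member in turn, since trust and Schannel policy are evaluated on the calling server; a peer whose SanDnsNames do not include the hostname you connected to, or whose PolicyErrors is anything but None, is the one to fix before re-enabling Request Management on the HTTPS binding.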