Can an ALB send SNI to the target group?

0

It seems that when the ALB is attempting to connect with a target server over TLS, the SNI from the client is not passed in the client hello. Without the SNI, a Windows server will not negotiate a connection protocol. Instead, the server will send an RST, resulting in a 502 Bad Gateway error.

Without this setting it is impossible to use the application load balancer with a Windows server over TLS.

asked 2 months ago
444 views
2 Answers
0

Sounds like you're performing mutual TLS from the client to the server. If you are, you need to use an NLB TCP or an ALB with mTLS: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html

Usually an SSL client connects to an ALB and the ALB makes the connection between itself and the target group. The client certificate hello never goes to the server with the standard ALB.

If you're not doing mTLS, perhaps you have a misconfiguration on the target group. You could be trying to use TLS on an HTTP port otherwise.

EXPERT
answered 2 months ago
EXPERT
reviewed a month ago
0

Gary, thank you for taking the time to try to help. I want to use the ALB because it will allow me to use a WAF. The Windows Server 2022 target works with SSL from everywhere except from the ALB. After spending many hours with Wireshark, the only thing I can point to is the missing domain name in the Client Hello. The server refuses to send a Server Hello to the ALB and instead sends an RST. I have tried selecting the mTLS option and it does not make a difference.

I cannot find any reason why the ALB should not work with a standard Windows EC2 instance, but it just does not. This exact configuration was working as expected with Server 2012.

Again, thank you for your reply.

answered a month ago
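
To check a capture for the symptom described in this thread (a Client Hello with no domain name), the following added example, which is not from the original posts, parses a raw TLS ClientHello record and reports the `server_name` extension or its absence. The function names and the host name `app.example.com` are assumptions, and the sample records are constructed locally with Python's `ssl` module rather than taken from an ALB.

```python
import ssl
import struct

def client_hello_sni(record: bytes):
    """Return the host name from the server_name extension, or None if absent."""
    # Record header is 5 bytes (type 0x16 = handshake); handshake type 0x01 = ClientHello.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                          # legacy_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if pos + 2 > len(body):
        return None                                           # no extensions block at all
    ext_end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        # Extension type 0 = server_name; name_type 0 = host_name.
        if ext_type == 0 and ext_len >= 5 and body[pos + 2] == 0:
            name_len = int.from_bytes(body[pos + 3:pos + 5], "big")
            return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def sample_client_hello(server_hostname):
    """Constructed sample: first flight of a local client, captured via memory BIOs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # required so server_hostname=None is accepted
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # expected: no peer attached, only the ClientHello is sent
    return outgoing.read()

if __name__ == "__main__":
    for host in ("app.example.com", None):
        print(host, "->", client_hello_sni(sample_client_hello(host)))
```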
