Azure Bot not joining meeting - Server Internal Error. DiagCode: 500#1203002.@

To make it easier to identify the issue, here are some excerpts from the logs:

Logs after joining the meeting:

@guoxl - Thanks for bringing this issue to our attention.
Based on your detailed setup and the error code 500#1203002, this is a Microsoft Teams Real-time Media Platform connectivity issue. The error indicates the Teams media service cannot establish a secure connection to your media endpoint.

Root Cause Analysis

Error 500#1203002 typically means:

• Media platform connectivity failure
• Certificate/TLS handshake issues
• Network routing problems between Teams and your media endpoint
• Protocol mismatch in media negotiation
  
  

Critical Issues in Your Setup

1. Media Platform Configuration Issues

Problem: Your ServiceFqdn and certificate don't match your Nginx configuration.

Current Setup:
ServiceFqdn = "media.bottest.com"  // But Nginx serves signaling.bottest.com

Corrected Configuration:
var mediaPlatformSettings = new MediaPlatformSettings
{
    ApplicationId = _botConfig.MicrosoftAppId,
    MediaPlatformInstanceSettings = new MediaPlatformInstanceSettings
    {
        CertificateThumbprint = _botConfig.CertificateThumbprint,
        InstanceInternalPort = 8445,
        InstancePublicPort = 14217,
        InstancePublicIPAddress = IPAddress.Parse("18.181.xx.xx"),
        ServiceFqdn = "signaling.bottest.com" // ✅ Match your Nginx server_name
    }
};

2. Nginx Configuration Problems

Issue: Missing UDP support and incorrect SSL configuration for media.

Corrected Nginx Configuration:

# /etc/nginx/nginx.conf
events {
    worker_connections 1024;
}

http {
    # Signaling endpoint (HTTPS)
    server {
        listen 443 ssl http2;
        server_name signaling.bottest.com;
    
        ssl_certificate     /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;
        ssl_prefer_server_ciphers off;
        ssl_dhparam /path/to/dhparam.pem;

        # Important: Add these headers for Teams compatibility
        add_header Strict-Transport-Security "max-age=63072000" always;
        
        location / {
            proxy_pass         http://127.0.0.1:5001;
            proxy_http_version 1.1;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection $connection_upgrade;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_cache_bypass $http_upgrade;
            proxy_read_timeout 86400;
        }
    }
}

# Media endpoint (TCP/TLS)
stream {
    # Connection upgrade mapping
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream media_backend {
        server 127.0.0.1:8445;
    }

    server {
        listen 14217 ssl;
        
        ssl_certificate     /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        
        proxy_pass media_backend;
        proxy_timeout 1s;
        proxy_responses 1;
        proxy_bind $remote_addr transparent;
    }
}

3. Certificate Issues

Problem: Certificate chain and validation issues.

Required Certificate Setup:

# Verify certificate chain
openssl x509 -in fullchain.pem -text -noout
openssl verify -CAfile chain.pem fullchain.pem

# Certificate must include:
# - Subject: CN=*.bottest.com
# - Subject Alternative Names: signaling.bottest.com, media.bottest.com
# - Full certificate chain including intermediates

Install Certificate Properly:

# PowerShell on Windows Server
$cert = Import-PfxCertificate -FilePath "certificate.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password (ConvertTo-SecureString "password" -AsPlainText -Force)
$thumbprint = $cert.Thumbprint

# Verify certificate is accessible
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $thumbprint}

4. AWS Security Group Configuration

Required Ports:

# Inbound Rules
HTTPS    443    0.0.0.0/0           # Signaling
TCP      14217  0.0.0.0/0           # Media (TLS)
UDP      14217  0.0.0.0/0           # Media (DTLS) - IMPORTANT!

# Outbound Rules  
All Traffic  0.0.0.0/0             # Allow all outbound

5. Windows Server Configuration

Required Services and Ports:

# Disable Windows Firewall completely for testing
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# Enable required Windows features
Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole
Enable-WindowsOptionalFeature -Online -FeatureName IIS-ASPNET45

# Verify port binding
netstat -an | findstr ":8445"
netstat -an | findstr ":14217"

Could you review the points above and let us know if you encounter any issues?