Forum Discussion
Azure Bot not joining meeting - Server Internal Error. DiagCode: 500#1203002.
@guoxl - Thanks for bringing this issue to our attention.
Based on your detailed setup and the error code 500#1203002, this is a Microsoft Teams Real-time Media Platform connectivity issue. The error indicates the Teams media service cannot establish a secure connection to your media endpoint.
Root Cause Analysis
Error 500#1203002 typically means:
- Media platform connectivity failure
- Certificate/TLS handshake issues
- Network routing problems between Teams and your media endpoint
- Protocol mismatch in media negotiation
Critical Issues in Your Setup
1. Media Platform Configuration Issues
Problem: Your ServiceFqdn and certificate don't match your Nginx configuration.
Current Setup:
ServiceFqdn = "media.bottest.com" // But Nginx serves signaling.bottest.com
Corrected Configuration:
var mediaPlatformSettings = new MediaPlatformSettings
{
    ApplicationId = _botConfig.MicrosoftAppId,
    MediaPlatformInstanceSettings = new MediaPlatformInstanceSettings
    {
        CertificateThumbprint = _botConfig.CertificateThumbprint,
        InstanceInternalPort = 8445,
        InstancePublicPort = 14217,
        InstancePublicIPAddress = IPAddress.Parse("18.181.xx.xx"),
        ServiceFqdn = "signaling.bottest.com" // ✅ Match your Nginx server_name
    }
};
2. Nginx Configuration Problems
Issue: Missing UDP support and incorrect SSL configuration for media.
Corrected Nginx Configuration:
# /etc/nginx/nginx.conf
events {
    worker_connections 1024;
}
http {
    # Connection upgrade mapping (belongs in the http context, where $http_upgrade is defined)
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    # Signaling endpoint (HTTPS)
    server {
        listen 443 ssl http2;
        server_name signaling.bottest.com;
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;
        ssl_prefer_server_ciphers off;
        ssl_dhparam /path/to/dhparam.pem;
        # Important: Add these headers for Teams compatibility
        add_header Strict-Transport-Security "max-age=63072000" always;
        location / {
            proxy_pass http://127.0.0.1:5001;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cache_bypass $http_upgrade;
            proxy_read_timeout 86400;
        }
    }
}
# Media endpoint (TCP/TLS)
stream {
    upstream media_backend {
        server 127.0.0.1:8445;
    }
    server {
        listen 14217 ssl;
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        proxy_pass media_backend;
        proxy_timeout 1s;
        proxy_responses 1;
        proxy_bind $remote_addr transparent;
    }
}
3. Certificate Issues
Problem: Certificate chain and validation issues.
Required Certificate Setup:
# Verify certificate chain
openssl x509 -in fullchain.pem -text -noout
openssl verify -CAfile chain.pem fullchain.pem
# Certificate must include:
# - Subject: CN=*.bottest.com
# - Subject Alternative Names: signaling.bottest.com, media.bottest.com
# - Full certificate chain including intermediates
Install Certificate Properly:
# PowerShell on Windows Server
$cert = Import-PfxCertificate -FilePath "certificate.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password (ConvertTo-SecureString "password" -AsPlainText -Force)
$thumbprint = $cert.Thumbprint
# Verify certificate is accessible
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $thumbprint}
4. AWS Security Group Configuration
Required Ports:
# Inbound Rules
HTTPS 443 0.0.0.0/0 # Signaling
TCP 14217 0.0.0.0/0 # Media (TLS)
UDP 14217 0.0.0.0/0 # Media (DTLS) - IMPORTANT!
# Outbound Rules
All Traffic 0.0.0.0/0 # Allow all outbound
5. Windows Server Configuration
Required Services and Ports:
# Disable Windows Firewall completely for testing
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# Enable required Windows features
Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole
Enable-WindowsOptionalFeature -Online -FeatureName IIS-ASPNET45
# Verify port binding
netstat -an | findstr ":8445"
netstat -an | findstr ":14217"
Could you review the points above and let us know if you encounter any issues?
First of all, thank you for your response, but the same error still occurs.
1. Media Platform Configuration Issues
=> Change ServiceFqdn to "signaling.bottest.com"
The result of the MediaPlatformSettings configuration is as follows:
[2025-10-01T15:14:23.635Z] =================CertificateThumbprint=[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx337F6A7A]
[2025-10-01T15:14:23.642Z] =================InstanceInternalPort=[8445]
[2025-10-01T15:14:23.645Z] =================InstancePublicPort=[14217]
[2025-10-01T15:14:23.647Z] =================InstancePublicIPAddress=[18.181.xx.xx]
[2025-10-01T15:14:23.649Z] =================ServiceFqdn=[signaling.bottest.com]
2. Nginx Configuration Problems
=> The corresponding changes have also been made in C:\bot\nginx-1.29.1\conf\nginx.conf:
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
    }
    # Connection upgrade mapping
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    server {
        listen 443 ssl;
        http2 on;
        server_name signaling.bottest.com;
        ssl_certificate C:/bot/bottest-rsa/fullchain.pem;
        ssl_certificate_key C:/bot/bottest-rsa/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;
        ssl_prefer_server_ciphers off;
        ssl_dhparam C:/bot/nginx-1.29.1/conf/dhparam.pem;
        # Important: Add these headers for Teams compatibility
        add_header Strict-Transport-Security "max-age=63072000" always;
        location / {
            proxy_pass http://127.0.0.1:5001;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cache_bypass $http_upgrade;
            proxy_read_timeout 86400;
        }
    }
}
stream {
    upstream media_backend {
        server 127.0.0.1:8445;
    }
    server {
        listen 14217 ssl;
        ssl_certificate C:/bot/bottest-rsa/fullchain.pem;
        ssl_certificate_key C:/bot/bottest-rsa/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        proxy_pass media_backend;
        proxy_timeout 1s;
        proxy_responses 1;
        # proxy_bind $remote_addr transparent;
    }
}
3. Certificate Issues
3.1. openssl x509 -in fullchain.pem -text -noout
=> The execution result is as follows:
C:\bot\bottest-rsa>"C:\Program Files\OpenSSL-Win64\bin\openssl" x509 -in fullchain.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:6a:f7:c5:...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R12
Validity
Not Before: Sep 23 13:21:51 2025 GMT
Not After : Dec 22 13:21:50 2025 GMT
Subject: CN=*.bottest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c6:70:...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A2:56:99:2F:C7:42:29:6D:AF:9C:85:27:32:C0:7E:4B:14:0E:79:6D
X509v3 Authority Key Identifier:
00:B5:29:F2:2D:8E:6F:31:E8:9B:4C:AD:78:3E:FA:DC:E9:0C:D1:D2
Authority Information Access:
CA Issuers - URI:http://r12.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:*.bottest.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://r12.c.lencr.org/98.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A4:42:C5:06...
Timestamp : Sep 23 14:20:21.550 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:...
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 12:F1:4E:34:...
Timestamp : Sep 23 14:20:21.552 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:...
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
5f:4a:46...
3.2. openssl verify -CAfile chain.pem fullchain.pem
=> The first time, it reported the following error:
C:\bot\bottest-rsa>"C:\Program Files\OpenSSL-Win64\bin\openssl" verify -CAfile chain.pem fullchain.pem
C=US, O=Let's Encrypt, CN=R12
error 2 at 1 depth lookup: unable to get issuer certificate
error fullchain.pem: verification failed
Then, open the page: https://letsencrypt.org/certificates/
Locate the ISRG Root X1 section.
Click Certificate Details → PEM (usually labeled as .pem format).
Append ISRG Root X1 to the end of chain.pem.
Then execute:
C:\bot\bottest-rsa>"C:\Program Files\OpenSSL-Win64\bin\openssl" verify -CAfile chain.pem fullchain.pem
fullchain.pem: OK
The verification was successful.
3.3. Generate the certificate:
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in fullchain.pem
3.4. Import the certificate into LocalMachine.
Import-PfxCertificate -FilePath "certificate.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password (ConvertTo-SecureString "password" -AsPlainText -Force)
3.5. Verify certificate is accessible
PS C:\bot\bottest-rsa> Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $thumbprint}
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx337F6A7A CN=*.bottest.com
4. AWS Security Group Configuration
=> As shown in the figure:
5. Windows Server Configuration
=> The IIS-WebServerRole and IIS-ASPNET45 roles have been installed.
Ports 8445 and 14217 are being monitored as shown in the figure:
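Added example, not code from either poster: a Python check that reads `openssl x509 -text -noout` output like the dump in 3.1 and tests the certificate points raised in the thread (SAN coverage of the names used for ServiceFqdn, server-auth EKU, validity window). The function names and the embedded excerpt are constructed for illustration; the host names and field values are the ones quoted above.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt (not a real dump) in `openssl x509 -text -noout` layout, values from the thread.
SAMPLE_DUMP = """\
Validity
Not Before: Sep 23 13:21:51 2025 GMT
Not After : Dec 22 13:21:50 2025 GMT
Subject: CN=*.bottest.com
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:*.bottest.com
"""

def parse_dump(text):
    """Pull SAN DNS names, EKU values and the validity window from the dump."""
    lines = [ln.strip() for ln in text.splitlines()]  # indentation is ignored
    def value_after(header):
        hits = [lines[i + 1] for i, ln in enumerate(lines[:-1]) if ln.startswith(header)]
        return [v.strip() for v in hits[0].split(",")] if hits else []
    def when(label):
        stamp = re.search(rf"{label}\s*:\s*(.+?) GMT", text).group(1)
        return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    sans = [v[4:].lower() for v in value_after("X509v3 Subject Alternative Name") if v.startswith("DNS:")]
    return {"sans": sans, "eku": value_after("X509v3 Extended Key Usage"),
            "not_before": when("Not Before"), "not_after": when("Not After")}

def san_covers(pattern, host):
    """'*' must be the whole leftmost label and stands for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def check_cert(text, fqdns, now):
    """Return a list of problems; an empty list means every check passed."""
    cert = parse_dump(text)
    problems = [f"{name}: no SAN entry covers it" for name in fqdns
                if not any(san_covers(s, name) for s in cert["sans"])]
    if "TLS Web Server Authentication" not in cert["eku"]:
        problems.append("EKU lacks TLS Web Server Authentication")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate is outside its validity window")
    return problems

if __name__ == "__main__":
    now = datetime(2025, 10, 1, tzinfo=timezone.utc)  # date of the log lines in the thread
    print(check_cert(SAMPLE_DUMP, ["signaling.bottest.com", "media.bottest.com"], now))
```

On the thread's values the result is an empty list: the single `DNS:*.bottest.com` entry covers both `signaling.bottest.com` and `media.bottest.com`, while the bare `bottest.com` or a name two labels deep would be reported as uncovered.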