Forum Discussion

guoxl
Copper Contributor
Sep 30, 2025

Azure Bot not joining meeting - Server Internal Error. DiagCode: 500#1203002.@

This problem has been bothering me for about two weeks and I haven’t found a solution yet. I’d really appreciate your help.
 
Environment Setup
1. Development Tool: Visual Studio 2022
 
2. Deployment: The service is hosted on AWS. In AWS Networking, both TCP and UDP port 14217 are opened.
The operating system is Windows Server 2022, and the firewall has been disabled temporarily for testing.
 
3. Certificate: A wildcard SSL certificate issued by Let’s Encrypt (CN = *.bottest.com, RSA-based) has been installed under LocalMachine\My certificate store.
 
4. Reverse Proxy: Both HTTPS and TCP traffic are forwarded through Nginx.
http {
    server {
        listen       80;
        server_name  localhost;
    }
    server {
        listen 443 ssl;
        server_name signaling.bottest.com;
    
        ssl_certificate     fullchain.pem;
        ssl_certificate_key privkey.pem;
    
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         HIGH:!aNULL:!MD5;
    
        location / {
            proxy_pass         http://127.0.0.1:5001;
            proxy_http_version 1.1;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection keep-alive;
            proxy_set_header   Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
}
stream {
    upstream dotnet_app_tcp {
        server 127.0.0.1:8445; 
    }
 
    server {
        listen 14217 ssl;
 
        ssl_certificate     fullchain.pem;
        ssl_certificate_key privkey.pem;
 
        ssl_protocols           TLSv1.2 TLSv1.3;
        ssl_ciphers             HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        
        proxy_pass dotnet_app_tcp;
    }
}
 
5. The bot’s Application Permissions have also been granted, as shown in the figure below:
 
6. Bot initialization
        var mediaPlatformSettings = new MediaPlatformSettings
        {
            ApplicationId = _botConfig.MicrosoftAppId,
            MediaPlatformInstanceSettings = new MediaPlatformInstanceSettings
            {
                CertificateThumbprint = _botConfig.CertificateThumbprint, // LocalMachine/My certificate-*.bottest.com-thumbprint
                InstanceInternalPort = 8445,
                InstancePublicPort = 14217,
                InstancePublicIPAddress = IPAddress.Parse("18.181.xx.xx"), // AWS public IP
                ServiceFqdn = "media.bottest.com"
            }
        };
        _communicationsClient = new CommunicationsClientBuilder("IMediaSessionBot", _botConfig.MicrosoftAppId, _graphLogger)
                .SetAuthenticationProvider(_authProvider)
                .SetServiceBaseUrl(new Uri("https://graph.microsoft.com/v1.0"))
                .SetNotificationUrl(new Uri($"{_botConfig.PublicUrl}/api/calls"))
                .SetMediaPlatformSettings(mediaPlatformSettings)
                .SetHttpClient(httpClient)
                .Build();
        _communicationsClient.Calls().OnIncoming += this.OnIncomingCall;
        _communicationsClient.Calls().OnUpdated += OnCallUpdated;
    }
 
7. Join meeting
        var scenarioId = Guid.NewGuid();
        var meetingDetails = MeetingUrlParser.Parse(meetingUrl);
 
        var chatInfo = new ChatInfo { ThreadId = meetingDetails.ThreadId };
        var meetingInfo = new JoinMeetingIdMeetingInfo
        {
            JoinMeetingId = _botConfig.MeetingID,
            Passcode = _botConfig.MeetingPasscode,
            AdditionalData = new Dictionary<string, object>
            {
                {
                    "allowConversationWithoutHost" , true
                },
            },
        };
 
        ILocalMediaSession mediaSession = this.CreateLocalMediaSession();
 
        var joinParams = new JoinMeetingParameters(chatInfo, meetingInfo, mediaSession)
        {
            TenantId = tenantId,
            AllowGuestToBypassLobby = true
        };
        try
        {
            _activeCall = await _communicationsClient.Calls().AddAsync(joinParams, scenarioId).ConfigureAwait(false);
            _logger.LogInformation($"Successfully initiated the add-participant request, Call ID:: {_activeCall.Id}");
        }
        catch (ODataError ex)
        {
            Console.WriteLine($"{DateTime.Now:yyyy-MM-dd HH:mm:ss.fff} Failed to initiate the call: .ex={ex.ToString()}");
            throw;
        }
 
    private ILocalMediaSession CreateLocalMediaSession(Guid mediaSessionId = default(Guid))
    {
        var mediaSession = this._communicationsClient.CreateMediaSession(
            new AudioSocketSettings
            {
                StreamDirections = StreamDirection.Recvonly,
                SupportedAudioFormat = AudioFormat.Pcm16K,
                ReceiveUnmixedMeetingAudio = true, 
                EnableAudioHealingForUnmixed = true
            },
            new VideoSocketSettings
            {
                StreamDirections = StreamDirection.Inactive
            },
            mediaSessionId: mediaSessionId);
        return mediaSession;
    }
 
8. Callback (SetNotificationUrl(new Uri($"{_botConfig.PublicUrl}/api/calls")))
State at first attempt:Notification payload: {"@odata.type":"#microsoft.graph.commsNotifications","value":[{"@odata.type":"#microsoft.graph.commsNotification","changeType":"updated","resource":"/app/calls/07004d80-44b9-479e-bb43-2d5983e3f235","resourceUrl":"/communications/calls/07004d80-44b9-479e-bb43-2d5983e3f235","resourceData":{"@odata.type":"#microsoft.graph.call","state":"establishing","chatInfo":{"@odata.type":"#microsoft.graph.chatInfo","threadId":"19:meeting_MzIyMTYzOTMtMGYyNi00OTE2LTg2NjUtYmU4ZDlhYmY2ZmRj@thread.v2"},"meetingInfo":{"@odata.type":"#microsoft.graph.joinMeetingIdMeetingInfo","joinMeetingId":"4130864187312","passcode":"P7GY7Vv2","allowConversationWithoutHost":true},"callChainId":"b50a00dc-74da-42b0-966a-e88dea7e6087"}}]}
State at second attempt:Notification payload: {"@odata.type":"#microsoft.graph.commsNotifications","value":[{"@odata.type":"#microsoft.graph.commsNotification","changeType":"deleted","resource":"/app/calls/07004d80-44b9-479e-bb43-2d5983e3f235","resourceUrl":"/communications/calls/07004d80-44b9-479e-bb43-2d5983e3f235","resourceData":{"@odata.type":"#microsoft.graph.call","state":"terminated","resultInfo":{"@odata.type":"#microsoft.graph.resultInfo","code":500,"subcode":1203002,"message":"Server Internal Error. DiagCode: 500#1203002.@"},"chatInfo":{"@odata.type":"#microsoft.graph.chatInfo","threadId":"19:meeting_MzIyMTYzOTMtMGYyNi00OTE2LTg2NjUtYmU4ZDlhYmY2ZmRj@thread.v2"},"meetingInfo":{"@odata.type":"#microsoft.graph.joinMeetingIdMeetingInfo","joinMeetingId":"4130864187312","passcode":"P7GY7Vv2","allowConversationWithoutHost":true},"callChainId":"b50a00dc-74da-42b0-966a-e88dea7e6087"}}]}
Here, an error occurred: 500 #1203002.
 
9. Based on the packet capture, the issue seems to be related to interactions with /MediaProcessor/v1. It’s unclear whether this is due to a protocol mismatch or a certificate mismatch, as shown in the figure below:
 
10. Database schema (DDL) dependencies required by the bot
  <ItemGroup>
<PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.23.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.24.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="1.4.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Core" Version="1.20.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.3.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.18.1" />
<PackageReference Include="Microsoft.AspNetCore" Version="2.1.3" />
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.1.2" />
<PackageReference Include="Microsoft.Bot.Builder.Integration.AspNet.WebApi" Version="4.22.1" />
<PackageReference Include="Microsoft.CognitiveServices.Speech" Version="1.46.0" />
<PackageReference Include="Microsoft.Graph.Communications.Calls.Media" Version="1.2.0.10563" />
<PackageReference Include="Microsoft.Graph.Communications.Core" Version="1.2.0.10563" />
<PackageReference Include="Microsoft.Graph.Core" Version="3.1.3" />
<PackageReference Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" />
<PackageReference Include="Microsoft.ServiceFabric.AspNetCore.HttpSys" Version="3.2.187" />
<PackageReference Include="Microsoft.Skype.Bots.Media" Version="1.31.0.180" />
<PackageReference Include="Microsoft.Kiota.Http.HttpClientLibrary" Version="1.3.3" />
  </ItemGroup>
 
11. The certificate has also been uploaded to Azure, as shown in the figure:
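
The two callback payloads in step 8 carry the failure detail in resourceData.resultInfo and also echo the meeting passcode, so a handler that logs them verbatim writes a join credential to disk. The following added example (not part of the original post; the function names are hypothetical and the sample payload is constructed with placeholder ids and passcode) extracts the state and diagnostic code per notification and masks the passcode before logging.

```python
import json

# Keys whose values should never reach a log file (assumption: extend as needed).
SENSITIVE_KEYS = {"passcode"}

# Constructed sample modelled on the "deleted" notification shape shown above;
# the call id, meeting id and passcode are placeholders.
SAMPLE = json.dumps({
    "@odata.type": "#microsoft.graph.commsNotifications",
    "value": [{
        "@odata.type": "#microsoft.graph.commsNotification",
        "changeType": "deleted",
        "resourceUrl": "/communications/calls/00000000-0000-0000-0000-000000000000",
        "resourceData": {
            "@odata.type": "#microsoft.graph.call",
            "state": "terminated",
            "resultInfo": {"code": 500, "subcode": 1203002,
                           "message": "Server Internal Error. DiagCode: 500#1203002.@"},
            "meetingInfo": {"joinMeetingId": "0000000000000",
                            "passcode": "EXAMPLE-PASSCODE"},
        },
    }],
})


def redact(node):
    """Return a copy of a parsed payload with sensitive values masked."""
    if isinstance(node, dict):
        return {k: "***" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node


def summarize(raw):
    """Extract call id, change type, state and diagnostic code per notification."""
    out = []
    for note in json.loads(raw).get("value", []):
        data = note.get("resourceData") or {}
        info = data.get("resultInfo") or {}
        diag = None
        if "code" in info:
            # Same "code#subcode" form that appears in the DiagCode message.
            diag = f"{info['code']}#{info.get('subcode', 0)}"
        out.append({
            "call_id": note.get("resourceUrl", "").rsplit("/", 1)[-1],
            "change": note.get("changeType"),
            "state": data.get("state"),
            "diag": diag,
            "message": info.get("message"),
        })
    return out


def safe_log_line(raw):
    """Serialise the payload for logging with the passcode masked."""
    return json.dumps(redact(json.loads(raw)), separators=(",", ":"))


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    print(safe_log_line(SAMPLE))
```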

 

2 Replies

  • @guoxl - Thanks for bringing this issue to our attention.
    Based on your detailed setup and the error code 500#1203002, this is a Microsoft Teams Real-time Media Platform connectivity issue. The error indicates the Teams media service cannot establish a secure connection to your media endpoint.

    Root Cause Analysis

    Error 500#1203002 typically means:

    • Media platform connectivity failure
    • Certificate/TLS handshake issues
    • Network routing problems between Teams and your media endpoint
    • Protocol mismatch in media negotiation

    Critical Issues in Your Setup

    1. Media Platform Configuration Issues

    Problem: Your ServiceFqdn and certificate don't match your Nginx configuration.

    Current Setup:
    ServiceFqdn = "media.bottest.com"  // But Nginx serves signaling.bottest.com

    Corrected Configuration:
    var mediaPlatformSettings = new MediaPlatformSettings
    {
        ApplicationId = _botConfig.MicrosoftAppId,
        MediaPlatformInstanceSettings = new MediaPlatformInstanceSettings
        {
            CertificateThumbprint = _botConfig.CertificateThumbprint,
            InstanceInternalPort = 8445,
            InstancePublicPort = 14217,
            InstancePublicIPAddress = IPAddress.Parse("18.181.xx.xx"),
            ServiceFqdn = "signaling.bottest.com" // ✅ Match your Nginx server_name
        }
    };

    2. Nginx Configuration Problems

    Issue: Missing UDP support and incorrect SSL configuration for media.

    Corrected Nginx Configuration:

    # /etc/nginx/nginx.conf
    events {
        worker_connections 1024;
    }

    http {
        # Connection upgrade mapping (belongs in the http context; $http_upgrade is not available in stream)
        map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
        }

        # Signaling endpoint (HTTPS)
        server {
            listen 443 ssl http2;
            server_name signaling.bottest.com;
        
            ssl_certificate     /path/to/fullchain.pem;
            ssl_certificate_key /path/to/privkey.pem;
            ssl_protocols       TLSv1.2 TLSv1.3;
            ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;
            ssl_prefer_server_ciphers off;
            ssl_dhparam /path/to/dhparam.pem;

            # Important: Add these headers for Teams compatibility
            add_header Strict-Transport-Security "max-age=63072000" always;
            
            location / {
                proxy_pass         http://127.0.0.1:5001;
                proxy_http_version 1.1;
                proxy_set_header   Upgrade $http_upgrade;
                proxy_set_header   Connection $connection_upgrade;
                proxy_set_header   Host $host;
                proxy_set_header   X-Real-IP $remote_addr;
                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header   X-Forwarded-Proto $scheme;
                proxy_cache_bypass $http_upgrade;
                proxy_read_timeout 86400;
            }
        }
    }

    # Media endpoint (TCP/TLS)
    stream {

        upstream media_backend {
            server 127.0.0.1:8445;
        }

        server {
            listen 14217 ssl;
            
            ssl_certificate     /path/to/fullchain.pem;
            ssl_certificate_key /path/to/privkey.pem;
            ssl_protocols       TLSv1.2 TLSv1.3;
            ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
            ssl_prefer_server_ciphers on;
            ssl_session_cache   shared:SSL:10m;
            ssl_session_timeout 10m;
            
            proxy_pass media_backend;
            proxy_timeout 1s;
            proxy_responses 1;
            proxy_bind $remote_addr transparent;
        }
    }

     

    3. Certificate Issues

    Problem: Certificate chain and validation issues.

    Required Certificate Setup:

    # Verify certificate chain
    openssl x509 -in fullchain.pem -text -noout
    openssl verify -CAfile chain.pem fullchain.pem

    # Certificate must include:
    # - Subject: CN=*.bottest.com
    # - Subject Alternative Names: signaling.bottest.com, media.bottest.com
    # - Full certificate chain including intermediates

     

    Install Certificate Properly:

    # PowerShell on Windows Server
    $cert = Import-PfxCertificate -FilePath "certificate.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password (ConvertTo-SecureString "password" -AsPlainText -Force)
    $thumbprint = $cert.Thumbprint

    # Verify certificate is accessible
    Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $thumbprint}

     

    4. AWS Security Group Configuration

    Required Ports:

    # Inbound Rules
    HTTPS    443    0.0.0.0/0           # Signaling
    TCP      14217  0.0.0.0/0           # Media (TLS)
    UDP      14217  0.0.0.0/0           # Media (DTLS) - IMPORTANT!

    # Outbound Rules  
    All Traffic  0.0.0.0/0             # Allow all outbound

     

    5. Windows Server Configuration

    Required Services and Ports:

    # Disable Windows Firewall completely for testing
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

    # Enable required Windows features
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ASPNET45

    # Verify port binding
    netstat -an | findstr ":8445"
    netstat -an | findstr ":14217"


    Could you review the points above and let us know if you encounter any issues?

    • guoxl
      Copper Contributor

      First of all, thank you for your response, but the same error still occurs.

      Media Platform Configuration Issues
      => Change ServiceFqdn to "signaling.bottest.com"
      The result of the MediaPlatformSettings configuration is as follows:
      [2025-10-01T15:14:23.635Z] =================CertificateThumbprint=[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx337F6A7A]
      [2025-10-01T15:14:23.642Z] =================InstanceInternalPort=[8445]
      [2025-10-01T15:14:23.645Z] =================InstancePublicPort=[14217]
      [2025-10-01T15:14:23.647Z] =================InstancePublicIPAddress=[18.181.xx.xx]
      [2025-10-01T15:14:23.649Z] =================ServiceFqdn=[signaling.bottest.com]


      2. Nginx Configuration Problems
      => The corresponding changes have also been made in C:\bot\nginx-1.29.1\conf\nginx.conf:
      events {
          worker_connections  1024;
      }

      http {
          include       mime.types;
          default_type  application/octet-stream;

          log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for"';

          access_log  logs/access.log  main;

          sendfile        on;
          #tcp_nopush     on;

          #keepalive_timeout  0;
          keepalive_timeout  65;

          #gzip  on;

          server {
              listen       80;
              server_name  localhost;
              location / {
                  root   html;
                  index  index.html index.htm;
              }
          }

          # Connection upgrade mapping
          map $http_upgrade $connection_upgrade {
              default upgrade;
              '' close;
          }

          server {
              listen 443 ssl;
              http2 on;
              server_name signaling.bottest.com;
          
              ssl_certificate     C:/bot/bottest-rsa/fullchain.pem;
              ssl_certificate_key C:/bot/bottest-rsa/privkey.pem;

              ssl_protocols       TLSv1.2 TLSv1.3;
              ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;
              ssl_prefer_server_ciphers off;
              ssl_dhparam C:/bot/nginx-1.29.1/conf/dhparam.pem;

              # Important: Add these headers for Teams compatibility
              add_header Strict-Transport-Security "max-age=63072000" always;
          
              location / {
                  proxy_pass         http://127.0.0.1:5001;
                  proxy_http_version 1.1;
                  proxy_set_header   Upgrade $http_upgrade;
                  proxy_set_header   Connection $connection_upgrade;
                  proxy_set_header   Host $host;
                  proxy_set_header   X-Real-IP $remote_addr;
                  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header   X-Forwarded-Proto $scheme;
                  proxy_cache_bypass $http_upgrade;
                  proxy_read_timeout 86400;
              }
          }
      }

      stream {
          upstream media_backend {
              server 127.0.0.1:8445;
          }
          server {
              listen 14217 ssl;

              ssl_certificate     C:/bot/bottest-rsa/fullchain.pem;
              ssl_certificate_key C:/bot/bottest-rsa/privkey.pem;

              ssl_protocols       TLSv1.2 TLSv1.3;
              ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
              ssl_prefer_server_ciphers on;
              ssl_session_cache   shared:SSL:10m;
              ssl_session_timeout 10m;
              
              proxy_pass media_backend;
              proxy_timeout 1s;
              proxy_responses 1;
      #        proxy_bind $remote_addr transparent;
          }
      }

      3. Certificate Issues
      3.1. openssl x509 -in fullchain.pem -text -noout
      => The execution result is as follows:
      C:\bot\bottest-rsa>"C:\Program Files\OpenSSL-Win64\bin\openssl" x509 -in fullchain.pem -text -noout
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  05:6a:f7:c5:...
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C=US, O=Let's Encrypt, CN=R12
              Validity
                  Not Before: Sep 23 13:21:51 2025 GMT
                  Not After : Dec 22 13:21:50 2025 GMT
              Subject: CN=*.bottest.com
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (2048 bit)
                      Modulus:
                          00:c6:70:...
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Key Usage: critical
                      Digital Signature, Key Encipherment
                  X509v3 Extended Key Usage:
                      TLS Web Server Authentication, TLS Web Client Authentication
                  X509v3 Basic Constraints: critical
                      CA:FALSE
                  X509v3 Subject Key Identifier:
                      A2:56:99:2F:C7:42:29:6D:AF:9C:85:27:32:C0:7E:4B:14:0E:79:6D
                  X509v3 Authority Key Identifier:
                      00:B5:29:F2:2D:8E:6F:31:E8:9B:4C:AD:78:3E:FA:DC:E9:0C:D1:D2
                  Authority Information Access:
                      CA Issuers - URI:http://r12.i.lencr.org/
                  X509v3 Subject Alternative Name:
                      DNS:*.bottest.com
                  X509v3 Certificate Policies:
                      Policy: 2.23.140.1.2.1
                  X509v3 CRL Distribution Points:
                      Full Name:
                        URI:http://r12.c.lencr.org/98.crl

                  CT Precertificate SCTs:
                      Signed Certificate Timestamp:
                          Version   : v1 (0x0)
                          Log ID    : A4:42:C5:06...
                          Timestamp : Sep 23 14:20:21.550 2025 GMT
                          Extensions: none
                          Signature : ecdsa-with-SHA256
                                      30:44:02:20:...
                      Signed Certificate Timestamp:
                          Version   : v1 (0x0)
                          Log ID    : 12:F1:4E:34:...
                          Timestamp : Sep 23 14:20:21.552 2025 GMT
                          Extensions: none
                          Signature : ecdsa-with-SHA256
                                      30:45:02:21:...
          Signature Algorithm: sha256WithRSAEncryption
          Signature Value:
              5f:4a:46...
      3.2. openssl verify -CAfile chain.pem fullchain.pem
      => The first time, it reported the following error:
      C:\bot\bottest-rsa>"C:\Program Files\OpenSSL-Win64\bin\openssl" verify -CAfile chain.pem fullchain.pem
      C=US, O=Let's Encrypt, CN=R12
      error 2 at 1 depth lookup: unable to get issuer certificate
      error fullchain.pem: verification failed
      Then, open the page: https://letsencrypt.org/certificates/
      Locate the ISRG Root X1 section.
      Click Certificate Details → PEM (usually labeled as .pem format).
      Append ISRG Root X1 to the end of chain.pem.
      Then execute:
      C:\bot\bottest-rsa>"C:\Program Files\OpenSSL-Win64\bin\openssl" verify -CAfile chain.pem fullchain.pem
      fullchain.pem: OK
      The verification was successful.
      3.3. Generate the certificate:
      openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in fullchain.pem
      3.4. Import the certificate into LocalMachine.
      Import-PfxCertificate -FilePath "certificate.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password (ConvertTo-SecureString "password" -AsPlainText -Force)
      3.5. Verify certificate is accessible
      PS C:\bot\bottest-rsa> Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $thumbprint}
         PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
      Thumbprint                                Subject
      ----------                                -------
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx337F6A7A  CN=*.bottest.com

      4. AWS Security Group Configuration
      => As shown in the figure:


      5. Windows Server Configuration
      => The IIS-WebServerRole and IIS-ASPNET45 roles have been installed.
      Ports 8445 and 14217 are being monitored as shown in the figure:
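
The thread turns on whether the names the bot presents (ServiceFqdn, the Nginx server_name) are covered by a certificate whose only SAN entry is DNS:*.bottest.com. The following added example (not from the thread; the function names are hypothetical and the openssl excerpt is a constructed sample in the layout shown above) reads the DNS SANs out of `openssl x509 -text -noout` output and applies the single-label wildcard rule from RFC 6125. The requirement of two fixed labels after the `*` is a conservative assumption of this sketch.

```python
import re

# Constructed excerpt in the layout produced by `openssl x509 -text -noout`.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:*.bottest.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""


def san_dns_names(openssl_text):
    """Return the DNS entries listed under the Subject Alternative Name header."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        # openssl prints all SAN entries on the single line after the header.
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return re.findall(r"DNS:([^,\s]+)", lines[i + 1])
    return []


def matches(pattern, host):
    """'*' is honoured only as the whole left-most label and spans one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Assumption: require at least two fixed labels, so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(openssl_text, hostnames):
    """Hostnames that no SAN entry covers; an empty list means all are covered."""
    sans = san_dns_names(openssl_text)
    return [h for h in hostnames if not any(matches(s, h) for s in sans)]


if __name__ == "__main__":
    names = ["signaling.bottest.com", "media.bottest.com",
             "bottest.com", "a.media.bottest.com"]
    print("SANs:", san_dns_names(SAMPLE_TEXT))
    print("not covered:", uncovered(SAMPLE_TEXT, names))
```

Both hostnames used in the thread fall under the wildcard, while the apex domain and any deeper subdomain do not.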
