SOLVED

Teams won't talk to Azure Bot Messaging endpoint

Copper Contributor

The "Web Chat" channel works fine, but the "Microsoft Teams" doesn't. A few clues as to what might be going on...

 

1) If I point to an ngrok tunnel that goes directly to the https service (haproxy) it works fine.
2) I'm seeing the occasional portal.azure.com pre-flight (OPTIONS) request logged against the service, but nothing else.

 

So, Teams/Azure Bot can reach the service, and it would seem that it's pretending to be a browser and doing CORS stuff. I've permitted and exposed all the headers the pre-flight is asking for. I also respond with the required specific Origin -> https://portal.azure.com header and allow authentication (because Azure Bot sends an authorization header).

 

Any ideas about what could be going on?

12 Replies

@stephenmdyoung : Hey are you trying to run bot from local or have you deployed it on app service? 
Also, the endpoint you are giving should be publicly accessible and in channels, it should be connected to Teams. 

Please have a look at this: Connect a bot to Microsoft Teams

Thanks @HunaidHanfee-MSFT - but yes, the endpoint is publicly available and the bot has both the Teams and Web Chat channels. What's more, the relevant Microsoft services must be seeing the relevant settings or we wouldn't be seeing the OPTIONS request at the endpoint.

Steve
As I understand from the question app is working when pointed to ngrok. You are facing problem when you are giving some other endpoint.
If you doing it locally make sure that bot is running and ngrok or other endpoint should point to the same port on which local bot is running.

Also, you should check on Teams web client and look console for errors. Please make sure that you have given the correct botId in the manifest.

Could you please share bot Id and timestamp when you faced this issue so that we can check at our end what is wrong?
Hi @HunaidHanfee-MSFT

Indeed the app is working when pointed to an ngrok endpoint, but the ngrok tunnel is pointed directly (initiated from inside the service's VM) to the "live" socket - i.e. to the same endpoint. This might seem to indicate that there is a firewall or other infrastructure issue blocking Teams' access to the endpoint, but we've eliminated that possibility. We can see the Teams traffic in tcpdump captures, *and* we're capturing Teams CORS OPTIONS requests at the endpoint.

ngrok uses an Authorisation header so will overwrite whatever comes from Azure/Teams. This might be a clue to what's going on.

As you've suggested, I've brought up the Teams web client in a clean version of Firefox (no blockers etc) on a linux VM and, for sure, Angular is spitting out a bunch of errors. There is plenty of data the client is expecting, but not getting. e.g.

XML Parsing Error: no root element found
Location: https://presence.teams.microsoft.com/v1/me/reportmyactivity

You should know that we raised a ticket (Case #:27092020) for this issue. We were asked for, and provided, all manner of information and data from the the desktop app and the machine it was running on. I think we've established that the problem is how the Teams (or Azure Bot) server-side application is interacting with our endpoint - and not with either the desktop or web client.

The bot id is "ask-kaybot" The issue is continuous, but I'll make a couple more requests to it at the same time I post this reply so that you have a timestamp.

Steve

Hello @stephenmdyoung,
Please have a look at this FAQ. It explain which specific URLs you need to allow-list in your corporate firewall.

Also could please share your bot GUID Id that you used while creating bot channel registration or used in manifest. 

Thanks for this @HunaidHanfee-MSFT 

 

The endpoint sits on an AWS VM - not behind a corporate firewall.  No incoming hosts/IP addresses are blocked at this stage - only ports.

 

The ask-kaybot Microsoft App ID is ee4a1ffe-1d28-4d74-9aeb-e27f25d9acc0 - I hope this is the GUID you need.

@nexus-steve - To keep you updated - We have find that you are getting an exception 

Error when sending request to bot System.Net.Http.HttpRequestException: An error occurred while sending the request.
 ---> (Inner) System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

This might be the problem that is blocking request to get send. I am looking into this and working with internal team to get it sorted. 
Thanks 

Thanks for the update  @HunaidHanfee-MSFT - your efforts are much appreciated.

 

Can you let me know what ciphers Teams/Azure is expecting?  I'll make sure that haproxy has them covered.

 

Cheers

Steve

best response confirmed by stephenmdyoung (Copper Contributor)
Solution

@nexus-steve - these are the cipher suites that SMBA supports:

 

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
@nexus-steve - Have you tried with these? Please let us know if it resolve your issue.
Hey thanks for your help @HunaidHanfee-MSFT and @Wajeed-MSFT. We've changed the cipher support for the bot gateway and it appears to have solved the problem.

@stephenmdyoung 
Thanks for updating,
If the response is helpful, please click "**Mark as Best Response**" and like it. This will increase the answer visibility and will help other users as well. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate. 

1 best response

Accepted Solutions
best response confirmed by stephenmdyoung (Copper Contributor)
Solution

@nexus-steve - these are the cipher suites that SMBA supports:

 

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

View solution in original post