Question asked by GauravChayal-6633 (0 votes):

In Bot Framework - Getting HTTP Status Code Forbidden in Web Chat

I have created a bot in Bot Framework and configured the Teams channel with it, but while testing we are getting no response, with the error "There was an error sending this message to your bot: HTTP status code Forbidden" in the Web Chat logs.

[attachment: uat-botissue.jpg]

I have seen some other similar questions regarding Bot Framework issues.
I am concerned about the following options:
1. Is it mandatory to use the "MultiTenant" support type? Right now I am using "SingleTenant".
My reference for that is this documentation:
https://docs.microsoft.com/en-us/azure/bot-service/bot-service-quickstart-registration?view=azure-bot-service-4.0#manual-app-registration
2. Is it mandatory to allow-list the following URLs in the firewall?
login.botframework.com (Bot authentication)
login.microsoftonline.com (Bot authentication)
westus.api.cognitive.microsoft.com (for Luis.ai NLP integration)
*.botframework.com (channels)
state.botframework.com (backward compatibility)
login.windows.net (Windows login)
login.windows.com (Windows login)
sts.windows.net (Windows login)
Reference (official doc): https://docs.microsoft.com/en-us/azure/bot-service/bot-service-resources-faq-security?view=azure-bot-service-4.0#which-specific-urls-do-i-need-to-allow-list-in-my-corporate-firewall-to-access-bot-framework-services

And if we need to change the support type to "Multitenant", I need some reasoning for that:
1. Why do we need "Multitenant" if we are working in a single-tenant network?
2. Why is there a "Singletenant" option if "Multitenant" is mandatory?

The IT team is not allowing this option and is concerned about security.
Kindly tell me if there could be some other causes for the issue.

Tags: office-teams-app-dev, microsoft-graph-teamwork, azure-ad-app-registration, azure-bot-service, azure-ad-tenant

romungi-MSFT answered (3 votes):

@GauravChayal-6633 The reason for using multi-tenant is as follows:

“A bot’s App Registration is multi-tenant due to the architecture of the Bot Service so that a token can be generated that points to api.botframework.com resource (which is hosted on the botframework tenant). botframework.com is a single-tenant resource so in order for us to grant access to the bot service’s connector resources, we create the token against the bot's app registration (hence the need for the multi-tenant registration). This app registration should only be used for this service-to-service bot authentication pattern. It should have no access to other claims, etc. If you need the app registration to have access to other resources, you should create a separate app registration to use.”

So the registration and access to the URLs are required to ensure the bot works as expected.


GauravChayal-6633 answered (0 votes):

@romungi-MSFT
Thanks for the reply, but the explanation is still not clear.

[attachment: tenant.jpg]

In the above screenshot it is clearly mentioned to use "SingleTenant" if the target audience is internal to the organization,
and to use "Multitenant" if the target audience is multiple organizations (like schools or businesses).
So it is obvious to choose the option according to the tenants.

Then why is the "SingleTenant" option available if "MultiTenant" is mandatory to use?
Also, I can't find any official documentation for strictly using Multitenant while configuring the Teams channel with a bot in Bot Framework.
The security team needs proper proof and documentation for making the registration Multitenant.


@GauravChayal-6633 With respect to the Bot Framework, the link you provided above is the guidance.
I think the screenshot is specific to app registration and displays the available options for supported accounts.

(1 vote)

@romungi-MSFT
So, one last question:
Is there no risk or security concern in using the "Multitenant" support type registration, and is it mandatory for configuring the Teams channel in Bot Framework?

Thanks in advance :)

(0 votes)

Yes, with the current Bot Framework architecture you need this setup for any channel integration. You can set up authentication with your bot to ensure any communication with your bot is safe and secure.

(1 vote)
GauravChayal-6633 answered (0 votes):

Hi @romungi-MSFT, hope you are doing well.
We need your help again.

So now we are stuck proceeding further with the Teams adapter.
Our IT team has changed the app's support type to Multitenant, and there is no outbound traffic blocking for the URL access.
We were concerned about those two requirements and now they are fulfilled, but the issue is still the same.
We are getting the error "There was an error sending this message to your bot : HTTP status code Forbidden".

I have checked the required URLs in the browser; they are accessible.
Is there any other way to check if the URL access is working fine?
Please guide us on the next step we can check and what the other possibilities for this issue are.


@GauravChayal-6633 I believe you are referring to the Teams bot channel URL that is mentioned in this screen after copying the embed codes.

[attachment: image.png]

With regard to the error, it would be easier to check the exact reason if you enable logging on your bot using the diagnostic settings of the bot resource in the Azure portal.

[attachment: image.png]

(0 votes)

We haven't deployed our bot code on Azure or created any bot resource. We are using our own framework for creating bots and are just configuring that framework's messaging endpoint in dev.botframework.com by creating a new bot there.

We are also getting this error “Error - 403 Forbidden - Microsoft-Azure-Application-Gateway/v2” in the Chrome inspector.

Since our framework and code are configured on a server assigned by the IT team with a DNS name, is there any chance that the requests to the "messaging endpoint URL" from "Microsoft-SkypeBotApi+(Microsoft-BotFramework/3.0)" are being blocked by the Azure Gateway or Azure Firewall?

If yes, we need to tell the IT team to check it, but we need to know where they should check and what settings they need to change to enable it.
Or else, what could be the other reasons for that error? Thanks :)

[attachment: boterror.jpg]

(0 votes)
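Two checks the thread circles around can be scripted: probing the allow-listed hosts from the bot server (outbound), and telling a 403 produced by the Application Gateway in front of the messaging endpoint apart from one produced by the bot's own token validation (inbound). This is an added example, not code from the thread or from Microsoft; the host list and the gateway signature come from the posts above, the probe is a plain TLS handshake, and the response samples are constructed.

```python
"""Added triage helpers for the 'HTTP status code Forbidden' error in this thread.
The connectivity check touches the network only with the default probe; the
wildcard entry *.botframework.com cannot be probed and is left out."""
import socket
import ssl
from typing import Callable, Dict, Iterable, List

# Hosts the question lists for the corporate firewall allow-list.
ALLOW_LIST = [
    "login.botframework.com", "login.microsoftonline.com",
    "westus.api.cognitive.microsoft.com", "state.botframework.com",
    "login.windows.net", "login.windows.com", "sts.windows.net",
]
# Error signature the thread reports from the Chrome inspector.
GATEWAY_SIGNATURE = "Microsoft-Azure-Application-Gateway"


def tls_probe(host: str, timeout: float = 5.0) -> bool:
    """Resolve the host and complete a TLS handshake on 443 (outbound check)."""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def check_allow_list(hosts: Iterable[str] = ALLOW_LIST,
                     probe: Callable[[str], bool] = tls_probe) -> List[str]:
    """Return the hosts that could not be reached; an empty list means the
    outbound allow-list requirement is satisfied from this machine."""
    return [h for h in hosts if not probe(h)]


def classify_forbidden(status: int, headers: Dict[str, str], body: str) -> str:
    """Say where a captured 401/403 most likely came from (heuristic)."""
    if status not in (401, 403):
        return "not-forbidden"
    if GATEWAY_SIGNATURE in body or GATEWAY_SIGNATURE in headers.get("Server", ""):
        # The gateway in front of the bot answered: the inbound delivery from
        # Bot Framework never reached the bot code, so tenant type is not the cause.
        return "blocked-by-inbound-gateway"
    if status == 401 or "WWW-Authenticate" in headers:
        # The bot answered: the bearer token was missing or failed validation.
        return "rejected-by-bot-auth"
    return "forbidden-by-bot"


if __name__ == "__main__":
    print("unreachable:", check_allow_list())
```

Run it on the server that hosts the messaging endpoint, not on a workstation, since that is the host whose egress the firewall rules apply to.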