BED-6164 - Add Logging Describing Outcome of GetNtlmEndpoint in CAEnrollmentProcessor (#246)

Michael Cuomo · web-flow · commit 8a703f36223d · 2025-09-18T14:04:12.000-04:00
* log: Add Logging Describing Outcome of GetNtlmEndpoint in CAEnrollmentProcessor

* log: CodeRabbit Nits
diff --git a/src/CommonLib/Processors/CAEnrollmentProcessor.cs b/src/CommonLib/Processors/CAEnrollmentProcessor.cs
@@ -133,15 +133,21 @@ private async Task<APIResult<CAEnrollmentEndpoint>> GetNtlmEndpoint(Uri url, boo
 
             try {
                 await authService.EnsureRequiresAuth(url, useBadChannelBinding);
+                _logger.LogDebug("{Url} was accessible. BadChannelBindings: {UseBadChannelBindings}. EndpointType {EndpointType}",
+                    url.AbsoluteUri, useBadChannelBinding, type);
                 return APIResult<CAEnrollmentEndpoint>.Success(output);
             } catch (HttpRequestException ex) {
                 if (ex.InnerException is WebException webEx) {
                     if (webEx.InnerException is SocketException) {
                         output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_PortInaccessible;
+                        _logger.LogDebug("{Url} labeled not vulnerable due to port being inaccessible. EndpointType: {EndpointType}",
+                            url.AbsoluteUri, type);
                         return APIResult<CAEnrollmentEndpoint>.Success(output);
                     }
 
                     if (webEx.Status == WebExceptionStatus.NameResolutionFailure) {
+                        _logger.LogDebug("{Url} could not be resolved. BadChannelBindings: {UseBadChannelBindings}. EndpointType: {EndpointType}",
+                            url.AbsoluteUri, useBadChannelBinding, type);
                         return APIResult<CAEnrollmentEndpoint>.Failure("Could not resolve hostname");
                     }
 
@@ -151,12 +157,18 @@ private async Task<APIResult<CAEnrollmentEndpoint>> GetNtlmEndpoint(Uri url, boo
                         switch (statusCode) {
                             case HttpStatusCode.NotFound:
                                 output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_PathNotFound;
+                                _logger.LogDebug("Path not found for {Url}; marking not vulnerable. BadChannelBindings: {UseBadChannelBindings}. EndpointType: {EndpointType}",
+                                    url.AbsoluteUri, useBadChannelBinding, type);
                                 break;
                             case HttpStatusCode.Forbidden:
                                 // Returned if the IIS is configured to require SSL (so no HTTP possible)
                                 output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_PathForbidden;
+                                _logger.LogDebug("Path forbidden for {Url}; marking not vulnerable. BadChannelBindings: {UseBadChannelBindings}. EndpointType: {EndpointType}",
+                                    url.AbsoluteUri, useBadChannelBinding, type);
                                 break;
                             default:
+                                _logger.LogError("Unexpected status code while checking {Url}. StatusCode {StatusCode}. UseBadChannelBindings: {UseBadChannelBindings}, EnpointType: {EndpointType}",
+                                    url.AbsoluteUri, statusCode, useBadChannelBinding, type);
                                 return APIResult<CAEnrollmentEndpoint>
                                     .Failure(
                                         $"Unexpected status code '{statusCode}' for the URL {url}. UseBadChannelBindings: {useBadChannelBinding}");
@@ -165,42 +177,51 @@ private async Task<APIResult<CAEnrollmentEndpoint>> GetNtlmEndpoint(Uri url, boo
                         return APIResult<CAEnrollmentEndpoint>.Success(output);
                     }
 
-                    _logger.LogError($"WebException occurred: {ex}");
-
+                    _logger.LogError(webEx, "Unhandled WebException while checking {Url}. Exception: {ExceptionMessage}. Inner: {InnerExceptionMessage}  Data: {ExceptionData}",
+                        url.AbsoluteUri, webEx.Message, webEx.InnerException?.Message, webEx.Data);
                     return APIResult<CAEnrollmentEndpoint>
                         .Failure(
                             $"Unhandled WebException. Url: {url}. Exception: {webEx.Message}. Inner: {webEx.InnerException?.Message}  Data: {webEx.Data}");
                 }
-
+                
+                _logger.LogError("HttpRequestException occurred checking NTLM accessibility for URL: {Url}. Exception: {Message}", url.AbsoluteUri, ex.Message);
                 return APIResult<CAEnrollmentEndpoint>
                     .Failure(
                         $"HttpRequestException occured checking NTLM accessibility for URL: {url}. Exception: {ex.Message}");
             } catch (HttpUnauthorizedException ex) {
                 if (useBadChannelBinding == true) {
                     output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_NtlmChannelBindingRequired;
+                    _logger.LogDebug("{Url} labeled as not vulnerable, NTLM channel binding is required", url.AbsoluteUri);
                     return APIResult<CAEnrollmentEndpoint>.Success(output);
                 }
 
+                _logger.LogError("Unauthorized exception checking NTLM accessibility for URL: {Url}. Exception: {Message}", url.AbsoluteUri, ex.Message);
                 return APIResult<CAEnrollmentEndpoint>
                     .Failure(
                         $"401 Unauthorized exception checking NTLM accessibility for URL: {url}. Exception: {ex.Message}");
             } catch (HttpForbiddenException) {
                 output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_PathForbidden;
+                _logger.LogDebug("{Url} labeled not vulnerable as the path was forbidden.", url.AbsoluteUri);
                 return APIResult<CAEnrollmentEndpoint>
                     .Success(output);
             } catch (HttpServerErrorException) {
                 output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_PathNotFound;
+                _logger.LogDebug("{Url} labeled not vulnerable as the path was not found.", url.AbsoluteUri);
                 return APIResult<CAEnrollmentEndpoint>
                     .Success(output);
             } catch (MissingChallengeException) {
                 output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_NoNtlmChallenge;
+                _logger.LogDebug("{Url} labeled not vulnerable as no NTLM challenge.", url.AbsoluteUri);
                 return APIResult<CAEnrollmentEndpoint>
                     .Success(output);
             } catch (ExtendedProtectionMisconfiguredException) {
                 output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_EpaMisconfigured;
+                _logger.LogDebug("{Url} labeled not vulnerable as EPA is misconfigured.", url.AbsoluteUri);
                 return APIResult<CAEnrollmentEndpoint>
                     .Success(output);
             } catch (Exception ex) {
+                _logger.LogError("An unhandled exception occurred checking NTLM accessibility for URL: {Url}. BadChannelBindings: {UseBadChannelBindings}. EndpointType: {EndpointType}. Exception: {Message}",
+                    url.AbsoluteUri, useBadChannelBinding, type, ex.Message);
                 return APIResult<CAEnrollmentEndpoint>
                     .Failure(
                         $"Unhandled exception checking NTLM accessibility for URL: {url}. BadChannelBindings: {useBadChannelBinding}.  Exception: {ex.Message}");
