BED-6657 - Adding Additional Logging around NTLM Authentication (#254)

Michael Cuomo · web-flow · commit 057a598970fc · 2025-10-22T08:54:39.000-04:00
* log: Add Logging Describing Outcome of GetNtlmEndpoint in CAEnrollmentProcessor

* log: CodeRabbit Nits

* chore: Adding more Logging around NTLM Authentication

* chore: Coderabbit Suggestions
diff --git a/src/CommonLib/Ntlm/HttpNtlmAuthenticationService.cs b/src/CommonLib/Ntlm/HttpNtlmAuthenticationService.cs
@@ -37,7 +37,8 @@ public async Task EnsureRequiresAuth(Uri url, bool? useBadChannelBindings) {
 
         var supportedAuthSchemes = await GetSupportedNtlmAuthSchemesAsync(url);
 
-        _logger.LogDebug($"Supported NTLM auth schemes for {url}: " + string.Join(",", supportedAuthSchemes));
+        _logger.LogDebug("Supported NTLM auth schemes for {Url}: {AuthSchemes}. UseBadChannelBindings: {UseBadChannelBinding}. UseBadChannelBindings is null: {UseBadChannelBindingsIsNull}", 
+            url, string.Join(",", supportedAuthSchemes), useBadChannelBindings ?? false, !useBadChannelBindings.HasValue);
 
         foreach (var authScheme in supportedAuthSchemes) {
             if (useBadChannelBindings == null) {
diff --git a/src/CommonLib/Ntlm/NtlmAuthenticationHandler.cs b/src/CommonLib/Ntlm/NtlmAuthenticationHandler.cs
@@ -38,22 +38,35 @@ public virtual async Task<object> PerformNtlmAuthenticationAsync(INtlmTransport
             Options.Signing,
             Options.Signing
         );
+        _logger.LogTrace("Starting {MethodName}", nameof(PerformNtlmAuthenticationAsync));
 
+        _logger.LogTrace("Check if cancellation token is requested.");
         cancellationToken.ThrowIfCancellationRequested();
+        _logger.LogTrace("After if cancellation token is requested.");
 
         // NEGOTIATE
+        _logger.LogDebug("Initial NTLM Negotiate Step.");
         var negotiateMsgBytes = context.Step();
+        _logger.LogTrace("Negotiate Step Complete.");
 
         // CHALLENGE
+        _logger.LogDebug("Challenge Negotiate bytes.");
         var challengeMessageBytes = await transport.NegotiateAsync(negotiateMsgBytes);
+        _logger.LogTrace("Challenge Negotiate bytes complete.");
 
+        _logger.LogTrace("Check if cancellation token is requested.");
         cancellationToken.ThrowIfCancellationRequested();
+        _logger.LogTrace("After if cancellation token is requested.");
 
         // AUTHENTICATE
+        _logger.LogDebug("Perform NTLM Authentication Step.");
         var authenticateMsgBytes = context.Step(challengeMessageBytes);
+        _logger.LogTrace("NTLM Authentication Step Complete.");
 
         // Perform final authentication
+        _logger.LogDebug("Perform final NTLM Authentication.");
         var response = await transport.AuthenticateAsync(authenticateMsgBytes);
+        _logger.LogTrace("After authentication complete.");
 
         return response;
     }
diff --git a/src/CommonLib/Processors/CAEnrollmentProcessor.cs b/src/CommonLib/Processors/CAEnrollmentProcessor.cs
@@ -167,7 +167,7 @@ private async Task<APIResult<CAEnrollmentEndpoint>> GetNtlmEndpoint(Uri url, boo
                                     url.AbsoluteUri, useBadChannelBinding, type);
                                 break;
                             default:
-                                _logger.LogError("Unexpected status code while checking {Url}. StatusCode {StatusCode}. UseBadChannelBindings: {UseBadChannelBindings}, EnpointType: {EndpointType}",
+                                _logger.LogError("Unexpected status code while checking {Url}. StatusCode {StatusCode}. UseBadChannelBindings: {UseBadChannelBindings}, EndpointType: {EndpointType}",
                                     url.AbsoluteUri, statusCode, useBadChannelBinding, type);
                                 return APIResult<CAEnrollmentEndpoint>
                                     .Failure(
@@ -187,7 +187,7 @@ private async Task<APIResult<CAEnrollmentEndpoint>> GetNtlmEndpoint(Uri url, boo
                 _logger.LogError("HttpRequestException occurred checking NTLM accessibility for URL: {Url}. Exception: {Message}", url.AbsoluteUri, ex.Message);
                 return APIResult<CAEnrollmentEndpoint>
                     .Failure(
-                        $"HttpRequestException occured checking NTLM accessibility for URL: {url}. Exception: {ex.Message}");
+                        $"HttpRequestException occurred checking NTLM accessibility for URL: {url}. Exception: {ex.Message}");
             } catch (HttpUnauthorizedException ex) {
                 if (useBadChannelBinding == true) {
                     output.Status = CAEnrollmentEndpointScanResult.NotVulnerable_NtlmChannelBindingRequired;
