License Type | SaaS & On-Premise |
Agent Mode | Assess & Protect |
Main Product Category | .NET Agent |
Sub Category | Connectivity |
Issue
You're experiencing one or more of the following symptoms:
- The .NET agent doesn't start successfully.
- The Contrast Tray and/or .NET agent logs report errors when connecting to the Contrast application:
  .NET Agent Windows Service failed to start. The agent cannot connect to TeamServer at: https://app.contrastsecurity.com.
- Data from a server with the installed agent doesn't appear in the Contrast interface.
Cause
There can be several causes for this error, but the end result is the same: the agent cannot communicate with the Contrast UI and therefore cannot continue.
If the error states:
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
then generally it is a failure to recognize the root CA.
If the error states one of the following:
System.Net.WebException: The remote name could not be resolved
Response Code: Unauthorized
Response Code: PreconditionFailed
then there is likely a credential error in the agent's configuration file.
The following error transitioning app domains may be experienced if your application targets a .NET Framework version prior to 4.7:
Exception communicating with Contrast. Error: Error communicating with Contrast for request URL:'/Contrast/api/ng/servers/'. Exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Exception: HttpRequestException cannot transition between app domains. Exception data was truncated at the boundary.
In the .NET Agent Sensor logs, search for "TargetFramework:" to confirm the version of the .NET Framework being targeted.
Resolution
Certificate Issues
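The following PowerShell commands, run on the server, save the certificate the server receives from https://app.contrastsecurity.com as contrast.cer:
# Use TLS 1.2 for this session
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$webRequest = [Net.WebRequest]::Create("https://app.contrastsecurity.com")
# The request may fail certificate validation; the certificate is still recorded on the ServicePoint
try { $webRequest.GetResponse() } catch {}
$cert = $webRequest.ServicePoint.Certificate
# Export the certificate in DER form and write it to contrast.cer in the current directory
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
# -Encoding Byte is Windows PowerShell 5.1 syntax
Set-Content -Value $bytes -Encoding Byte -Path "$pwd\contrast.cer"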
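Before picking one of the options below, it helps to see who issued the certificate the server actually receives and why Windows rejects it. The following is an added example, not part of the original article or of Contrast's tooling; it assumes Windows PowerShell 5.1, and $ContrastUrl and Get-ChainReport are names chosen here for illustration.

```powershell
# Added example. $ContrastUrl is an assumption: use the host from api.url
# in contrast_security.yaml if you run an on-premise Contrast UI.
$ContrastUrl = 'https://app.contrastsecurity.com'

function Get-ChainReport {
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    # Revocation lookups are often blocked on the same network path; skip them
    # so that only trust-path errors are reported.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        Thumbprint  = $Certificate.Thumbprint
        NotAfter    = $Certificate.NotAfter
        Trusted     = $trusted
        ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        ChainPath   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$request = [Net.WebRequest]::Create($ContrastUrl)
try { $request.GetResponse().Close() }
catch { Write-Host "Request error (expected when validation fails): $($_.Exception.Message)" }

# The certificate is recorded on the ServicePoint even when validation failed
$raw = $request.ServicePoint.Certificate
if ($null -eq $raw) {
    throw "No certificate received from $ContrastUrl; check DNS, proxy and firewall first."
}

$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw
$report = Get-ChainReport -Certificate $cert
$report | Format-List

if ($report.Trusted) {
    Write-Host 'The chain validates for this user on this machine.'
} elseif (($report.ChainErrors -contains 'UntrustedRoot') -or
          ($report.ChainErrors -contains 'PartialChain')) {
    Write-Host 'The issuing CA is not trusted here. Confirm the Issuer and Thumbprint above with the proxy/firewall admin before trusting it.'
} else {
    Write-Host "The chain failed for another reason: $($report.ChainErrors -join ', ')"
}
```

The chain is built with the trust stores visible to the account running the script, so a result of Trusted here only carries over to the agent if the issuing CA is in the Local Machine store.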
Option One - Obtain an exception
Contact the admin of the proxy/firewall (for example: BlueCoat) to see if a bypass can be added for this application server.
Option Two - Trust the certificate
On Windows, double-click the certificate to open it and select "Install Certificate...". Follow the wizard prompts to install the certificate to the Trusted Root Certification Authorities certificate store for the Local Machine.
On Linux, the certificate must be in PEM format with the extension .crt - you can acquire that using openssl as follows:
openssl s_client -showcerts -connect {Contrast UI hostname}:{port} </dev/null 2>/dev/null | openssl x509 -outform PEM > contrast.crt
Then import it into the system's trust store by running the following commands as root (note that the ca-certificates package must be installed on the system for this to succeed):
cp contrast.crt /usr/local/share/ca-certificates/
update-ca-certificates
Option Three - Ignore certificate exceptions
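Certificate errors can be ignored by adding the following to the contrast_security.yaml file on the server. With this setting the agent ignores certificate verification errors on its connection to the Contrast UI, so it will also accept a certificate from an unexpected issuer.
api:
  certificate:
    ignore_cert_errors: true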
Configuration Issues
For other issues, open the .NET agent's configuration file, contrast_security.yaml, which is located in the agent's working directory (i.e., %ProgramData%\Contrast\dotnet\). Then:
- Verify that the url value is correct. It should look similar to the following, although it will vary if you have an on-premise Contrast UI install:
  api:
    url: https://app.contrastsecurity.com/Contrast
  Check the URL can be reached from a normal web browser on the server. If it can't be reached, you should review the network path and related settings between the server and the Contrast application.
- Verify proxy settings. If a normal web browser can connect to Contrast but the agent can't, the agent might be missing the proxy settings required by your network environment. You can configure a proxy using the following settings:
  api:
    proxy:
      enable: true
      url: <proxy url with port and scheme>
      user: <proxy user if required>
      pass: <proxy password if required>
      auth_type: <proxy auth type if required>
- Verify that the values of service_key and api_key are correct. If the above settings are correct, the API key used by your organization might have changed. Follow these directions to view your current API Key.
Error Transitioning app domains
api:
  tls_versions: tls12
agent:
  dotnet:
    enable_http_client_app_domain_isolation: false
More detail on the .NET agent's configuration properties can be found here. All properties can also be set as environment variables - this is especially useful if it's not possible to store the proxy password in a configuration file.