Issue
User sees the following output when attempting to execute RepCLI authenticated commands:
Error: You are not authorized to run this command
Command failed, RepMgr encountered an error while processing command
Environment
VMware Carbon Black Cloud; Windows sensor
Resolution
- Enable bypass mode on the sensor from the VMware Carbon Black Cloud Console (Endpoints > Select Endpoint > Take Action > Enable Bypass).
- Open the cfg.ini file as an Administrator in a text editor.
(C:\Program Files\Confer) - sensor version 3.6 and below
(%programdata%\CarbonBlack\DataFiles) - sensor version 3.7 and above
- Add the following line with the actual Active Directory Group or User SID (Note: Only one SID can be specified; replace <DesiredSID> with an actual SID)
AuthenticatedCLIUsers=<DesiredSID>
e.g. AuthenticatedCLIUsers=S-1-5-32-1045337234-12924708993-5683276719-19000
- Ensure that the SID being used is for a valid user with administrative permissions. SIDs for disabled accounts will not work.
- Execute the following command from an elevated command prompt to find SIDs associated with the local device:
whoami /groups
- Save changes to cfg.ini using the "Save As" option; maintain the same file name and select a destination outside of the cfg.ini directory (in some cases, it may be necessary to reboot the endpoint for the configuration change to take effect).
- Move the old cfg.ini file out of its file path and keep it as a backup.
- Move the new cfg.ini with the SID entry into the appropriate directory.
- Run the following RepCLI command (from an elevated command prompt):
"C:\Program Files\Confer\repcli" updateconfig
- Run the following RepCLI command to disable Bypass:
"C:\Program Files\Confer\repcli" bypass 0
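The file-editing steps above can also be staged with a script. The following is an added example, not VMware's own tooling: it resolves an account name to its SID and writes a copy of cfg.ini containing exactly one AuthenticatedCLIUsers line to a staging folder outside the cfg.ini directory. The account name, the staging folder and the ASCII file encoding are assumptions; the default path is the one for sensor version 3.7 and above.

```powershell
# Added example: stage an updated cfg.ini with a single AuthenticatedCLIUsers entry.
# Run from an elevated PowerShell prompt while the sensor is in bypass mode.
param(
    [string]$Account  = 'EXAMPLE\RepCLI-Admins',   # hypothetical AD group or user name
    [string]$CfgPath  = "$env:ProgramData\CarbonBlack\DataFiles\cfg.ini",
    [string]$StageDir = "$env:TEMP\cfg-stage"       # assumed staging folder
)
$ErrorActionPreference = 'Stop'

# The staged copy must not be written into the directory that holds cfg.ini.
$cfgDir = Split-Path -Parent $CfgPath
if ((Join-Path $StageDir '') -eq (Join-Path $cfgDir '')) {
    throw 'Staging directory must be outside the cfg.ini directory.'
}

# Resolve the name to a SID; Translate() throws if the account cannot be resolved.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Drop any existing entry first: only one SID can be specified, so a blind
# append on a second run would leave two conflicting lines in the file.
$pattern = '^\s*AuthenticatedCLIUsers\s*='
$lines   = @(Get-Content -LiteralPath $CfgPath | Where-Object { $_ -notmatch $pattern })
$lines  += "AuthenticatedCLIUsers=$sid"

# Write the new file under the same name, and keep a backup of the original.
# Assumption: cfg.ini is plain ASCII text.
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
$staged = Join-Path $StageDir 'cfg.ini'
Set-Content -LiteralPath $staged -Value $lines -Encoding ASCII
Copy-Item  -LiteralPath $CfgPath -Destination (Join-Path $StageDir 'cfg.ini.bak') -Force

# Verify the staged copy before it is moved into place by hand.
$count = @(Select-String -LiteralPath $staged -Pattern $pattern).Count
if ($count -ne 1) { throw "Expected one AuthenticatedCLIUsers line, found $count." }

[pscustomobject]@{ Account = $Account; Sid = $sid; StagedFile = $staged }
```

The script only stages the files; moving the staged cfg.ini into the sensor directory and running updateconfig remain manual steps as described above.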
To Enable RepCLI Authentication With Live Response
- Enable bypass mode on the sensor from the VMware Carbon Black Cloud Console.
- Initiate a Live Response session from the Console (Endpoints > Go Live).
- Run the following command in Live Response to edit the Sensor configuration file and allow RepCLI Authentication with the Windows System SID that the LR session utilizes:
exec powershell.exe Add-Content -Path '<insert cfg.ini file path>' -Value AuthenticatedCLIUsers=S-1-5-18
(Note: The above command should be typed out on one line. Also, ensure that the proper file path is specified for the sensor version that is installed on the connected endpoint)
- Change directory in the LR Session to the RepCLI.exe location
cd C:\Program Files\Confer
- Run the following RepCLI command to force the Sensor to reload the configuration file
execfg repcli updateconfig
- Test RepCLI authentication by running a protected command:
execfg repcli bypass 0
or
execfg repcli cloud hello
- If the commands did not work even though the AuthenticatedCLIUsers entry was added to the file, it may be necessary to reboot the endpoint for the change to take effect.