User sees the following output when attempting to execute RepCLI authenticated commands:
Error: You are not authorized to run this command
Command failed, RepMgr encountered an error while processing command
VMware Carbon Black Cloud; Windows sensor
- Enable bypass mode on the sensor from the VMware Carbon Black Cloud Console (Endpoints > Select Endpoint > Take Action > Enable Bypass).
- Open the cfg.ini file as an Administrator in a text editor.
C:\Program Files\Confer - sensor version 3.6 and below
%programdata%\CarbonBlack\DataFiles - sensor version 3.7 and above
- Add the following line with the actual Active Directory group or user SID (Note: Only one SID can be specified; replace <DesiredSID> with an actual SID):
AuthenticatedCLIUsers=<DesiredSID>
- Save changes to cfg.ini using the "Save As" option; maintain the same file name and select a destination outside of the cfg.ini directory (in some cases, it may be necessary to reboot the endpoint for the configuration change to take effect).
- Move the old cfg.ini file out of its file path and keep as a backup.
- Move the new cfg.ini with the SID entry into the appropriate directory.
- Run the following RepCLI command (from an elevated command prompt):
"C:\Program Files\Confer\repcli" updateconfig
- Run the following RepCLI command to disable Bypass:
"C:\Program Files\Confer\repcli" bypass 0
To Enable RepCLI Authentication With Live Response
- Enable bypass mode on the sensor from the VMware Carbon Black Cloud Console.
- Initiate a Live Response session from the Console (Endpoints > Go Live).
- Run the following command in Live Response to edit the Sensor configuration file and allow RepCLI Authentication with the Windows System SID that the LR session utilizes:
exec powershell.exe Add-Content -Path '<insert cfg.ini file path>' -Value AuthenticatedCLIUsers=S-1-5-18
(Note: The above command should be typed out on one line. Also, ensure that the proper file path is specified for the sensor version that is installed on the connected endpoint)
- Change directory in the LR Session to the RepCLI.exe location
cd C:\Program Files\Confer
- Run the following RepCLI command to force the Sensor to reload the configuration file
execfg repcli updateconfig
- Test RepCLI authentication by running a protected command:
execfg repcli bypass 0
execfg repcli cloud hello
- If the commands did not work and the AuthenticatedCLIUsers entry is present in the file, it may be necessary to reboot the endpoint for the change to take effect.
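A read-only check of cfg.ini to run after either procedure above and before rebooting, as an added example that is not VMware's code. The function name Test-RepCliAuthEntry and the sample key ExampleSetting are hypothetical, and the requirement that the key start its own line is an assumption about how the sensor reads the file.

```powershell
# Added example, not vendor code: read-only check of cfg.ini after the edit.
function Test-RepCliAuthEntry {
    param([Parameter(Mandatory)] [string] $CfgPath)  # full path to cfg.ini for the installed sensor version

    $lines    = @(Get-Content -LiteralPath $CfgPath -ErrorAction Stop)
    $hits     = @($lines | Where-Object { $_ -match 'AuthenticatedCLIUsers' })
    $entries  = @($hits  | Where-Object { $_ -match '^AuthenticatedCLIUsers=' })
    $problems = @()

    # Add-Content appends to the last line when the file has no trailing
    # newline, which leaves the key fused onto the preceding setting.
    if ($hits.Count -gt $entries.Count) { $problems += 'key does not start its own line' }
    if ($entries.Count -eq 0) { $problems += 'no AuthenticatedCLIUsers entry found' }
    if ($entries.Count -gt 1) { $problems += "$($entries.Count) entries found (edit applied more than once?)" }

    $sid = $null; $account = $null
    if ($entries.Count -ge 1) {
        $value = ($entries[-1] -replace '^AuthenticatedCLIUsers=', '').Trim()
        try {
            # Only one SID can be specified, so the whole value must parse as a SID.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($value)
            # Name lookup is for the reviewer; it can fail for unreachable domains.
            try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = '(unresolved)' }
        } catch {
            $problems += "value '$value' is not a single valid SID"
        }
    }

    [pscustomobject]@{
        Sid      = [string]$sid
        Account  = $account
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

# Constructed sample: a file with no trailing newline, then the Add-Content step
# from the Live Response procedure, to exercise the fused-line case.
$sample = Join-Path $env:TEMP 'cfg-sample.ini'
[System.IO.File]::WriteAllText($sample, 'ExampleSetting=1')   # hypothetical key, no newline
Add-Content -Path $sample -Value 'AuthenticatedCLIUsers=S-1-5-18'
Test-RepCliAuthEntry -CfgPath $sample
Remove-Item -LiteralPath $sample
```

Point -CfgPath at the cfg.ini location for the installed sensor version; the Account column shows which principal the SID grants RepCLI authentication to, so it can be reviewed before bypass is disabled.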