Carbon Black Cloud: How to troubleshoot issues running authenticated RepCLI commands (Windows)

Article ID: 285329

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

This article provides steps to determine why authenticated RepCLI commands fail to run on the Windows Sensor.
Example error:
    Error: You are not authorized to run this command
    Command failed, RepMgr encountered an error while processing command

Environment

  • Carbon Black Cloud (formerly Predictive Security Cloud or PSC) Console: All Versions
    • CB Defense
    • CB ThreatHunter
  • PSC Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

  1. Connect to endpoint
  2. Launch cmd.exe
  3. Verify the SID currently set for authenticated RepCLI commands
    find "AuthenticatedCLIUsers" "<insert cfg.ini file path>"
  4. Verify the SID of the user and the groups to which they belong
    whoami /user /groups
  5. Compare the SID from step 3 to those shown in step 4

Additional Information

  • A mismatch between the SIDs from steps 3 and 4 is the cause of not being authorized to run RepCLI commands requiring authentication
  • If the user trying to run an authenticated RepCLI command does not match the AuthenticatedCLIUsers field in the cfg.ini file, that user will not be authorized to run such commands
  • The SID specified in the AuthenticatedCLIUsers field (cfg.ini) can either be for a single User account, or for a Group to which the user belongs
  • As authenticated RepCLI commands allow for placing a Sensor into Bypass, re-registration with the backend, etc., it is not advised to use SIDs of insecure Groups and/or Users
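
The comparison in steps 3 to 5 and the caution about insecure Groups can be scripted. The PowerShell below is an added example, not Carbon Black code: it assumes the AuthenticatedCLIUsers line holds SIDs in string form (S-1-...), takes the cfg.ini path as a parameter because the article leaves it as a placeholder, and uses an illustrative list of broad well-known SIDs.

```powershell
# Added example, not vendor code. Run it in the same session that runs RepCLI.
param(
    # The page leaves the cfg.ini location as a placeholder; supply it here.
    [Parameter(Mandatory = $true)][string]$CfgPath
)

# Illustrative list of well-known SIDs that cover almost every account.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-ConfiguredSid {
    param([string[]]$Lines)
    # Step 3: pull every SID-shaped token from the AuthenticatedCLIUsers line.
    # Assumption: the value is stored in string SID form (S-1-...).
    $Lines |
        Where-Object { $_ -match 'AuthenticatedCLIUsers' } |
        ForEach-Object { [regex]::Matches($_, 'S-1-\d+(?:-\d+)+') } |
        ForEach-Object { $_.Value } |
        Select-Object -Unique
}

$configured = @(Get-ConfiguredSid -Lines (Get-Content -LiteralPath $CfgPath))
if ($configured.Count -eq 0) {
    Write-Warning "No SID found on an AuthenticatedCLIUsers line in $CfgPath"
    exit 2
}

# Step 4: SIDs of the current user and the groups in the current token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Step 5: compare, and flag SIDs that are too broad to gate sensor bypass.
foreach ($sid in $configured) {
    $name = try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }
    [pscustomobject]@{
        ConfiguredSid  = $sid
        ResolvesTo     = $name
        InCurrentToken = $tokenSids -contains $sid
        TooBroad       = $BroadSids.ContainsKey($sid)
    }
}
```

If InCurrentToken is False for every configured SID, that is the mismatch described above. The access token differs between elevated and non-elevated prompts, so run the check from the prompt in which RepCLI is actually used.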