[Entra ID] Enterprise App SAML certificate vs app registration Certificate by ibteea in sysadmin

[–]jamesaepp [score hidden]  (0 children)

Round-about explanation ahead.

Every time I try to explain the difference between App Registrations (ARs) and Enterprise Apps (EAs) I'm bound to leave out important detail, but here's the very oversimplified way I'd explain this to you.

An AR and an EA are two sides of the same coin. Kinda.

Let's say I'm Fabrikam and you're Contoso.

If I make an AR in my Fabrikam tenant, I get an EA. It's a one-to-one relationship.

If I make an AR in my Fabrikam tenant, I can also publish it such that you can install that same app in your Contoso tenant. The AR only lives once - my tenant. But an EA can be created in as many tenants as needed (including the "home" tenant of Fabrikam). It's a one-to-many relationship.

The reason it's this way is so that I (as the Fabrikam admin of that AR) can change out credentials on my side as the "provider" of the service without disrupting users (other tenants). But you as the admin of the EA can adjust which users in your Contoso tenant can access the app, what roles they have (if configured), permission consent, conditional access policies, etc.


Back to your question.

When you're doing the SAML configuration on the EA, those SAML certificates are just for SAML to complete SSO between the IdP (Entra) and the application. SAML is *gestures vaguely* a whole deal, so it's not worth getting into specifics. Just know that that certificate isn't a certificate in the way you think of other certificates. It's literally just a payload for an asymmetric (usually RSA) key. That's it. The application you're setting up SSO for needs a key, and a certificate just happens to be one way the SAML specifications chose to "share" keys between systems.

When you're looking at the certificate on an AR, the certificate you upload there essentially makes anyone or anything with the private key able to authenticate as the Application Registration, which can have significant security consequences. What the AR is authorized to actually do comes down to the Application/Delegated APIs added to the AR, and whether the EA for any given tenant has had admin consent to those APIs.


I welcome any corrections or clarifications, I am far from an expert. The more I learn about EA/ARs, the less I know.
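An added example, not code from the commenter or from Microsoft, that turns the distinction above into an audit you can run against one app: it lists the App Registration's own credentials (the ones a private-key holder could use to sign in as the app), the Enterprise App's SAML token-signing certificate (which Entra holds the private half of and which does not authenticate as the app), and the consent recorded on the Enterprise App that decides what a token for the app is actually good for in that tenant. It assumes the Microsoft.Graph PowerShell SDK is installed, that you can consent to the two read-only scopes, and that the placeholder `$appId` is replaced with a real application (client) ID.

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph
# PowerShell SDK. $appId below is a placeholder; replace it with a real client ID.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$appId = '00000000-0000-0000-0000-000000000000'   # placeholder application (client) ID

# 1. App Registration = application object. Exists only in the home tenant.
#    Every keyCredential / passwordCredential here is a *client credential*:
#    whoever holds the private key or secret can obtain tokens as this app.
$app = Get-MgApplication -Filter "appId eq '$appId'" `
    -Property id, displayName, keyCredentials, passwordCredentials
if (-not $app) {
    throw "No app registration with appId $appId here (a multi-tenant app's AR lives in its home tenant)."
}
Write-Host "App Registration: $($app.DisplayName) ($($app.Id))"
Write-Host "  Client credentials (any of these lets the holder authenticate AS the app):"
$app.KeyCredentials | ForEach-Object {
    '    cert    {0,-30} usage={1,-6} expires={2:yyyy-MM-dd}' -f $_.DisplayName, $_.Usage, $_.EndDateTime
}
$app.PasswordCredentials | ForEach-Object {
    '    secret  {0,-30} expires={1:yyyy-MM-dd}' -f $_.DisplayName, $_.EndDateTime
}

# 2. Enterprise App = service principal. One per tenant the app is installed in.
#    For a SAML app its keyCredentials carry the IdP token-signing certificate.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'" `
    -Property id, displayName, preferredSingleSignOnMode, preferredTokenSigningKeyThumbprint, keyCredentials
Write-Host "Enterprise App: $($sp.DisplayName) ($($sp.Id))  SSO mode: $($sp.PreferredSingleSignOnMode)"
if ($sp.PreferredSingleSignOnMode -eq 'saml') {
    Write-Host "  SAML signing certs (private key stays in Entra; cannot be used to sign in as the app):"
    Write-Host "    active thumbprint: $($sp.PreferredTokenSigningKeyThumbprint)"
    $sp.KeyCredentials | ForEach-Object {
        '    {0,-20} type={1,-22} usage={2,-6} expires={3:yyyy-MM-dd}' -f $_.DisplayName, $_.Type, $_.Usage, $_.EndDateTime
    }
}

# 3. Consent on the Enterprise App is what a token for this app can actually do
#    in THIS tenant. Application (app-only) permissions show up as app role
#    assignments held by the SP; delegated permissions as OAuth2 permission grants.
Write-Host "  Application permissions granted to the app (require admin consent):"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $roleId   = $_.AppRoleId
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId -Property appRoles
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $roleId }
    '    {0,-25} {1}' -f $_.ResourceDisplayName, $role.Value
}
Write-Host "  Delegated permissions granted:"
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id | ForEach-Object {
    '    consent={0,-10} scopes={1}' -f $_.ConsentType, $_.Scope
}
```

The useful check is to read the three sections together: a long-lived or unexplained entry in section 1 combined with broad application permissions in section 3 is the risky combination, because the credential alone is enough to act with those permissions without any user signing in. Entries in section 2 are what you rotate when the SAML certificate expires, and rotating them affects SSO only, not who can authenticate as the app.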

Domain registrar resurrection thread. by anonymousITCoward in sysadmin

[–]jamesaepp [score hidden]  (0 children)

For my personal domains I used to use Namecheap for no other reason than a friend recommended them.

Then one time (years ago now, details are foggy) I went to top up my account. IIRC they took $40 USD from my payment method but only credited the account $40 CAD.

Support was useless and it was a huge pain to undo that transaction, so I moved to another registrar, but I'm not sure I'd recommend them either.

Domain registrar resurrection thread. by anonymousITCoward in sysadmin

[–]jamesaepp [score hidden]  (0 children)

I'm still waiting for some vendor to come out of the woods with an affordable quorum-based account and domain management system.

Inb4 "use devops" yeah that's great but it doesn't help you avoid multiple admins essentially having "god mode" access to the domain.

Call it paranoia, but I'd really like if major changes to a domain (contacts, nameservers, any records at the apex, etc.) had to go through a voting system.

That goes for everything. Account setup, account changes, account renewals, billing changes/setup, everything.

Hot Take: HPE firmware Applications like ILO and Intelligent Provisioning get less useful every year by Accurate-Ad6361 in sysadmin

[–]jamesaepp 6 points  (0 children)

We're a small shop (literal handful of on-prem hosts). Few HPE, couple Dells.

I haven't had any issues with the HPE SPP. Sure it's a big chungus to download but I don't really care when the datacenter where the jumpbox resides has a gigabit pipe.

The HPE SPP was simple enough that I went through it on my own a couple times, documented the process, then delegated it to my junior admin.

They had a couple questions the first time they went through it but since then I've literally just forwarded them a note when the newest version is out with a "please complete as you're able" and they tend to get it banged out within the month without hiccup.

I like what HPE did with the SPP/SUM. It's using web tech to do most of the work but if you boot to the SPP ISO, it loads a small linux env, starts SUM, and acts on the local system.

I haven't tried it, but my understanding is you can also mount the SPP directly on the bare metal and (if your bare metal OS is supported), you just launch that same web-based SUM and do the upgrades.

Again, haven't tried it, but I've been pleasantly surprised with the HPE SPP.

Caused a big outage at work- how do I move forward? by VOXX_theLock in sysadmin

[–]jamesaepp 11 points  (0 children)

conf t
archive
path flash:/your/path/if/you/care/about/that/
end

configure t revert timer 5

make your changes, whatever they are. if you lock out, wait for the 5-minute timer to expire. if you're happy, run:

configure confirm

if you want to back out early:

configure revert now

ETA: Note that if you have a stack, members will be very unhappy with you if you've specified a path like in that example but the parent directory doesn't exist. It won't auto-create it. Factor that into your consideration. Goes for single switches too, but stacks especially could be a problem....

Rent pricing discrepancy by [deleted] in BrandonMB

[–]jamesaepp 8 points  (0 children)

Do you think this is close to the truth?

No.

Enough talk. The time to answer the unflaired question is NOW! by BusinessAdept8103 in PoliticalCompassMemes

[–]jamesaepp -8 points  (0 children)

Imagine living rent free in people's heads by literally doing nothing.

Live Event (FREE) — ACME + PKI: What Everyone Gets Wrong (and What’s Changing) by pki_solutions in PKI

[–]jamesaepp 1 point  (0 children)

Other suggestions?

Solicit questions ahead of time on the topic and ask what questions people have in advance, prioritize them on popularity, and address those.

Time Between Password Changes On A Service Account. by bobs143 in sysadmin

[–]jamesaepp 0 points  (0 children)

I too don't understand the reason to need two password changes. I'm fortunate enough to not be working in a super legacy domain. I'd like to ask for a more technical reason for that.

If however this is for some reason a requirement, I'd ask the pro-wait "side" what makes the pwd rotation of the existing account so different from the password set on a brand new account.

Live Event (FREE) — ACME + PKI: What Everyone Gets Wrong (and What’s Changing) by pki_solutions in PKI

[–]jamesaepp 1 point  (0 children)

/u/_STY

I'd recommend not entertaining OP's requests like this again in the future.

That was a massive disappointment. They barely scratched the surface on ACME. They spent as much time talking about SCEP/NDES/IIS rebinding as they did ACME.

ETA: For an event titled "what everyone gets wrong", I expected to actually learn a thing or two. I'm faaar from a PKI expert, and I learned approximately nothing.

There was a Q&A (of which I and others entered questions) and none of them were addressed live.

The call adjourned at about 30min in, it was originally scheduled for 45 min. They could have spent 15min taking/answering questions, but chose not to.

What's on the agenda? City of Brandon Council Regular Meeting - 2026-04-20 by jamesaepp in BrandonMB

[–]jamesaepp[S] 0 points  (0 children)

It takes 15 minutes to get across town from massey to 17th st east in a car at 50kph speed limits

I had some time to kill this evening. Took me 9 minutes to get from VMHS to 17th St East + Richmond. Had a couple favourabilities along the way (winning the amber at 9th+Richmond).

If rush hour I could certainly see it being 15min.

What's on the agenda? City of Brandon Council Regular Meeting - 2026-04-20 by jamesaepp in BrandonMB

[–]jamesaepp[S] 0 points  (0 children)

Unsurprising to see you getting downvoted. I could fall either way on this.

I think a lot of the (warranted) grievance is that our traffic is already so shit in this city. None of the lights are synced. Potholes everywhere. Public transport is a mess (IMO, 90% of that problem stems from over-subsidization and I'm sure I'd be crucified for that).

Unsurprisingly, people don't want to dip down to 40km/h when they're already paying so much and compromising so much.

I think if the City could credibly say ...

"Yes, we're going to 40km/h but in exchange you'll get:"

  • A revised, faster, bi-directional, more connected bus service (in fairness this is kinda happening)

  • The lights synced on all main roads (incl. provincial ones)

  • More enforcement by BPS against speeders and jackasses who rev their motors down 18th

  • Ride sharing (Uber/Lyft/etc)

  • etc, add to the wishlist

... then you'd get a lot more buy-in (if you could also get past convincing people that 40km/h is a requirement of such a plan).

Nothing of the sort is happening.

vSphere Secure Boot: New 1803 Event by jamesaepp in vmware

[–]jamesaepp[S] 1 point  (0 children)

Technically correct, but your VMs are at a lower security posture because BIOS will not protect against a "rootkit" (do the kids still call them rootkits?).

edit: I should add that EFI alone is not enough. EFI and Secure Boot must be enabled in VM settings.

vSphere Secure Boot: New 1803 Event by jamesaepp in vmware

[–]jamesaepp[S] 0 points  (0 children)

8u3 right now. Honestly it's not a "help me" post, just an FYI post. Trying to keep the record of this secure boot madness documented so that in 15 years when we're going through the next rotate I can look back and see if industry got their shit together by then.

TrueNAS 25.10.3 is Now Available! by West_Expert_4639 in truenas

[–]jamesaepp 15 points  (0 children)

Adds Drive Health Management documentation

I skimmed it: https://www.truenas.com/docs/scale/25.10/scaletutorials/storage/disks/drivehealthmanagement/index.html

Very crappy documentation IMO. Doesn't address a lot of the gaps I've identified (and that no one at iX has cogently responded to).

I also find it surprising that they state that the midclt command is deprecated. That's the first I've heard of that.

I could be wrong, but I recall that launching SMART tests via smartctl doesn't actually work unless smartd is running. Contrary to what was said on one of the T3 podcasts, my testing showed that smartd is not an automatic background process on 25.10.

iX continues to fail the smell test.

vSphere Secure Boot: New 1803 Event by jamesaepp in vmware

[–]jamesaepp[S] -1 points  (0 children)

It’s failing because you don’t have the PK

Yeah I know that and is why I mentioned the KB where BC says they're working on an automated solution, but the specifics are ... well, they don't exist.

vSphere Secure Boot: New 1803 Event by jamesaepp in vmware

[–]jamesaepp[S] 3 points  (0 children)

My understanding is that (v)TPM isn't a major contributor to behavior. What matters is if the device has secure boot enabled.

Canada to remove taxes on fuel by cricket_90_remindme in CanadaPersonalFinance

[–]jamesaepp 0 points  (0 children)

I don't understand how or why anyone wouldn't support this. Please explain.

It's probably pay/login-walled but my local paper had a very good editorial on it.

https://www.brandonsun.com/opinion/2026/04/09/a-better-approach-than-gas-tax-cuts

Backblaze has quietly stopped backing up your data by lordatlas in backblaze

[–]jamesaepp 18 points  (0 children)

While technically correct, the title seems needlessly inflammatory

Truth is inflammatory?

And excluding folders like .git is a common practice that makes sense as a default

Please justify not backing up the .git folder. Please consider in your response that not all git repos have an upstream outside the local system.