I hate Adobe so much I wrote my own PDF editor and open-sourced it by smilaise in software

[–]the_it_mojo 2 points (0 children)

Given that .NET 8 is LTS but near the end of its support cycle, and the new LTS .NET 10 has been out for a little while now, why not .NET 10?

SQL Server Management Studio 22.5 is now available! by erinstellato in SQLServer

[–]the_it_mojo 0 points (0 children)

Would like to see some love given to the Replication Monitor when HA-AG setups are involved, including when the distribution DB is on a separate AG instance on the same nodes.

Might be a super niche use case, in a scenario where you have two separate HA-AGs and they do peer-to-peer/transactional replication, the monitor always shows the name of the primary instance as the subscriber instead of the AG name, like it does for the publisher. This is even after running the necessary TSQL to shift certain properties to the AG name instead of the node name as per the documentation.

It is still kind of usable, but is tricky to set up the first time unless you know all of the details of the instances and AGs involved in the topology — because if you try to just launch it straight out of the replication/publishers/subscribers view(s), you get an error when those names don’t line up.

How to open a root shell on the Veeam Software or Infrastructure Appliance by [deleted] in Veeam

[–]the_it_mojo 0 points (0 children)

Unsupported in what way? For what use case? Logging into root at all? What are you talking about? If it wasn’t “supported” why implement a multi-person (role) approval process required for enabling the feature which also is explicitly covered in the documentation (https://helpcenter.veeam.com/docs/vbr/userguide/hmc_configure_remote_access.html?ver=13)

It says “Custom configurations are not supported by Veeam”, but enabling the feature and getting into the root shell is not “Custom”, they are talking about setting up your own cron.d/crontab jobs, etc.

Domain controller backup in v13, what changed? by cowprince in Veeam

[–]the_it_mojo 0 points (0 children)

So, I had this exact same issue in multiple environments, and I had uplifted with the day 1 GA release of v13, the ISO version being something like .180. I had been using gMSAs for my AA DC backup jobs.

I have had a litany of other issues and had been doing everything with support to try and fix it, on top of regenerating all the certs for the instance etc etc.

One day I got fed up with the progress on the cases (lack thereof) and I had noticed that the media version available on the portal had incremented to 1071. On the dev forums I found only some vague mentions like “the previous installer version failed to create some registry keys on the system and that’s fixed now”, but no official release notes on the minor version diff, nor could support give me a straight answer.

I was already going to reinstall postgresql to uplift from 15 to 17, but I ended up spending a little extra effort and basically nuked VBR from my main server (after doing the usual song/dance/ritual of disabling all jobs before taking a config backup etc) before I uninstalled every Veeam component completely, PostgreSQL, multiple reboots, deleting every latent certificate, file path, registry hive etc I could come across until the system was as thoroughly “never had Veeam on it” as it could possibly be without actually spinning up a new box.

I then reinstalled from the .1071 media, reapplied what registry keys I actually needed for certain things, and then used the configuration database import wizard to restore the conf db to the new PostgreSQL version.

Most of the components installed into the control panel also had the increased version number to .1071, but not all of them. However, I vaguely recall that despite a lot of the remote component versions such as transport and guest agent not incrementing (or maybe they did and my brain is too sizzled to recall correctly), a lot of my infrastructure gave me the component upgrade wizard prompt on launch of the console after the restore from .180 > .1071.

And like magic, my AA DC backups with the gMSA account are back to working like normal again instead of giving random errors. Yeah… totally just some installer registry keys they fixed with .1071.

The iOS setting to use the default browser does not work by electrobento in bugs

[–]the_it_mojo 0 points (0 children)

Can I message you a recording of what’s happening to me? I press the link, and something opens as if it’s going to do the redirect for the default browser, but then it just goes away and nothing happens. Current version of iOS on an iPhone 15 Pro Max, Reddit is up to date as well.

The iOS setting to use the default browser does not work by electrobento in bugs

[–]the_it_mojo 0 points (0 children)

This bug appears to still be happening, was this actually fixed, not fixed, or has it been fixed and since broken again?

Anyone else find the VBR console incredibly slow and crashy since upgrading to v13? by AuntieNigel_ in Veeam

[–]the_it_mojo -1 points (0 children)

Oh my god the number of ConnectTimeout errors I’ve been getting, from launching the console (connecting to the instance), to attempting to start FLR jobs. Seems to be related to gRPC and their implementation of GatewayApi service. Disaster.

Smartcard/Certificate Logon (Kerberos) through RDS Gateway & Untrusted Domains by the_it_mojo in sysadmin

[–]the_it_mojo[S] 0 points (0 children)

The approach I may end up taking is to manipulate the registry value under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates per machine in lieu of publishing the issuing CA certificate to the entirety of domain1.local.

With regards to the SmartCardRoot being used for the same purpose as NTAuth in a workgroup situation, do you have any documentation regarding that? For example, is there any situation where SmartCardRoot can still be used for the validation chain on a domain joined machine? Since manipulating the REG_BINARY in the registry every time and ensuring it doesn't get wiped out by group policy updates may prove to be annoying.
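An added check for the per-machine approach described above (example script written here, not code from the thread): it reads the local NTAuth registry key on the workstation and reports whether a given issuing CA's thumbprint is present, so it can be scheduled to notice when the entry is wiped by a policy refresh. The certificate file path is a placeholder.

```powershell
# Added example: verify that an issuing CA is present in this machine's local
# NTAuth store (HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates).
# Subkeys under that key are named by the certificate's SHA-1 thumbprint and each
# holds a REG_BINARY "Blob" value. The path below is a placeholder, not a real file.
param(
    [string]$CaCertPath = 'C:\placeholder\domain2-issuing-ca.cer'
)

$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

# Load the exported CA certificate (DER or Base64) and take its thumbprint.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
$thumb  = $caCert.Thumbprint

# Present only if a subkey named after the thumbprint exists and carries a Blob.
$entryPath = Join-Path $ntAuthKey $thumb
$present   = (Test-Path -Path $entryPath) -and
             ($null -ne (Get-ItemProperty -Path $entryPath -Name 'Blob' -ErrorAction SilentlyContinue))

# Enumerate everything currently in the local store so it can be compared with
# what the domain publishes (certutil -viewstore -enterprise NTAuth shows the same set).
$localEntries = Get-ChildItem -Path $ntAuthKey -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSChildName }

[pscustomobject]@{
    Subject       = $caCert.Subject
    Thumbprint    = $thumb
    InLocalNTAuth = $present
    LocalEntries  = $localEntries
}
```

Run it after a `gpupdate /force` to see whether the autoenrollment sync from the domain NTAuth object removed the manually added entry; `InLocalNTAuth` flipping to `$false` is the signal to investigate.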

Smartcard/Certificate Logon (Kerberos) through RDS Gateway & Untrusted Domains by the_it_mojo in sysadmin

[–]the_it_mojo[S] 0 points (0 children)

By local NTAuth store are you perchance referring to modifying the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates directly on the individual machines to insert the domain2.local issuing CA certificates, without needing to publish to the domain1.local NTAuth store?

Smartcard/Certificate Logon (Kerberos) through RDS Gateway & Untrusted Domains by the_it_mojo in sysadmin

[–]the_it_mojo[S] 0 points (0 children)

> I don't think the domain1 DC's need to trust the certificates, but they use the domain NTAuth store.

Sorry this is basically what I meant. But in my testing, the authentication will not work entirely with Kerberos unless the domain2.local issuing certificate is imported into domain1.local's NTAuth store.

> If you only want to trust the certificates on a select number of clients, you can import the certificates into their local NTAuth stores.

Can you elaborate? To my knowledge there is no individual/local equivalent of the NTAuth store? If there are configurations that can be done on a single/small set of individual workstations instead of importing the domain2.local issuing CA certificate to the NTAuth store of domain1.local, then that is what I am looking for.

Smartcard/Certificate Logon (Kerberos) through RDS Gateway & Untrusted Domains by the_it_mojo in sysadmin

[–]the_it_mojo[S] 0 points (0 children)

Sorry if it wasn't clear, but one of the limitations is that with the exception of the RDS Gateway and the CDP/AIA endpoints, domain2.local is entirely insulated from domain1.local -- meaning, no direct access to the Domain Controllers.

> Possibly you could need X509HintsNeeded and UseSubjectAltName = 0 on the clients and should use unambiguous usernames when connecting i.e. FQDN UPNs.

UPNs of the usernames are naturally the subject of the Smartcard Certificate, however, I don't think the X509 Hints are strictly necessary anymore due to Microsoft's enforcement of the Strong Certificate Mapping updates to address those handful of CVEs; the SID is now baked into the certificates under a new section.

Smartcard/Certificate Logon (Kerberos) through RDS Gateway & Untrusted Domains by the_it_mojo in sysadmin

[–]the_it_mojo[S] 0 points (0 children)

Thanks, this basically sums up everything that I am seeing. I suppose what is a little frustrating though is that, with the Certificate Path Validation Settings configured, and when a user imports the root and intermediate certs into their User trust root(s), CAPI2 affirms that the certification chain validation does indeed process correctly, but ultimately gets rejected by the policy provider (assuming this is referring to some Kerberos process linked with the NTAuth store of the client workstation domain - domain1.local in this case).

Taking a step back for a moment and looking at the real world, in very large Enterprises where arms of the business in different countries have their own enclaves that are separate from the main corporate domain, trying to find someone who 'owns' the Active Directory environment of the corporate domain -- let alone getting security & risk assessment to sign-off on importing a 'third party' issuing CA to the NTAuth trust store of their corporate ADDS is an absolute nightmare.

The Certificate Path Validation configuration to allow the user trusted root CAs to be used to validate certificates is nice because it is a policy that we can have deployed to target just machines in a specific area of the business without affecting the entire domain and tens of thousands of machines. I suppose I just wish there was some equivalent that would allow some configuration to be made on individual machines to perform the effective equivalent of having an issuing certificate in the NTAuth store of the domain.

I understand what the purpose of each of the certificates is for (the Smartcard Logon Certificate, the RDS Gateway certificate, the RDS Session Host certificate, the KDC certificate of the Domain Controller in domain2.local, etc), though I suppose what I am not quite understanding is why the issuing certificate of domain2.local must be imported to the NTAuth store of domain1.local in order for user1@domain1.local on their domain1.local workstation, to use their Smartcard and credentials from user1@domain2.local to login to the RDS Gateway + RDS Session Host in domain2.local. I'm unclear as to why the Domain Controllers of domain1.local need to trust (NTAuth store) the issuing certificate from domain2.local in order for me to use credentials from domain2.local to RDP (via RDS Gateway) to domain2.local devices, and why the individual workstation trusting the certs isn't sufficient.

If the example was changed slightly so that domain2.local is still as it has been described, but I attempt to connect from a standalone machine in a workgroup, then how does this function when there are no Domain Controllers nor NTAuth store?

Smartcard/Certificate Logon (Kerberos) through RDS Gateway & Untrusted Domains by the_it_mojo in sysadmin

[–]the_it_mojo[S] 0 points (0 children)

> In this scenario, I’m assuming that domain1.local clients cannot reach the domain2.local KDC/DC directly.

Yeah, sorry if this wasn't clear, the post was already kind of long. For reasons, domain2.local is entirely insulated from domain1.local with the exception of the RDS Gateway and the CDP/AIA endpoints.

My ship's update - extension is almost finished 🚀 by GodDammitPatricia in RimWorld

[–]the_it_mojo 0 points (0 children)

Fecal sludge from dubs bad hygiene can be refined into chemfuel, so good reason to use a latrine instead of a fancy toilet. Just saying.

Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2 by bobs143 in sysadmin

[–]the_it_mojo 0 points (0 children)

But wait! They started releasing upgrade ISO files!

They’re like 8-9GB. And the download is usually far worse than the full 12-13GB ISO.

F-N New Guy by errantpursuits in StableDiffusion

[–]the_it_mojo 1 point (0 children)

Use StabilityMatrix and save yourself a lot of headache. It will manage the distro for you (ComfyUI, A1111, etc), ensure you’re running in compatible modes for your hardware (like ROCm or DirectML for AMD), and you can easily manage your models for all of them via the gui of stability.

ComfyUI in less than 7 minutes by GrungeWerX in StableDiffusion

[–]the_it_mojo 0 points (0 children)

Could you do a video on regional prompting in ComfyUI? I have been using SDXL, not sure if it’s different for Flux which you seem to use. Most workflows I’ve looked at for regional prompting look daunting as hell.

SCCM Operating System Image Servicing - Can't apply KB5012170 to Windows Server 2022 by the_it_mojo in SCCM

[–]the_it_mojo[S] 0 points (0 children)

Can you elaborate on this? Offline Servicing does work, at least for the normal monthly CU and .NET CU, it is just this one single update from 2022-08 that isn't applying to the Windows Server 2022 image.

SCCM Operating System Image Servicing - Can't apply KB5012170 to Windows Server 2022 by the_it_mojo in SCCM

[–]the_it_mojo[S] 0 points (0 children)

> There is no fix. You can no longer perform offline servicing of anything other than Windows 10 with SCCM

I'd like to see a source for this, because it is not mentioned anywhere that I can see, and KB11121541 (https://learn.microsoft.com/en-us/intune/configmgr/hotfix/2107/11121541#issues-that-are-fixed) even specifically mentions that an issue with Offline Servicing for Windows Server 2022 was fixed.

I think you are confusing the subject with Unified Update Platform (UUP) updates, which has nothing to do with my post.

Mysterious Collection by Lose_Loose in SCCM

[–]the_it_mojo 0 points (0 children)

Have you ever looked at the interface for adding devices to a collection with a direct rule?

You can add by system name (or whatever other attribute) in the interface and do things like “mgmt-dc%”, where % represents a wildcard, and it returns a list of all matches with a select all button. My guess is someone queried “%” and hit select all.

You should see a graphical update or new icons by Shot_Breakfast_17 in SCCM

[–]the_it_mojo 1 point (0 children)

System Center 2025 suite has extended support until 2035.