Error deploying ADFS 3.0 WAP replacement with APM
I have a working ADFS WAP replacement and now need to provide secure authentication using APM, but received an error when updating the config using the iApp Template.
Environment:
model BIG-IP 5050
version BIG-IP 13.1.1.4 Build 0.0.4 Point Release 4
IAppTemplate: f5.microsoft_adfs.v1.2.0rc9
Which version of AD FS are you deploying? ADFS 2012 (3.0)
Which AD FS server role is BIG-IP being deployed in front of? ADFS
What type of network connects clients to the BIG-IP? WAN
Which VLANs transport client traffic? internal
What type of network connects servers to the BIG-IP? WAN
Where will the virtual servers be in relation to the AD FS servers? different subnets
How have you configured routing on your AD FS servers? AD FS servers do not have a route to clients through the BIG-IP
How many connections per server do you expect? Fewer than 64,000
Do you want to provide secure authentication with BIG-IP APM? Yes
Would you like to configure BIG-IP as an ADFS Proxy? Yes
What is the account to be used for establishing proxy trust with ADFS? <account name>
What is the password associated with that account? ********************
Which Access Profile do you want to use? Create new
Do you want the iApp to configure Forms SSO? Yes
*** Which AAA Server object do you want to use? Create New
Which Active Directory server IP address in your domain can this BIG-IP system contact? FQDN: <servername.domainname> IP: <server's IP address>
Does your Active Directory domain allow anonymous binding? Require Credentials
Which Active Directory user with administrative permissions do you want to use? <ad user>
What is the associated password? <password>
What is the LDAP tree for this user account? <LDAP tree>
Does your Active Directory domain require a secure protocol for communication? No Secure protocol not required
How many seconds between Active Directory health checks? 10
Which port is used for Active Directory communication? 389
What is the FQDN of the Active Directory implementation for your AD FS users? <domainname>
Do you want to configure support for Azure MFA (via Azure MFA servers)? No
Which log settings would you like to use to log APM events? Do not specify
Which Client SSL profile do you want to use? Create new
Which SSL certificate do you want to use? <SSL cert>
Which SSL private key do you want to use? <SSL Key>
Which intermediate certificate do you want to use? Do not use
Which Server SSL profile do you want to use? Create new
What IP address do you want to use for the virtual server? <VIP IP>
What service port do you want to use for the virtual server? 443
Which FQDN will clients use to access AD FS? <AD FS FQDN>
Which HTTP profile do you want to use? Create new
Do you want to create a new pool or use an existing one? <existing pool name>
Do you want to configure support for client certificate authentication? No
How do you want to optimize client-side connections? New profile
How do you want to optimize server-side connections? New profile
Do you want to add any custom iRules to the AD FS virtual server? none
###############################################################
*** Existing AAA servers are not available from the drop down. The BIG-IP can communicate with AD and can enumerate AD groups.
Here is the error I receive:
script did not successfully complete: ("active-directory" unexpected argument
while executing
"tmsh::create [string range $args 7 end] "
("create" arm line 1)
invoked from within
"switch -exact -- [string range $args 0 5] {
create { tmsh::create [string range $args 7 end] }
modify { tmsh::modify [string r..."
(procedure "iapp_conf" line 14)
invoked from within
"iapp_conf create apm aaa active-directory ${app}_apm_aaa \{ admin-encrypted-password [expr { $credentials ? "[iapp_make_safe_password $::apm__active..."
invoked from within
"subst $substa_out"
invoked from within
"if { [info exists [set substa_in]] } {
set substa_out [subst $$substa_in]
set substa_out [subst $substa_out]
} else {
..."
("uplevel" body line 3)
invoked from within
"uplevel {
append ::substa_debug "\n$substa_in"
if { [info exists [set substa_in]] } {
set substa_out [subst $$substa_in]
..."
(procedure "iapp_substa" line 9)
invoked from within
"iapp_substa aaa_server($do_new_aaa)"
(procedure "configure_apm" line 48)
invoked from within
"configure_apm"
(procedure "configure_adfs_deployment" line 386)
invoked from within
"configure_adfs_deployment" line:983)
Any help you can provide would be greatly appreciated.
Thanks in advance
-SS
Hello, when I have seen this issue it has typically been resolved by one of the following or both:
1. mcpd reload:
K13030: Forcing the mcpd process to reload the BIG-IP configuration
https://support.f5.com/csp/article/K13030
2. De-provision APM Module and then Re-provision APM Module.