Forum Discussion

sstenger
Sep 12, 2019

Error deploying ADFS 3.0 WAP replacement with APM

I have a working ADFS WAP replacement and now need to provide secure authentication using APM, but received an error when updating the config using the iApp Template.


Environment:

Model: BIG-IP 5050

Version: BIG-IP 13.1.1.4 Build 0.0.4 Point Release 4

iApp Template: f5.microsoft_adfs.v1.2.0rc9


Which version of AD FS are you deploying? ADFS 2012 (3.0)

Which AD FS server role is BIG-IP being deployed in front of? ADFS

What type of network connects clients to the BIG-IP? WAN

Which VLANs transport client traffic? internal

What type of network connects servers to the BIG-IP? WAN

Where will the virtual servers be in relation to the AD FS servers? different subnets

How have you configured routing on your AD FS servers? AD FS servers do not have a route to clients through the BIG-IP

How many connections per server do you expect? Fewer than 64,000

Do you want to provide secure authentication with BIG-IP APM? Yes

Would you like to configure BIG-IP as an ADFS Proxy? Yes

What is the account to be used for establishing proxy trust with ADFS? <account name>

What is the password associated with that account? ********************

Which Access Profile do you want to use? Create new

Do you want the iApp to configure Forms SSO? Yes

*** Which AAA Server object do you want to use? Create New

Which Active Directory server IP address in your domain can this BIG-IP system contact? FQDN: <servername.domainname> IP: <server's IP address>

Does your Active Directory domain allow anonymous binding? Require Credentials

Which Active Directory user with administrative permissions do you want to use? <ad user>

What is the associated password? <password>

What is the LDAP tree for this user account? <LDAP tree>

Does your Active Directory domain require a secure protocol for communication? No, secure protocol not required

How many seconds between Active Directory health checks? 10

Which port is used for Active Directory communication? 389

What is the FQDN of the Active Directory implementation for your AD FS users? <domainname>

Do you want to configure support for Azure MFA (via Azure MFA servers)? No

Which log settings would you like to use to log APM events? Do not specify

Which Client SSL profile do you want to use? Create new

Which SSL certificate do you want to use? <SSL cert>

Which SSL private key do you want to use? <SSL Key>

Which intermediate certificate do you want to use? Do not use

Which Server SSL profile do you want to use? Create new

What IP address do you want to use for the virtual server? <VIP IP>

What service port do you want to use for the virtual server? 443

Which FQDN will clients use to access AD FS? <AD FS FQDN>

Which HTTP profile do you want to use? Create new

Do you want to create a new pool or use an existing one? <existing pool name>

Do you want to configure support for client certificate authentication? No

How do you want to optimize client-side connections? New profile

How do you want to optimize server-side connections? New profile

Do you want to add any custom iRules to the AD FS virtual server? none

###############################################################

*** Existing AAA servers are not available from the drop down. The BIG-IP can communicate with AD and can enumerate AD groups.


Here is the error I receive:


script did not successfully complete: ("active-directory" unexpected argument
while executing
"tmsh::create [string range $args 7 end] "
("create" arm line 1)
invoked from within
"switch -exact -- [string range $args 0 5] {
create { tmsh::create [string range $args 7 end] }
modify { tmsh::modify [string r..."
(procedure "iapp_conf" line 14)
invoked from within
"iapp_conf create apm aaa active-directory ${app}_apm_aaa \{ admin-encrypted-password [expr { $credentials ? "[iapp_make_safe_password $::apm__active..."
invoked from within
"subst $substa_out"
invoked from within
"if { [info exists [set substa_in]] } {
set substa_out [subst $$substa_in]
set substa_out [subst $substa_out]
} else {
..."
("uplevel" body line 3)
invoked from within
"uplevel {
append ::substa_debug "\n$substa_in"
if { [info exists [set substa_in]] } {
set substa_out [subst $$substa_in]
..."
(procedure "iapp_substa" line 9)
invoked from within
"iapp_substa aaa_server($do_new_aaa)"
(procedure "configure_apm" line 48)
invoked from within
"configure_apm"
(procedure "configure_adfs_deployment" line 386)
invoked from within
"configure_adfs_deployment" line:983)

Any help you can provide would be greatly appreciated.

Thanks in advance

-SS

  • Hello, when I have seen this issue it has typically been resolved by one of the following or both:

     

    1. mcpd reload:

     

    K13030: Forcing the mcpd process to reload the BIG-IP configuration

    https://support.f5.com/csp/article/K13030

     

    2. De-provision APM Module and then Re-provision APM Module.
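Added example, not code from this thread or from F5: shell helpers for working the failure above. One pulls the tmsh command the iApp was building out of the "script did not successfully complete" trace, one reads the APM level from `tmsh list sys provision apm all-properties` output so you can confirm the module is really provisioned before re-running the template, and one sets the K13030 mcpd forceload flag (guarded so it only runs on a BIG-IP and never reboots for you). The sample trace and provisioning output are constructed; the `/service/mcpd/forceload` path is as documented in K13030.

```shell
#!/bin/sh
# Added example (not from the thread or from F5). Parsing functions take text
# as an argument so they can be exercised offline; only apply_mcpd_forceload
# touches the system.

# Extract "tmsh <verb> <module> <component> <object-type>" from the first
# iapp_conf line of an iApp failure trace, e.g. the one posted above.
failing_tmsh_cmd() {
    # $1 = trace text
    printf '%s\n' "$1" \
      | sed -n 's/^"iapp_conf \([a-z]*\) \([a-z]* [a-z]* [a-z-]*\).*/tmsh \1 \2/p' \
      | head -n 1
}

# Read the provisioning level from the output of
# `tmsh list sys provision apm all-properties`; prints "none" if absent.
apm_provision_level() {
    # $1 = tmsh output text
    lvl=$(printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*level[[:space:]][[:space:]]*\([a-z]*\).*/\1/p')
    printf '%s\n' "${lvl:-none}"
}

# K13030: flag mcpd to rebuild its binary database from the config on next
# boot. Only creates the flag file; the reboot is left to the operator.
apply_mcpd_forceload() {
    if ! command -v tmsh >/dev/null 2>&1; then
        echo "tmsh not found; not a BIG-IP, skipping" >&2
        return 1
    fi
    touch /service/mcpd/forceload && echo "forceload flag set; reboot to reload mcpd"
}

# Constructed sample inputs: a trimmed copy of the trace above and what
# tmsh prints for a provisioned APM module.
SAMPLE_TRACE='script did not successfully complete: ("active-directory" unexpected argument
while executing
"tmsh::create [string range $args 7 end] "
invoked from within
"iapp_conf create apm aaa active-directory ${app}_apm_aaa \{ admin-encrypted-password ..."'
SAMPLE_PROV='sys provision apm {
    level nominal
}'

if [ "${1:-}" = "--demo" ]; then
    echo "failing command : $(failing_tmsh_cmd "$SAMPLE_TRACE")"
    echo "apm level       : $(apm_provision_level "$SAMPLE_PROV")"
fi
```

Run with `--demo` to see the parsed values; on a real unit feed `apm_provision_level "$(tmsh list sys provision apm all-properties)"` before re-deploying the template.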

  • Dave W - Thank you so much. mcpd reload worked like a charm.

    -SS
