Unable to login to Bitbucket, even with lockout recovery process
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The administrator is unable to authenticate to the application via Active Directory, a local admin user, or the recovery admin ID, even after following the lockout recovery process.
Environment
Bitbucket Server & Data Center
Diagnosis
After following the lockout recovery process, authentication with the recovery_admin ID fails. The atlassian-bitbucket.log shows the following error stack trace:
2021-07-15 11:27:37,399 DEBUG [AtlassianEvent::thread-2] @17HWPXFx799x5x0 127.0.0.1 "POST /j_atl_security_check HTTP/1.1" c.a.stash.internal.crowd.RiotPolice Couldn't update the lastAuthenticationTimestamp attribute for recovery_admin
com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'recovery_admin' in directory 'Recovery Mode Directory'.
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:335)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:324)
at com.atlassian.stash.internal.crowd.RiotPolice.lambda$setUserAttribute$9(RiotPolice.java:599)
at com.atlassian.stash.internal.crowd.RiotPolice$VoidCrowdCallback.execute(RiotPolice.java:797)
at com.atlassian.stash.internal.crowd.RiotPolice$VoidCrowdCallback.execute(RiotPolice.java:792)
at com.atlassian.stash.internal.crowd.RiotPolice.execute(RiotPolice.java:746)
at com.atlassian.stash.internal.crowd.RiotPolice.setUserAttribute(RiotPolice.java:597)
at com.atlassian.stash.internal.user.DefaultUserService.updateLastAuthentication(DefaultUserService.java:550)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at jdk.internal.reflect.GeneratedMethodAccessor383.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at com.atlassian.stash.internal.user.UserAuthenticationTracker.lambda$onAuthenticationSuccess$0(UserAuthenticationTracker.java:44)
at com.atlassian.stash.internal.concurrent.Gate.callIfNotRecentlyRun(Gate.java:37)
at com.atlassian.stash.internal.user.UserAuthenticationTracker.onAuthenticationSuccess(UserAuthenticationTracker.java:42)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at com.atlassian.event.internal.SingleParameterMethodListenerInvoker.invoke(SingleParameterMethodListenerInvoker.java:42)
at com.atlassian.diagnostics.internal.platform.event.EventSystemMonitor.invokeMonitored(EventSystemMonitor.java:109)
at com.atlassian.diagnostics.internal.platform.event.MonitoredListenerInvoker.invoke(MonitoredListenerInvoker.java:38)
at com.atlassian.stash.internal.event.AsyncBatchingInvokersTransformer$AsyncInvokerBatch.invoke(AsyncBatchingInvokersTransformer.java:111)
at com.atlassian.event.internal.AsynchronousAbleEventDispatcher.lambda$null$0(AsynchronousAbleEventDispatcher.java:37)
at com.atlassian.sal.core.executor.ThreadLocalDelegateRunnable.run(ThreadLocalDelegateRunnable.java:34)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at com.atlassian.stash.internal.event.EventThreadFactory.lambda$createThread$0(EventThreadFactory.java:27)
at java.base/java.lang.Thread.run(Thread.java:834)
... 22 frames trimmed
Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'recovery_admin' in directory 'Recovery Mode Directory'.
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.storeUserAttributes(ApplicationServiceGeneric.java:652)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:333)
... 28 common frames omitted
The key part of the message is: ApplicationPermissionException: Not allowed to update user attributes 'recovery_admin' in directory 'Recovery Mode Directory'
Cause
The cause for this is likely a misconfigured proxy or load balancer.
Solution
Option 1 - Correct misconfigured proxy settings
You'll need to review your proxy configuration settings and ensure your instance is configured appropriately. These settings exist in your bitbucket.properties file. You can view our customizations page to see some examples of configuring for a proxy or load balancer.
Option 2 - Bypass proxy settings
You can bypass a reverse proxy or disable the proxy settings to access the application server directly via machine name, or IP.
How to Bypass
To bypass, you will need to add an additional connector port to your bitbucket.properties file and access the application in your browser at the machine name or IP address plus the port:
server.additional-connector.1.port=7997
Example URL from the above port: http://machine-name:7997
ℹ️ The port number can be any port you choose that is accessible on the machine.
Disable Proxy Settings
You can disable the proxy settings by commenting them out in your bitbucket.properties file. Your standard settings will look like so:
server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=mycompany.com
To comment them out, simply add a hash symbol in front of the entry like so:
#server.secure=true
#server.scheme=https
#server.proxy-port=443
#server.proxy-name=mycompany.com
⚠️ Any modification to the bitbucket.properties file requires a restart for the changes to take effect.
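To review which of these settings are currently in effect, the following added example (not Atlassian code and not part of the original article) reports whether each proxy key in a bitbucket.properties file is active, commented out, or absent, and lists any additional connector ports. The function names and the sample file contents are constructed for illustration; only the property keys come from this article.

```shell
#!/bin/sh
# Added example (not Atlassian code): report the state of the proxy keys and
# additional connectors in a bitbucket.properties file, using the key names
# shown in this article.

PROXY_KEYS="server.secure server.scheme server.proxy-port server.proxy-name"

# prop_state FILE KEY -> "active=<value>", "commented" or "absent"
prop_state() {
    pat=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # match dots literally
    if grep -Eq "^[[:space:]]*${pat}[[:space:]]*=" "$1"; then
        printf 'active=%s\n' "$(sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${pat}[[:space:]]*=" "$1"; then
        echo commented
    else
        echo absent
    fi
}

# list_connectors FILE -> one "<index>:<port>" line per active additional connector
list_connectors() {
    sed -n 's/^[[:space:]]*server\.additional-connector\.\([0-9][0-9]*\)\.port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1:\2/p' "$1"
}

# report FILE -> prints the state of every proxy key and connector
report() {
    for key in $PROXY_KEYS; do
        printf '%-20s %s\n' "$key" "$(prop_state "$1" "$key")"
    done
    for conn in $(list_connectors "$1"); do
        printf 'additional connector %s listens on port %s\n' "${conn%%:*}" "${conn#*:}"
    done
}

# Constructed sample: proxy settings partly commented out, bypass connector added.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#server.secure=true
#server.scheme=https
server.proxy-port=443
server.additional-connector.1.port=7997
EOF
report "$SAMPLE"
```

Point `report` at the real bitbucket.properties file before and after a change to confirm which proxy settings and connectors will apply at the next restart.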