Users are receiving a pop-up asking to "select a certificate to authenticate yourself" when accessing Bitbucket

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After upgrading Bitbucket, a few users are receiving a pop-up asking to Select a certificate to authenticate yourself to <Bitbucket server web address>:443. The pop-up appears when the user access the Bitbucket dashboard. User receives window prompt asking for certificate. If a user clicks okay, it results in the page not loading. If the user selects cancel, they are telling the site to not use the certificate as a method of authentication.

Environment

  • Bitbucket Server running on Windows

  • Any browser is affected. Tested in Chrome, Edge, Firefox

  • Using a certificate issuer by MS-Organization-Access

  • Customized bitbucket.properties property for server.ssl.client-auth

Diagnosis

  • Verify pop-up message received is Select a certificate to authenticate yourself to <Bitbucket server web address>:443.

  • Verify custom configuration for the property server.ssl.client-auth in file $BITBUCKET_HOME/shared/bitbucket.properties.

  • Verify certificate issuer is MS-Organization-Access.

Cause

The certificate issuer MS-Organization-Access comes from Active Directory Federation Services and the certificate is automatically generated when someone uses a federated service such as Azure.

Solution

The solution is to remove the bitbucket.properties configuration for the parameter server.ssl.client-auth.

By commenting out the parameter server.ssl.client-auth=want, you are setting the parameters as Tomcat's default value of false. When setting that parameter as want or need, you are saying you want to enable client authentication, so if the server.ssl.client-auth property is not set, then the users will not receive the pop-up.

The server.ssl.client-auth property should only be used in very specific business cases where client authentication is also required.

  1. Stop Bitbucket

  2. Open the $BITBUCKET_HOME/shared/bitbucket.properties file

  3. remove or comment the server.ssl.client-auth=want parameters

  4. Start the application

Users will no longer be prompted to select a certificate.

Updated on March 18, 2025
Platform
Data Center only
Product
Bitbucket Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community