Unable to login to Bitbucket, even with lockout recovery process

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms.

Summary

The administrator is unable to authenticate to the application via active directory, local admin user, or the recovery admin ID, following the lockout recovery process.

Environment

Bitbucket Server & Data Center

Diagnosis

After following the lockout recovery process, authentication with the recovery_admin ID fails. Navigating to the atlassian-bitbucket.log shows the following error stack-trace:

2021-07-15 11:27:37,399 DEBUG [AtlassianEvent::thread-2] @17HWPXFx799x5x0 127.0.0.1 "POST /j_atl_security_check HTTP/1.1" c.a.stash.internal.crowd.RiotPolice Couldn't update the lastAuthenticationTimestamp attribute for recovery_admin
com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'recovery_admin' in directory 'Recovery Mode Directory'.
   at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:335)
   at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:324)
   at com.atlassian.stash.internal.crowd.RiotPolice.lambda$setUserAttribute$9(RiotPolice.java:599)
   at com.atlassian.stash.internal.crowd.RiotPolice$VoidCrowdCallback.execute(RiotPolice.java:797)
   at com.atlassian.stash.internal.crowd.RiotPolice$VoidCrowdCallback.execute(RiotPolice.java:792)
   at com.atlassian.stash.internal.crowd.RiotPolice.execute(RiotPolice.java:746)
   at com.atlassian.stash.internal.crowd.RiotPolice.setUserAttribute(RiotPolice.java:597)
   at com.atlassian.stash.internal.user.DefaultUserService.updateLastAuthentication(DefaultUserService.java:550)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at jdk.internal.reflect.GeneratedMethodAccessor383.invoke(Unknown Source)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at com.atlassian.stash.internal.user.UserAuthenticationTracker.lambda$onAuthenticationSuccess$0(UserAuthenticationTracker.java:44)
   at com.atlassian.stash.internal.concurrent.Gate.callIfNotRecentlyRun(Gate.java:37)
   at com.atlassian.stash.internal.user.UserAuthenticationTracker.onAuthenticationSuccess(UserAuthenticationTracker.java:42)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at com.atlassian.event.internal.SingleParameterMethodListenerInvoker.invoke(SingleParameterMethodListenerInvoker.java:42)
   at com.atlassian.diagnostics.internal.platform.event.EventSystemMonitor.invokeMonitored(EventSystemMonitor.java:109)
   at com.atlassian.diagnostics.internal.platform.event.MonitoredListenerInvoker.invoke(MonitoredListenerInvoker.java:38)
   at com.atlassian.stash.internal.event.AsyncBatchingInvokersTransformer$AsyncInvokerBatch.invoke(AsyncBatchingInvokersTransformer.java:111)
   at com.atlassian.event.internal.AsynchronousAbleEventDispatcher.lambda$null$0(AsynchronousAbleEventDispatcher.java:37)
   at com.atlassian.sal.core.executor.ThreadLocalDelegateRunnable.run(ThreadLocalDelegateRunnable.java:34)
   at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
   at com.atlassian.stash.internal.event.EventThreadFactory.lambda$createThread$0(EventThreadFactory.java:27)
   at java.base/java.lang.Thread.run(Thread.java:834)
   ... 22 frames trimmed
Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Not allowed to update user attributes 'recovery_admin' in directory 'Recovery Mode Directory'.
   at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.storeUserAttributes(ApplicationServiceGeneric.java:652)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at com.atlassian.crowd.embedded.core.CrowdServiceImpl.setUserAttribute(CrowdServiceImpl.java:333)
   ... 28 common frames omitted

The key part of the message is: ApplicationPermissionException: Not allowed to update user attributes 'recovery_admin' in directory 'Recovery Mode Directory'

Cause

The cause for this is likely a misconfigured proxy or load balancer. 

Solution

Option 1 - Correct misconfigured proxy settings

You'll need to review your proxy configuration settings and ensure your instance is configured appropriately. These settings exist in your bitbucket.properties file. You can view our customizations page to see some examples of configuring for proxy or load balancer.

Option 2 - Bypass proxy settings

You can bypass a reverse proxy or disable the proxy settings to access the application server directly via machine name, or IP.

How to Bypass

To bypass, you will need to add an additional connector port to your bitbucket.properties file and access in your browser at the machine or IP address plus the port:

server.additional-connector.1.port=7997

Example URL from the above port: http://machine-name:7997

(info) The port number can be anything you define and that is accessible on the machine.


Disable Proxy Settings

You can disable the proxy settings by commenting them out in your bitbucket.properties file. Your standard settings will look like so:

server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=mycompany.com

To comment them out, simply add a hash symbol in front of the entry like so:

#server.secure=true
#server.scheme=https
#server.proxy-port=443
#server.proxy-name=mycompany.com

(warning) Any modification to the bitbucket.properties file requires a restart for the changes to take effect.


Last modified on Jul 15, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.