Summary

After upgrading Bitbucket, a few users are receiving a pop-up asking to Select a certificate to authenticate yourself to <Bitbucket server web address>:443. The pop-up appears when the user access the Bitbucket dashboard. User receives window prompt asking for certificate. If a user clicks okay, it results in the page not loading. If the user selects cancel, they are telling the site to not use the certificate as a method of authentication.

Environment

• Bitbucket Server running on Windows
• Any browser is affected. Tested in Chrome, Edge, Firefox
• Using a certificate issuer by MS-Organization-Access
  
• Customized bitbucket.properties property for server.ssl.client-auth

Diagnosis

• Verify pop-up message received is Select a certificate to authenticate yourself to <Bitbucket server web address>:443.
• Verify custom configuration for the property server.ssl.client-auth in file $BITBUCKET_HOME/shared/bitbucket.properties.
• Verify certificate issuer is MS-Organization-Access.

Cause

The certificate issuer MS-Organization-Access comes from Active Directory Federation Services and the certificate is automatically generated when someone uses a federated service such as Azure.

Solution

The solution is to remove the bitbucket.properties configuration for the parameter server.ssl.client-auth.

By commenting out the parameter server.ssl.client-auth=want, you are setting the parameters as Tomcat's default value of false. When setting that parameter as want or need, you are saying you want to enable client authentication, so if the server.ssl.client-auth property is not set, then the users will not receive the pop-up.

The server.ssl.client-auth property should only be used in very specific business cases where client authentication is also required.

1. Stop Bitbucket
2. Open the $BITBUCKET_HOME/shared/bitbucket.properties file
3. remove or comment the server.ssl.client-auth=want parameters
4. Start the application

Users will no longer be prompted to select a certificate.