diff --git a/server/auth/types/authentication_type.ts b/server/auth/types/authentication_type.ts
index 6fade61fd..6889034dc 100644
--- a/server/auth/types/authentication_type.ts
+++ b/server/auth/types/authentication_type.ts
@@ -75,11 +75,6 @@ export abstract class AuthenticationType implements IAuthenticationType {
 }
 public authHandler: AuthenticationHandler = async (request, response, toolkit) => {
- // allow access to assets
- if (request.url.pathname && request.url.pathname.startsWith('/bundles/')) {
- return toolkit.authenticated();
- }
-
 // skip auth for APIs that do not require auth
 if (this.authNotRequired(request)) {
 return toolkit.authenticated();
@@ -119,6 +114,14 @@ export abstract class AuthenticationType implements IAuthenticationType {
 if (!cookie || !(await this.isValidCookie(cookie))) {
 // clear cookie
 this.sessionStorageFactory.asScoped(request).clear();
+
+ // for assets, we can still pass it to resource handler as notHandled.
+ // marking it as authenticated may result in login pop up when auth challenge
+ // is enabled.
+ if (request.url.pathname && request.url.pathname.startsWith('/bundles/')) {
+ return toolkit.notHandled();
+ }
+
 // send to auth workflow
 return this.handleUnauthedRequest(request, response, toolkit);
 }
@@ -157,6 +160,9 @@ export abstract class AuthenticationType implements IAuthenticationType {
 } catch (error) {
 this.logger.error(`Failed to resolve user tenant: ${error}`);
 if (error instanceof UnauthenticatedError) {
+ if (request.url.pathname && request.url.pathname.startsWith('/bundles/')) {
+ return toolkit.notHandled();
+ }
 return this.handleUnauthedRequest(request, response, toolkit);
 }
 throw error;
diff --git a/server/multitenancy/tenant_resolver.ts b/server/multitenancy/tenant_resolver.ts
index 9d32161e0..8718d38fe 100644
--- a/server/multitenancy/tenant_resolver.ts
+++ b/server/multitenancy/tenant_resolver.ts
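Review bot: The `/bundles/` exemption in `authHandler` (server/auth/types/authentication_type.ts) is now written out twice, in the invalid-cookie branch of the `-119,6 +114,14` hunk and again in the `UnauthenticatedError` catch of the `-157,6 +160,9` hunk, so the two copies of an auth exemption can drift apart. I would define the test once in a private helper whose body is `return request.url.pathname?.startsWith('/bundles/') ?? false;` and call it from both places. In the invalid-cookie branch the check also sits after `this.sessionStorageFactory.asScoped(request).clear()`, so an asset request with a stale cookie still clears the session; if that is intended, a comment such as `// session is cleared for assets too; only the login redirect/challenge is skipped` would make it explicit. How `toolkit.notHandled()` is treated for a route that requires auth is decided outside these hunks, and the rest of `authHandler` is not visible here.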
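Review bot: In the tenant-resolution `catch` of `authHandler`, the existing `this.logger.error(...)` call still runs before the new `/bundles/` branch, so every asset request that ends in `UnauthenticatedError` writes an error-level line even though it is then passed on as `notHandled`. Because such requests need no valid session, a client without a cookie could produce these entries at will and bury real tenant-resolution failures. Consider testing for the asset path before logging, or logging that case at a lower level, e.g. `this.logger.debug('unauthenticated asset request')` ahead of `return toolkit.notHandled();`. Whether tenant resolution actually throws `UnauthenticatedError` for asset requests is not visible in this hunk; the `try` block starts above it.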
@@ -80,6 +80,8 @@ export function isMultitenantPath(request: KibanaRequest): boolean {
 request.url.pathname?.startsWith('/elasticsearch') ||
 request.url.pathname?.startsWith('/api') ||
 request.url.pathname?.startsWith('/app') ||
+ // bootstrap.js depends on tenant info to fetch kibana configs in tenant index
+ (request.url.pathname?.indexOf('bootstrap.js') || -1) > -1 ||
 request.url.pathname === '/'
 );
 }
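Review bot: `(request.url.pathname?.indexOf('bootstrap.js') || -1) > -1` matches the substring anywhere in the path, so `isMultitenantPath` now returns true for any request that merely contains `bootstrap.js` (a path ending in `bootstrap.js.map`, for instance), which widens tenant resolution beyond the one script the comment names. The `|| -1` fallback also turns a match at index 0 into "no match", which makes the expression harder to reason about than it needs to be. If only the bootstrap script itself is meant, `request.url.pathname?.endsWith('/bootstrap.js') ||` says so directly; this assumes the script is always served under that file name, which the hunk does not show. `isMultitenantPath` begins above the hunk, so its `return (` line is not visible here.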