Kafka Error DELEGATION_TOKEN_REQUEST_NOT_ALLOWED
Error code 64 · Non-retriable · Security
Delegation Token requests are not allowed on PLAINTEXT/1-way SSL channels and on delegation token authenticated channels.
Common Causes
- Client is connected via PLAINTEXT listener and attempting to create/renew a delegation token — tokens require an authenticated channel
- Client is using one-way SSL (server auth only) without client certificate, which does not establish client identity
- Misconfigured inter-broker listener is sending token requests over an unencrypted channel
Solutions
- Switch client connection to a SASL_SSL or SASL_PLAINTEXT listener before making delegation token requests
- Configure two-way SSL (mutual TLS) if SSL-based token auth is required: set `ssl.client.auth=required` on the broker listener
- Ensure the listener used for delegation token operations has `sasl.enabled.mechanisms` configured and the client has a valid JAAS config
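The listener checks above can be run against a broker properties file. The following is an added example, not code from the original page or from Kafka: it classifies each listener by whether delegation token requests can succeed on it. The function names and the sample configuration are constructed for illustration, and the "conditional" verdict for `ssl.client.auth=requested` assumes that only clients presenting a certificate establish an identity.

```python
# Added example: which listeners can accept delegation token requests?
SAMPLE = """\
listeners=CLIENT://:9092,TLS://:9093,MTLS://:9094,AUTH://:9095
listener.security.protocol.map=CLIENT:PLAINTEXT,TLS:SSL,MTLS:SSL,AUTH:SASL_SSL
ssl.client.auth=none
listener.name.mtls.ssl.client.auth=required
sasl.enabled.mechanisms=SCRAM-SHA-512
"""  # constructed sample configuration

# Kafka's default mapping when listener.security.protocol.map is not set.
DEFAULT_MAP = "PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL"

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def classify_listeners(text):
    """Return {listener name: (security protocol, verdict)}."""
    props = parse_properties(text)
    mapping = props.get("listener.security.protocol.map", DEFAULT_MAP)
    protocols = {}
    for entry in mapping.split(","):
        name, _, protocol = entry.strip().partition(":")
        protocols[name.upper()] = protocol.upper()
    result = {}
    for listener in filter(None, props.get("listeners", "").split(",")):
        name = listener.split("://", 1)[0].strip().upper()
        protocol = protocols.get(name, "UNKNOWN")
        # Per-listener override wins over the broker-wide ssl.client.auth.
        client_auth = props.get(f"listener.name.{name.lower()}.ssl.client.auth",
                                props.get("ssl.client.auth", "none")).lower()
        if protocol.startswith("SASL_"):
            verdict = "allowed"  # unless the session itself logged in with a token
        elif protocol == "SSL" and client_auth == "required":
            verdict = "allowed"
        elif protocol == "SSL" and client_auth == "requested":
            verdict = "conditional"  # only clients that present a certificate
        elif protocol in ("PLAINTEXT", "SSL"):
            verdict = "rejected"  # PLAINTEXT or one-way SSL
        else:
            verdict = "unknown"
        result[name] = (protocol, verdict)
    return result
```

Calling `classify_listeners(open(path).read())` on a real `server.properties` shows which listener a client must be pointed at before it requests a token.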
Diagnostic Commands
```bash
# Check listener config in broker properties
grep -E '^listeners|^advertised.listeners|ssl.client.auth' /path/to/server.properties
# Inspect the TLS handshake and certificate chain on the SSL listener
openssl s_client -connect localhost:9093 -showcerts </dev/null 2>&1 | grep -E 'subject|issuer|Verify'
```
Related APIs
This error can be returned by: CreateDelegationToken · DescribeDelegationToken · ExpireDelegationToken · RenewDelegationToken