Kafka Error SASL_AUTHENTICATION_FAILED
Error code 58 · Non-retriable Security
SASL Authentication failed.
Common Causes
- Wrong credentials: username/password mismatch in JAAS config, or user deleted/password rotated in the credential store (SCRAM) without updating clients
- Kerberos clock skew exceeds 5 minutes between broker and client host, causing ticket validation to fail
- SASL mechanism mismatch: broker configured for `SCRAM-SHA-512` but client sends `PLAIN` (or vice versa)
Solutions
- For SCRAM: re-create credentials with `kafka-configs.sh --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-512=[password=newpass]' --entity-type users --entity-name <user>` and update client JAAS
- For Kerberos: check the clock offset with `chronyc tracking` and resynchronize if needed (e.g. `ntpdate`), then ensure broker and client keytabs are valid (`klist -e -k /etc/kafka/kafka.keytab`)
- Align `sasl.mechanism` on client with `sasl.enabled.mechanisms` on broker; check broker logs for the exact mechanism negotiation failure
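The mechanism alignment in the last item can be checked offline before touching the broker. The script below is an added example, not part of the original page or of Kafka's tooling: `prop_get` and `check_sasl_mechanism` are hypothetical helper names, and the sample properties files are constructed.

```shell
#!/bin/sh
# Added example: verify that the client's sasl.mechanism is one of the
# broker's sasl.enabled.mechanisms by reading both properties files.

# prop_get FILE KEY DEFAULT: print the last uncommented value of KEY in a
# Java .properties file (key=value form only), or DEFAULT when the key is absent.
prop_get() {
  awk -v key="$2" -v def="$3" '
    /^[ \t]*[#!]/ { next }                 # skip comment lines
    {
      sep = index($0, "=")
      if (sep == 0) next
      k = substr($0, 1, sep - 1); v = substr($0, sep + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) found = v              # a later duplicate overrides an earlier one
    }
    END { print (found != "" ? found : def) }
  ' "$1"
}

# check_sasl_mechanism CLIENT_PROPS BROKER_PROPS: return 0 on match, 1 on mismatch.
# Both settings default to GSSAPI in Kafka when unset.
check_sasl_mechanism() {
  client_mech=$(prop_get "$1" sasl.mechanism GSSAPI)
  enabled=$(prop_get "$2" sasl.enabled.mechanisms GSSAPI | tr -d ' \t')
  case ",$enabled," in
    *",$client_mech,"*)
      echo "OK: client mechanism $client_mech is enabled on the broker"; return 0 ;;
  esac
  echo "MISMATCH: client sends $client_mech, broker enables $enabled"
  return 1
}

# Constructed sample files (hypothetical paths and values) so the check runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'listeners=SASL_SSL://:9093\nsasl.enabled.mechanisms = SCRAM-SHA-512, SCRAM-SHA-256\n' > "$demo_dir/server.properties"
printf 'security.protocol=SASL_SSL\nsasl.mechanism=PLAIN\n' > "$demo_dir/client-plain.properties"
printf 'security.protocol=SASL_SSL\n#sasl.mechanism=PLAIN\nsasl.mechanism=SCRAM-SHA-512\n' > "$demo_dir/client-scram.properties"

check_sasl_mechanism "$demo_dir/client-plain.properties" "$demo_dir/server.properties" || true
check_sasl_mechanism "$demo_dir/client-scram.properties" "$demo_dir/server.properties"
```

A nonzero exit status means the client would request a mechanism the broker does not offer, so the function can gate a deployment step.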
Diagnostic Commands
```bash
# Look for authentication errors in logs
grep -i 'AuthenticationException\|SaslAuthentication\|SASL' /path/to/kafka/logs/server.log | tail -20

# Check user credential configuration
kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type users --entity-name <user>
```
Related APIs
This error can be returned by: SaslAuthenticate