What causes SaslAuthenticationException?

Wrong credentials: username/password mismatch in JAAS config, or user deleted/password rotated in the credential store (SCRAM) without updating clients Kerberos clock skew exceeds 5 minutes between broker and client host, causing ticket validation to fail SASL mechanism mismatch: broker configured for `SCRAM-SHA-512` but client sends `PLAIN` (or vice versa)

How do I fix SaslAuthenticationException?

For SCRAM: re-create credentials with `kafka-configs.sh --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-512=[password=newpass]' --entity-type users --entity-name ` and update client JAAS For Kerberos: synchronize clocks with `chronyc tracking` / `ntpdate`, ensure broker and client keytabs are valid (`klist -e -k /etc/kafka/kafka.keytab`) Align `sasl.mechanism` on client with `sasl.enabled.mechanisms` on broker; check broker logs for the exact mechanism negotiation failure

Is SaslAuthenticationException retriable?

No — SaslAuthenticationException is not retriable. Retrying the same call will not help; the underlying cause must be fixed first.

Kafka Exception `SaslAuthenticationException`

org.apache.kafka.common.errors.SaslAuthenticationException

Non-retriable Security

This exception indicates that SASL authentication has failed. The error message in the exception indicates the actual cause of failure. SASL authentication failures typically indicate invalid credentials, but could also include other failures specific to the SASL mechanism used for authentication. Note:If evaluateResponse(byte[]) throws this exception during authentication, the message from the exception will be sent to clients in the SaslAuthenticate response. Custom SaslServer implementations may throw this exception in order to provide custom error messages to clients, but should take care not to include any security-critical information in the message that should not be leaked to unauthenticated clients.

Common Causes

Wrong credentials: username/password mismatch in JAAS config, or user deleted/password rotated in the credential store (SCRAM) without updating clients
Kerberos clock skew exceeds 5 minutes between broker and client host, causing ticket validation to fail
SASL mechanism mismatch: broker configured for `SCRAM-SHA-512` but client sends `PLAIN` (or vice versa)

Solutions

For SCRAM: re-create credentials with `kafka-configs.sh --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-512=[password=newpass]' --entity-type users --entity-name <user>` and update client JAAS
For Kerberos: synchronize clocks with `chronyc tracking` / `ntpdate`, ensure broker and client keytabs are valid (`klist -e -k /etc/kafka/kafka.keytab`)
Align `sasl.mechanism` on client with `sasl.enabled.mechanisms` on broker; check broker logs for the exact mechanism negotiation failure

Example Stack Trace

org.apache.kafka.common.errors.SaslAuthenticationException: SASL Authentication failed.

Diagnostic Commands

# Look for authentication errors in logs
grep -i 'AuthenticationException\|SaslAuthentication\|SASL' /path/to/kafka/logs/server.log | tail -20

# Check user credential configuration
kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type users --entity-name <user>

Protocol error: SASL_AUTHENTICATION_FAILED (code 58)

Hitting SaslAuthenticationException in production? Conduktor Console gives you real-time visibility into clients, consumer groups, and broker health. Browse every Kafka exception or protocol error code.

Kafka Exception SaslAuthenticationException

Common Causes

Solutions

Example Stack Trace

Diagnostic Commands

Related

Kafka Exception `SaslAuthenticationException`