# org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism SCRAM-SHA-256

- **ID:** `kafka/sasl-authentication-failed`
- **Domain:** kafka
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The Kafka client provided an incorrect username or password for SASL/SCRAM authentication, or the credential is not stored in ZooKeeper.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kafka 3.6.0 | active | — | — |
| Kafka 3.7.0 | active | — | — |

## Workarounds

1. **Verify credentials with `kafka-configs.sh` to ensure the user exists and has correct SCRAM credentials.** (85% success)
   ```
   kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --describe
   ```
2. **Recreate the SCRAM credential and update the client JAAS file accordingly.** (90% success)
   ```
   kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --alter --add-config 'SCRAM-SHA-256=[password=newpass]'
   ```
3. **Example client JAAS config.** (88% success)
   ```
   KafkaClient {
     org.apache.kafka.common.security.scram.ScramLoginModule required
     username="myuser"
     password="newpass";
   };
   ```

## Dead Ends

- **** — The client still uses the old password, causing repeated authentication failures. (90% fail)
- **** — It is a security risk and not a fix; it also requires broker reconfiguration. (50% fail)
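
Why a client that still holds the old password keeps failing after the credential is recreated (workaround 2 and the first dead end above): a sketch of the SCRAM-SHA-256 proof check defined in RFC 5802 and RFC 7677, added here as an example and not taken from Kafka's code. The helper names, salt, nonces and the 4096 iteration count are assumptions or constructed sample values.

```python
import base64
import hashlib
import hmac
import os

H = hashlib.sha256

def _keys(password: str, salt: bytes, iterations: int):
    # SaltedPassword := Hi(password, salt, i); ASCII passwords pass SASLprep unchanged.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", H).digest()
    server_key = hmac.new(salted, b"Server Key", H).digest()
    return client_key, H(client_key).digest(), server_key

def make_credential(password: str, iterations: int = 4096, salt: bytes = b"") -> dict:
    """What the server side keeps per user: derived keys, never the password."""
    salt = salt or os.urandom(16)
    _, stored_key, server_key = _keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = _keys(password, salt, iterations)
    signature = hmac.new(stored_key, auth_message, H).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(cred: dict, proof: bytes, auth_message: bytes) -> bool:
    """Recover ClientKey from the proof and compare its hash with StoredKey."""
    signature = hmac.new(cred["stored_key"], auth_message, H).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(H(recovered).digest(), cred["stored_key"])

def demo():
    # Constructed sample data: salt, nonces and the resulting AuthMessage.
    cred = make_credential("newpass", salt=b"constructed-salt")
    s = base64.b64encode(cred["salt"]).decode()
    msg = (f"n=myuser,r=cnonce,r=cnoncesnonce,s={s},i={cred['iterations']},"
           "c=biws,r=cnoncesnonce").encode()
    args = (cred["salt"], cred["iterations"], msg)
    updated = server_verify(cred, client_proof("newpass", *args), msg)
    stale = server_verify(cred, client_proof("oldpass", *args), msg)
    return updated, stale  # client with new password, client with old password

if __name__ == "__main__":
    print(demo())
```

Because only the salt, iteration count and derived keys are kept, the stored credential cannot be compared against a password by eye; the client's JAAS password has to match the one used when the credential was last written.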
