# SASL认证异常：使用SCRAM-SHA-256机制时因无效凭据认证失败

- **ID:** `kafka/sasl-authentication-failed`
- **领域:** kafka
- **类别:** auth_error
- **验证级别:** ai_generated
- **修复率:** 80%

## 根因

Kafka客户端提供了错误的用户名或密码进行SASL/SCRAM认证，或者凭据未存储在ZooKeeper中。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| Kafka 3.6.0 | active | — | — |
| Kafka 3.7.0 | active | — | — |

## 解决方案

1. ```
   Verify credentials with `kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --describe` to ensure the user exists and has correct SCRAM credentials.
   ```
2. ```
   Recreate the SCRAM credential: `kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --alter --add-config 'SCRAM-SHA-256=[password=newpass]'` and update client JAAS file accordingly.
   ```
3. ```
   Example client JAAS config: `KafkaClient { org.apache.kafka.common.security.scram.ScramLoginModule required username="myuser" password="newpass"; };`
   ```

## 无效尝试

- **** — The client still uses the old password, causing repeated authentication failures. (90% 失败率)
- **** — It is a security risk and not a fix; it also requires broker reconfiguration. (50% 失败率)