# org.apache.kafka.common.errors.UnsupportedSaslMechanismException: The broker does not support the SASL mechanism PLAIN

- **ID:** `kafka/unsupported-sasl-mechanism`
- **Domain:** kafka
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The client configured a SASL mechanism (e.g., PLAIN) that is not enabled in the broker's sasl.enabled.mechanisms configuration.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kafka 2.8.0 | active | — | — |
| Kafka 3.0.0 | active | — | — |
| Kafka 3.4.0 | active | — | — |
| Kafka 3.6.0 | active | — | — |

## Workarounds

1. **Enable the required SASL mechanism in the broker's server.properties:

sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256

Then restart the broker. Ensure the JAAS file also configures the mechanism's login module:

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_alice="alice-secret";
};** (95% success)
   ```
   Enable the required SASL mechanism in the broker's server.properties:

sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256

Then restart the broker. Ensure the JAAS file also configures the mechanism's login module:

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_alice="alice-secret";
};
   ```
2. **On the client side, switch to a mechanism that the broker already supports. Check the broker logs for supported mechanisms or query via kafka-configs:

kafka-configs --bootstrap-server localhost:9092 --entity-type brokers --entity-name 0 --describe --all | grep sasl.enabled.mechanisms** (85% success)
   ```
   On the client side, switch to a mechanism that the broker already supports. Check the broker logs for supported mechanisms or query via kafka-configs:

kafka-configs --bootstrap-server localhost:9092 --entity-type brokers --entity-name 0 --describe --all | grep sasl.enabled.mechanisms
   ```

## Dead Ends

- **Change the client's SASL mechanism to SCRAM-SHA-256 without enabling it on the broker** — If SCRAM-SHA-256 is also not in sasl.enabled.mechanisms, the same error occurs; the broker must have the mechanism enabled. (90% fail)
- **Restart the broker after modifying JAAS config only** — JAAS config provides credentials but does not enable the mechanism; sasl.enabled.mechanisms must be set in server.properties. (95% fail)