This error indicates either that the 'kdc' value in the krb5 configuration file is incorrect, or that the KDC server machine is unreachable from the client machine (due to a firewall or a network problem).
First, check the 'kdc' value set in the krb5 configuration file on the client machine. For example:
[realms]
    KAFKA.SECURE = {
        kdc = ec2-174-129-102-157.compute-1.amazonaws.com
        admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
    }
...
[domain_realm]
    .amazonaws.com = KAFKA.SECURE
    amazonaws.com = KAFKA.SECURE
Check with your Kerberos administrator to confirm that the server name listed in the krb5 configuration is correct for your system.
In this case, the machine that runs the BE application needs to be able to communicate with the KDC and admin servers running on 'ec2-174-129-102-157.compute-1.amazonaws.com'. By default, Kerberos uses TCP/UDP port 88. To check connectivity to the KDC, use telnet (Linux/Mac) or portqry (Windows) from a command prompt. For example:
$ telnet ec2-174-129-102-157.compute-1.amazonaws.com 88
> portqry -n ec2-174-129-102-157.compute-1.amazonaws.com -e 88 -p both
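The two checks above (read the 'kdc' value, then test the port) can be combined in one script. This is an added example, not TIBCO's code: the function names and the constructed sample are assumptions, and it tests TCP only, so a UDP-only block on port 88 will not show up here.

```python
import re
import socket
import sys

# Constructed sample mirroring the [realms] stanza shown above.
SAMPLE_KRB5_CONF = """\
[realms]
KAFKA.SECURE = {
    kdc = ec2-174-129-102-157.compute-1.amazonaws.com
    admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
"""

def realm_kdcs(conf_text, realm, default_port=88):
    """Return [(host, port)] for every 'kdc' entry of `realm` under [realms]."""
    kdcs, section, current = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].strip(), None
        elif section == "realms" and line.startswith("}"):
            current = None  # end of a realm block
        elif section == "realms":
            key, _, value = (part.strip() for part in line.partition("="))
            if value.startswith("{"):
                current = key  # "REALM = {" opens a realm block
            elif current == realm and key == "kdc":
                # Accepts host, host:port or [ipv6]:port
                m = re.fullmatch(r"(\[[^\]]+\]|[^:\s]+)(?::(\d+))?", value)
                if m:
                    kdcs.append((m.group(1).strip("[]"), int(m.group(2) or default_port)))
    return kdcs

def check_kdc_tcp(host, port, timeout=3.0):
    """Classify a TCP connect to the KDC (UDP 88 is not tested)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except socket.gaierror:
        return "name does not resolve"  # wrong 'kdc' value or DNS problem
    except OSError as exc:  # refused, timed out, no route
        return f"unreachable: {exc}"

if __name__ == "__main__" and len(sys.argv) == 3:
    for host, port in realm_kdcs(open(sys.argv[1]).read(), sys.argv[2]):
        print(f"{host}:{port} -> {check_kdc_tcp(host, port)}")
```

Invoke it with the path to the client's krb5 configuration file and the realm name as the two arguments. A "name does not resolve" result points at the 'kdc' value itself, while a timeout or refusal points at the firewall or network path.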
To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. You can set this in your project's CDD file under Cluster > Properties:
sun.security.krb5.debug = true
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article titled "How to enable Kerberos SASL_SSL authentication for the TIBCO BusinessEvents Kafka Channel".