Kafka Channel fatal error caused by KrbException: Identifier doesn't match expected value (906)


Article ID: KB0072899


Products: TIBCO BusinessEvents Enterprise Edition
Versions: 6.1 and later

Description

When a BE application using the Kafka Channel is started, a fatal error occurs:
 

2021 Oct 28 14:17:14.030 GMT -04:00 kafka.tibco.com FATAL [main] -
[container.standalone] Failed to construct kafka consumer
...
Caused by: org.apache.kafka.common.KafkaException:
javax.security.auth.login.LoginException: null (68)
...
Caused by: javax.security.auth.login.LoginException: null (68)
...
Caused by: KrbException: null (68)
...
Caused by: KrbException: Identifier doesn't match expected value (906)

Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
 

Environment

All Supported Platforms

Resolution

This error indicates that the client krb5 configuration file (i.e. krb5.conf or krb5.ini) is not being referenced by the TIBCO BusinessEvents application, or it does not define the Kerberos realm name in which the Kafka service runs.

First, make sure that the application is referencing the krb5 configuration file. This can be done by setting the Java system property 'java.security.krb5.conf'. For example, in your project's CDD file under Cluster > Properties:

 
java.security.krb5.conf = C:/configs/krb5.conf

In addition, confirm that your krb5 configuration file includes the definition for the Kerberos realm in which Kafka is run. For example:
 
[realms]
KAFKA.SECURE = {
  kdc = ec2-174-129-102-157.compute-1.amazonaws.com
  admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
...
[domain_realm]
  .amazonaws.com = KAFKA.SECURE
  amazonaws.com = KAFKA.SECURE

Confirm that the client machine (i.e. the machine running your BE application) can reach the KDC and admin servers noted in the krb5 configuration file. The default communication port for Kerberos is TCP/UDP port 88. Check with your Kerberos administrator to confirm.
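The two checks above (realm defined in the krb5 configuration file, KDC reachable) can be scripted before starting the application. The following is an added example, not TIBCO code: the function names are hypothetical, the sample configuration and its host names are constructed, and the parser covers only the simple `[realms]` layout shown in this article.

```python
import re
import socket

# Constructed sample modeled on the article's fragment; host names are placeholders.
SAMPLE = """\
[realms]
KAFKA.SECURE = {
  kdc = kdc1.example.test
  kdc = kdc2.example.test:1088
  admin_server = kdc1.example.test
}
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section of krb5.conf text."""
    realms, section, current = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, current = m.group(1), None
        elif line == "}":
            current = None
        elif section == "realms" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                current = realms.setdefault(key, {})
            elif current is not None:
                current.setdefault(key, []).append(value)
    return realms

def kdc_endpoints(text, realm):
    """Return [(host, port)] for the realm's kdc entries; raise if the realm is unusable."""
    realms = parse_realms(text)
    if realm not in realms:
        raise LookupError(f"realm {realm} is not defined under [realms]")
    if not realms[realm].get("kdc"):
        raise LookupError(f"realm {realm} has no kdc entry")
    pairs = (e.partition(":") for e in realms[realm]["kdc"])
    return [(host, int(port or 88)) for host, _, port in pairs]  # 88 = Kerberos default

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (UDP is not tested here)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Read the file named by 'java.security.krb5.conf', pass its text and the Kafka realm name to `kdc_endpoints`, then call `tcp_reachable` on each returned pair from the client machine.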

To assist in troubleshooting, set the 'sun.security.krb5.debug' system property to 'true'. Again, you may do this in your project's CDD file:

 
sun.security.krb5.debug = true

For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL_SSL authentication for the TIBCO BusinessEvents Kafka Channel".
 

Issue/Introduction

Provides some details and background on the fatal error caused by "Identifier doesn't match expected value (906)".