Kafka Channel fatal error caused by KrbException: Identifier doesn't match expected value (906)
Article ID: KB0072899
Updated On:
| Products | Versions |
|---|---|
| TIBCO BusinessEvents Enterprise Edition | 6.1 and later |
Description
When a BE application using the Kafka Channel is started, a fatal error occurs:
2021 Oct 28 14:17:14.030 GMT -04:00 kafka.tibco.com FATAL [main] -
[container.standalone] Failed to construct kafka consumer
...
Caused by: org.apache.kafka.common.KafkaException:
javax.security.auth.login.LoginException: null (68)
...
Caused by: javax.security.auth.login.LoginException: null (68)
...
Caused by: KrbException: null (68)
...
Caused by: KrbException: Identifier doesn't match expected value (906)
Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
Environment
All Supported Platforms
Resolution
This error indicates that the client krb5 configuration file (i.e. krb5.conf or krb5.ini) is not being referenced by the TIBCO BusinessEvents application, or it does not define the Kerberos realm name in which the Kafka service runs.
First, make sure that the application is referencing the krb5 configuration file. This can be done by setting the Java system property 'java.security.krb5.conf'. For example, in your project's CDD file under Cluster > Properties:
In addition, confirm that your krb5 configuration file includes the definition for the Kerberos realm in which Kafka is run. For example:
Confirm that the client machine (i.e. the machine running your BE application) can reach the kdc and admin servers noted in the krb5 configuration file. The default communication port for Kerberos is tcp/udp port 88. Check with your Kerberos administrator to confirm.
To assist in troubleshooting, set the 'sun.security.krb5.debug' system property to 'true'. Again, you may do this in your project's CDD file:
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL_SSL authentication for the TIBCO BusinessEvents Kafka Channel".
First, make sure that the application is referencing the krb5 configuration file. This can be done by setting the Java system property 'java.security.krb5.conf'. For example, in your project's CDD file under Cluster > Properties:
java.security.krb5.conf = C:/configs/krb5.conf
In addition, confirm that your krb5 configuration file includes the definition for the Kerberos realm in which Kafka is run. For example:
[realms]
KAFKA.SECURE = {
kdc = ec2-174-129-102-157.compute-1.amazonaws.com
admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
...
[domain_realm]
.amazonaws.com = KAFKA.SECURE
amazonaws.com = KAFKA.SECURE
Confirm that the client machine (i.e. the machine running your BE application) can reach the kdc and admin servers noted in the krb5 configuration file. The default communication port for Kerberos is tcp/udp port 88. Check with your Kerberos administrator to confirm.
To assist in troubleshooting, set the 'sun.security.krb5.debug' system property to 'true'. Again, you may do this in your project's CDD file:
sun.security.krb5.debug = true
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL_SSL authentication for the TIBCO BusinessEvents Kafka Channel".
Issue/Introduction
Provides some details and background on the fatal error caused by "Identifier doesn't match expected value (906).
Feedback
Yes
No
Powered by
