Debezium connector failing with `Unexpected Kafka request of type METADATA during SASL handshake` error


Timothy Dilbert

Mar 11, 2025, 1:09:03 PM
to debezium
We have a Kafka cluster that we're trying to connect Debezium to. We are able to successfully deploy a Producer or Consumer using the following `producer.config`/`consumer.config` (these are temporary passwords - no judgement):
```
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
username="user1" \
password="JXtC77mME4";
```
Next, we attempt to create a SQL Server connector in Debezium using the following HTTP payload:
```
{
  "name": "sql_connector",
  "config": {
    "connector.class": "io.debezium.connector.sqlserver.SqlServerConnector",
    "database.hostname": "REMOVED.domain.local",
    "database.port": "1764",
    "database.user": "REMOVED-user",
    "database.password": "REMOVED-password",
    "database.names": "MM",
    "database.applicationIntent": "ReadOnly",
    "snapshot.isolation.mode": "snapshot",
    "snapshot.mode": "initial",
    "message.key.columns": "MM.DB_TABLE:rowid",
    "topic.prefix": "mmv2_mssqlami",
    "table.include.list": "dbo.DB_TABLE",
    "schema.history.internal.kafka.bootstrap.servers": "kafka.ky9998-003.svc.cluster.local:9092",
    "schema.history.internal.kafka.topic": "mmv2_amimssql",
    "schema.history.internal.consumer.security.protocol": "SASL_PLAINTEXT",
    "schema.history.internal.consumer.sasl.mechanism": "SCRAM-SHA-256",
    "schema.history.internal.consumer.sasl.jaas.config": "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"user1\" password=\"JXtC77mME4\";",
    "schema.history.internal.producer.security.protocol": "SASL_PLAINTEXT",
    "schema.history.internal.producer.sasl.mechanism": "SCRAM-SHA-256",
    "schema.history.internal.producer.sasl.jaas.config": "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"user1\" password=\"JXtC77mME4\";",
    "database.encrypt": "false",
    "slot.name": "test1",
    "key.converter.schemas.enable": "false",
    "value.converter.schemas.enable": "false",
    "key.converter": "org.apache.kafka.connect.json.JsonConverter",
    "value.converter": "org.apache.kafka.connect.json.JsonConverter",
    "decimal.handling.mode": "string",
    "datetime.handling.mode": "string",
    "tombstones.on.delete": "false",
    "group.id": "debezium-mssql-group",
    // ... transforms removed
  }
}
```
But when we do this, the Kafka Brokers stdout shows these messages, repeatedly:
```
[2025-03-11 15:07:27,826] INFO [SocketServer listenerType=BROKER, nodeId=0] Failed authentication with /10.1.204.20 (channelId=10.1.33.143:9095-10.1.204.20:34622-302) (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector) 
```
Any ideas on what we're doing wrong here?

Chris Cranford

Mar 11, 2025, 2:37:02 PM
to debe...@googlegroups.com
Hi Timothy -

Are you sure the broker is configured to support that authentication? Since this comes from the broker, it would seem the client is trying to use something different than the broker.

HTH,
-cc

Timothy Dilbert

Mar 11, 2025, 9:43:19 PM
to debezium
I was able to connect and create messages using a Kafka client configured with the following settings:

```
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
username="user1" \
password="JXtC77mME4";
```
Below is the `server.properties` file on one of the brokers:
```
# Listeners configuration
listeners=CLIENT://:9092,INTERNAL://:9094,EXTERNAL://:9095,CONTROLLER://:9093
advertised.listeners=CLIENT://kafka-controller-1.kafka-controller-headless.ky9998-003.svc.cluster.local:9092,INTERNAL://kafka-controller-1.kafka-controller-headless.ky9998-003.svc.cluster.local:9094,EXTERNAL://192.168.98.83:31093
listener.security.protocol.map=SASL_PLAINTEXT:SASL_PLAINTEXT,CLIENT:SASL_PLAINTEXT,INTERNAL:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
# KRaft process roles
process.roles=controller,broker
node.id=1
controller.listener.names=CONTROLLER
controller.quorum.voters=0...@kafka-controller-0.kafka-controller-headless.ky9998-003.svc.cluster.local:9093,1...@kafka-controller-1.kafka-controller-headless.ky9998-003.svc.cluster.local:9093,2...@kafka-controller-2.kafka-controller-headless.ky9998-003.svc.cluster.local:9093
# Kraft Controller listener SASL settings
sasl.mechanism.controller.protocol=PLAIN
listener.name.controller.sasl.enabled.mechanisms=PLAIN
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="controller_user" password="REMOVED" user_controller_user="REMOVED";
# Kafka data logs directory
log.dir=/bitnami/kafka/data
# Kafka application logs directory
logs.dir=/opt/bitnami/kafka/logs

# Common Kafka Configuration

sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-512
# Interbroker configuration
inter.broker.listener.name=INTERNAL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
# Listeners SASL JAAS configuration
listener.name.client.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required user_user1="JXtC77mME4";
listener.name.client.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.client.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.internal.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="inter_broker_user" password="REMOVED" user_inter_broker_user="REMOVED" user_user1="JXtC77mME4";
listener.name.internal.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="inter_broker_user" password="REMOVED";
listener.name.internal.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="inter_broker_user" password="REMOVED";
listener.name.external.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required user_user1="JXtC77mME4";
listener.name.external.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.external.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
```

rkerne...@gmail.com

Mar 12, 2025, 10:11:34 AM
to debezium
Hey, I don't know if this is a misunderstanding from my side, but in the connector config you use:

"schema.history.internal.producer.sasl.jaas.config": "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"user1\" password=\"JXtC77mME4\";"

but below in the broker config and the "Common Kafka Configuration" you are using `org.apache.kafka.common.security.plain.PlainLoginModule`.

Which one is correct?

Best, René
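
An added diagnostic example, not part of any poster's message and not Debezium or Kafka code: it maps the broker-side port in the logged `channelId` to a listener in `server.properties`, then checks a client's `security.protocol`, `sasl.mechanism` and login module against that listener. The function names are hypothetical, the input is a constructed subset of the files quoted in the thread, and the `channelId` layout (broker endpoint first) is inferred from the log line, whose second endpoint matches the reported client address.

```python
import re

# Constructed input: a subset of the server.properties and the broker log line quoted
# in the thread, with the password replaced by a placeholder.
SERVER_PROPERTIES = """\
listeners=CLIENT://:9092,INTERNAL://:9094,EXTERNAL://:9095,CONTROLLER://:9093
listener.security.protocol.map=SASL_PLAINTEXT:SASL_PLAINTEXT,CLIENT:SASL_PLAINTEXT,INTERNAL:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-512
listener.name.controller.sasl.enabled.mechanisms=PLAIN
listener.name.client.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required user_user1="PLACEHOLDER";
listener.name.client.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.external.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
"""
LOG_LINE = ("Failed authentication with /10.1.204.20 (channelId=10.1.33.143:9095-10.1.204.20:34622-302) "
            "(Unexpected Kafka request of type METADATA during SASL handshake.)")

def parse_listeners(text):
    """Map each listener port to its name, security protocol and {mechanism: login module}."""
    props = dict(l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    proto = dict(p.split(":") for p in props["listener.security.protocol.map"].split(","))
    by_port = {}
    for entry in props["listeners"].split(","):
        name, _, address = entry.partition("://")
        prefix = f"listener.name.{name.lower()}."
        mechs = props.get(prefix + "sasl.enabled.mechanisms", props["sasl.enabled.mechanisms"]).split(",")
        jaas = {m: props.get(f"{prefix}{m.lower()}.sasl.jaas.config") for m in mechs}
        modules = {m: j.split()[0].rsplit(".", 1)[-1] for m, j in jaas.items() if j}
        by_port[int(address.rsplit(":", 1)[1])] = {"name": name, "protocol": proto[name], "modules": modules}
    return by_port

def failing_listener(log_line, by_port):
    """The first endpoint in channelId is the broker side; its port identifies the listener."""
    match = re.search(r"channelId=[^:]+:(\d+)-", log_line)
    return by_port.get(int(match.group(1))) if match else None

def client_problems(client, listener):
    """Compare one Kafka client's settings with the listener's per-listener JAAS entries."""
    problems = []
    protocol = client.get("security.protocol", "PLAINTEXT")   # Kafka client default
    if protocol != listener["protocol"]:
        problems.append(f"security.protocol is {protocol}, listener expects {listener['protocol']}")
    mechanism = client.get("sasl.mechanism", "GSSAPI")        # Kafka client default
    expected = listener["modules"].get(mechanism)
    if expected is None:
        problems.append(f"{mechanism} has no JAAS entry on listener {listener['name']}")
    elif expected not in client.get("sasl.jaas.config", ""):
        problems.append(f"{mechanism} needs {expected} in sasl.jaas.config")
    return problems
```

On the thread's data the failure is logged on broker port 9095, the `EXTERNAL` listener, while the connector's `schema.history.internal.kafka.bootstrap.servers` names port 9092.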