Use Kerberos authentication

Learn how and when to configure Kerberos authentication.

LDAP authentication is generally easier to configure for remote clients, because it does not require Kerberos libraries or clients to be installed and the remote clients do not need direct connectivity to your Kerberos or LDAP server.

In some situations, though, Kerberos authentication may be required and/or preferred. In this section, you run the same kafka-console-consumer command you used for LDAP authentication, but this time using Kerberos authentication to demonstrate the required configuration.

When using Kerberos, you can use two different sources for the authentication credentials: a ticket cache or a keytab. The ticket cache is the place where the Kerberos ticket for a user is stored after the user authenticates successfully. You can use the ticket cache when the user has been already authenticated using a username and password. The keytab is a special and sensitive file that contains the user credentials. Keytabs do not require that the user authenticates previously.

In this example, you create a new configuration file called, which is similar to the file that you used in the previous example but with Kerberos-specific parameters. You also need an additional configuration file, which you call either jaas-cache.conf or jaas-keytab.conf, depending on the credentials source you use. This JAAS configuration file is used to communicate the authentication credentials source (ticket cache or keytab) to the Kafka client.

For more details on how to enable Kerberos authentication for Kafka, see Enable Kerberos authentication for Kafka clients.