Kafka Kerberos authentication doesn't work with Active Directory

[faec]

• Beat: All (Kafka output), Filebeat (Kafka input)
• Version: 7.x - current 8.x

Kerberos authentication for the Kafka input and output (currently in beta) has known issues with Microsoft Active Directory (a common Kerberos implementation). This usually results in the error "Client has run out of brokers to talk to" (Sarama, our Kafka library, doesn't currently surface more detailed errors during Kerberos authentication, and this is its generic fallback error which can indicate a wide variety of protocol and authentication failures). While we have seen the error in many deployments we haven't reproduced it on our own systems, so we can't yet trace the underlying cause.

In most cases where this problem is observed, the error arises immediately when authentication to Kafka is attempted. In rarer cases, the initial authentication seems to succeed but then arises while connecting to other nodes in the Kafka cluster. We don't have confirmation of any deployments that have successfully ingested to Kafka while authenticating via Active Directory.

Currently we do not know any workarounds.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[botelastic]

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

[cmacknz]

Still a problem.

[bbezanson]

Here are my observations on the issue:

• Still, an issue we are facing when we want to go from Filebeat to Kafka
• The workaround is to send Filebeat to Logstash and then use the Logstash Kafka Output Plugin https://www.elastic.co/guide/en/logstash/current/plugins-outputs-kafka.html, which supports Kerberos, to send to Kafka.
• Since both Filebeat and Logstash are Elastic products, one would hope the teams would compare implementations and have them use the same code libraries for Kerberos that works everywhere.

[AndrewMcQuerry]

Adding additional weight behind this issue.

We operate a production environment of 1,500+ Filebeat agents that have historically sent data directly to Kafka. As we are now working to move from SSL (no auth) to SASL/Kerberos, it is astonishing that Filebeat does not fully support this and that there's a known issue open for more than 2 years with little-to-no progress.

Anyone from Elastic have an update?

[nimarezainia]

@AndrewMcQuerry we appreciate the importance of this feature for your environment and others that we have come across. This is currently high priority on our roadmap list to attend to and we will communicate the release when development gets started. Thanks for your patience.