Memcached Binary Protocol SASL Auth Failure - Fix

Introduction Memcached supports SASL authentication over the binary protocol to restrict access to authorized users. When SASL authentication fails—due to misconfigured credentials, missing SASL libraries, or protocol version mismatch—clients cannot connect to the Memcached server, leaving the cache inaccessible.

Symptoms - `AUTHENTICATION FAILURE` in Memcached logs - Client reports `SASL authentication failed` or `AUTH error` - Connection established but all commands return `CLIENT_ERROR authentication required` - `echo "stats" | nc localhost 11211` works (text protocol) but binary protocol fails - Application startup fails when connecting to authenticated Memcached

Common Causes - SASL not enabled on the Memcached server - SASL user not created in the SASL database - Client using text protocol instead of binary protocol - SASL library (cyrus-sasl) not installed on the server - Password mismatch between server configuration and client

Step-by-Step Fix 1. **Verify SASL is enabled on the server": ```bash # Check if memcached was compiled with SASL support memcached -h | grep -i sasl # Should show: -S, --enable-sasl Turn on Sasl authentication

# Start with SASL enabled memcached -S -o binary ```

1.**Create SASL user credentials":
2.```bash
3.# Install SASL utilities
4.sudo apt install sasl2-bin

# Create the SASL database sudo saslpasswd2 -a memcached -c memcache_user # Enter password when prompted

# Verify the user exists sasldblistusers2 # Should show: memcache_user@hostname: userPassword ```

1.**Test authentication with memcstat":
2.```bash
3.# Using libmemcached tools
4.memcstat --servers=localhost:11211 --username=memcache_user --password=secret

# Or with telnet (should fail without auth) echo "stats" | nc localhost 11211 # Should return: CLIENT_ERROR authentication required ```

1.**Configure the client for SASL authentication":
2.```python
3.# Python with pymemcache (binary protocol with SASL)
4.from pymemcache.client import Client

client = Client( ('localhost', 11211), username='memcache_user', password='secret' ) client.set('key', 'value') ```

1.**For Java Spymemcached":
2.```java
3.import net.spy.memcached.*;

AuthDescriptor ad = new AuthDescriptor( new String[]{"PLAIN"}, new PlainCallbackHandler("memcache_user", "secret") );

MemcachedClient mc = new MemcachedClient( new ConnectionFactoryBuilder() .setProtocol(ConnectionFactoryBuilder.Protocol.BINARY) .setAuthDescriptor(ad) .build(), AddrUtil.getAddresses("localhost:11211") ); ```

Prevention - Test SASL authentication after every Memcached upgrade - Store credentials securely using a secrets manager - Use the binary protocol exclusively when SASL is enabled - Monitor authentication failures in Memcached logs - Document the SASL setup procedure for new environments - Use IAM-based or certificate authentication where available - Regularly rotate SASL credentials as part of security audits

Memcached Binary Protocol SASL Authentication Failure

Common Causes - SASL not enabled on the Memcached server - SASL user not created in the SASL database - Client using text protocol instead of binary protocol - SASL library (cyrus-sasl) not installed on the server - Password mismatch between server configuration and client

Step-by-Step Fix 1. **Verify SASL is enabled on the server": ```bash # Check if memcached was compiled with SASL support memcached -h | grep -i sasl # Should show: -S, --enable-sasl Turn on Sasl authentication

Share this guide

More Memcached Troubleshooting Guides

Memcached Stats Counter Overflow Causing Monitoring Inaccuracies

Memcached Item Too Large for Slab Class Causing Storage Failures

Memcached UDP Amplification Attack Mitigation and Defense

Memcached Cluster Node Failure Causing Cache Miss Spike

Memcached LRU Crawler Not Reclaiming Memory from Expired Items

Memcached Eviction Due to Memory Pressure on Hot Keys