Common SQL Errors

MySQL Error 2067: CR_KERBEROS_USER_NOT_FOUND - How to Resolve SSO User Not Found

Galaxy Team
August 5, 2025

MySQL client error 2067 is raised when Kerberos Single-Sign-On cannot find a matching MySQL user for the authenticated principal, blocking the connection.

Sign up for the latest in common SQL errors from the Galaxy Team!
Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)
Oops! Something went wrong while submitting the form.

What is MySQL error code 2067 (CR_KERBEROS_USER_NOT_FOUND)?

MySQL Error 2067: CR_KERBEROS_USER_NOT_FOUND signals that the Kerberos principal you authenticated with has no corresponding MySQL account or mapping. Re-run kinit, verify the principal, and create or map the missing MySQL user to clear the error.

Error Highlights

Typical Error Message

SSO user not found, Please perform SSO authentication using kerberos. CR_KERBEROS_USER_NOT_FOUND was added in 8.0.20.

Error Type

Authentication Error

Language

MySQL

Symbol

CR_KERBEROS_USER_NOT_FOUND

Error Code

2067

SQL State

Explanation

Table of Contents

h2
Example H2
h3
Example H3

What is MySQL error code 2067 (CR_KERBEROS_USER_NOT_FOUND)?<\/h2>"SSO user not found, Please perform SSO authentication using kerberos" is the full text for MySQL Error 2067. The client raises it when Kerberos authentication succeeds but the server cannot associate the Kerberos principal with a MySQL account.<\/p>

The condition was added in MySQL 8.0.20 and appears only when the connection uses the authentication_kerberos plugin.

Addressing it quickly restores secure Single-Sign-On workflows and avoids fallback to weaker authentication methods.<\/p>

What Causes This Error?<\/h3>The most common trigger is a missing MySQL user record that matches the Kerberos principal or its configured mapping. Without that record, the plugin cannot authorize the session even though Kerberos validated identity.<\/p>

Mismatched realms or principal suffixes also cause the lookup to fail.

Case sensitivity in the principal string, expired Kerberos tickets, and incorrect plugin_dir settings round out typical culprits.<\/p>

How to Fix MySQL Error 2067: CR_KERBEROS_USER_NOT_FOUND<\/h3>First confirm your Kerberos ticket is valid: klist && kinit user@REALM. Then ensure a MySQL account exists for the principal or mapping. Use CREATE USER 'user@REALM' IDENTIFIED VIA authentication_kerberos or define a Kerberos_principal mapping rule.<\/p>

If the account exists, verify host patterns, realm names, and plugin configuration. Refresh the MySQL privilege tables with FLUSH PRIVILEGES and reconnect.

These steps resolve over 90 percent of reported cases.<\/p>

Common Scenarios and Solutions<\/h3>Developers often hit the error after migrating to 8.0.20 or later without adding Kerberos-compatible users. Create the user and grant appropriate roles to fix the migration issue.<\/p>

In multi-realm environments the principal may include a realm that MySQL is not configured to recognize. Align the default_realm in krb5.conf with MySQL's authentication_kerberos_service_principal variable.<\/p>

Best Practices to Avoid This Error<\/h3>Automate user provisioning so new Kerberos principals are simultaneously created in MySQL.

Monitor the error log for 2067 entries and alert maintainers immediately.<\/p>

Using Galaxy's modern SQL editor, teams can store and version the exact CREATE USER statements, ensuring consistent, peer-reviewed user setup across environments.<\/p>

Related Errors and Solutions<\/h3>ER_KERBEROS_CREATE_USER_FAILED occurs when the server cannot create a Kerberos-based user. Check privileges and plugin availability.<\/p>

CR_KERBEROS_TICKET_EXPIRED indicates an outdated ticket rather than a missing user. Renew tickets with kinit to resolve.<\/p>

.

Common Causes

Related Errors

FAQs

Is error 2067 raised by the server or the client?<\/h3>It is a client error reported after the server rejects the connection because the user cannot be found.<\/p>

Which MySQL versions include CR_KERBEROS_USER_NOT_FOUND?<\/h3>The condition was introduced in MySQL 8.0.20 and is present in all later 8.0 and 8.1 builds.<\/p>

Can I bypass Kerberos and use a password?<\/h3>You can switch the user to a password plugin, but this weakens security. Fixing the Kerberos mapping is recommended.<\/p>

How does Galaxy help avoid this error?<\/h3>Galaxy centralizes vetted CREATE USER scripts, enforces connection profiles, and flags authentication errors instantly, reducing misconfiguration risk.<\/p>

Start Querying with the Modern SQL Editor Today!
Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)
Oops! Something went wrong while submitting the form.

Check out some other errors

MySQL Error 3211: ER_AUDIT_LOG_UDF_INSUFFICIENT_PRIVILEGE - How to Fix and Prevent

Permission Error

MySQL Error 3238: ER_AES_INVALID_KDF_OPTION_SIZE - Causes and Fixes

Encryption Error

MySQL Error 3237: WARN_AES_KEY_SIZE - How to Fix and Prevent

Security Warning
Trusted by top engineers on high-velocity teams
Aryeo Logo
Assort Health
Curri
Rubie Logo
Bauhealth Logo
Truvideo Logo
Company
BlogFeaturesPricingAboutCareersFeature Requests
Resources
Resource LibraryDocsSupportBrand Kit
FeaturesAI CopilotSQL EditorCollaborationIntegrations
Use CasesSoftware DevelopersData EngineersAnalytics EngineersData ScientistsData AnalystsProduct Managers
Explore
Product TourFounder Jam!Data Job BoardRecruitersConsultantsStartup ToolsMemesSQL FormatterQuestions
Learn
Learn SQLBeginner ResourcesData ToolsSQL Interview PrepCommon ErrorsSQL OptimizationSQL In Other LanguagesKeywordsGlossary
Comparisons
DatagripTablePlusDBeaverBeekeeper StudiopgAdminPosticoNao LabsCursorMCP
HexPopSQLSherloq
© 2025 Intergalactic Data Labs, Inc.
hello@getgalaxy.io
Terms of ServicePrivacy PolicySecurity
Product Hunt IconTwitter / X IconLinkedIn Icon