Kafka brokers SCRAM-SHA-256 with kraft mode

Hi,
I have problem with Kafka broker in kraft mode. I installed Confluent platform with ansible script in version 7.5.2. And I need using scram-ssh-256. Scram-ssh-256 is not supported in ansible with kraft mode.
Can you help me with configuraion my kafka broker config is in attachment. I have problem that I cant login to kafka broker with using scram-ssh-256. But plain auth is OK.
I got error:

Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-256.

My deploy steps:

  1. install over ansible with plain auth.
  2. reconfiguration broker (add scram support in server.properties)
  3. restart broker

Please can you help me?

kafka server.properties

# Maintained by Ansible
advertised.listeners=INTERNAL://confluent-customer-kafka1.dev.local.sk:9092,BROKER://confluent-customer-kafka1.dev.local.sk:9091,SASL_SSL://confluent-customer-kafka1.dev.local.sk:9090
broker.id=1
confluent.ansible.managed=true
confluent.balancer.topic.replication.factor=1
confluent.basic.auth.credentials.source=USER_INFO
confluent.basic.auth.user.info=admin:admin-secret
confluent.cluster.link.metadata.topic.replication.factor=1
confluent.http.server.advertised.listeners=https://confluent-customer-kafka1.dev.local.sk:8090
confluent.http.server.listeners=https://0.0.0.0:8090
confluent.http.server.ssl.key.password=confluentkeystorestorepass
confluent.http.server.ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
confluent.http.server.ssl.keystore.password=confluentkeystorestorepass
confluent.http.server.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
confluent.http.server.ssl.truststore.password=confluenttruststorepass
confluent.license=secret_key
confluent.license.topic=_confluent-command
confluent.license.topic.replication.factor=1
confluent.metadata.topic.replication.factor=1
confluent.metrics.reporter.bootstrap.servers=confluent-customer-kafka1.dev.local.sk:9091
confluent.metrics.reporter.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";
confluent.metrics.reporter.sasl.mechanism=PLAIN
confluent.metrics.reporter.security.protocol=SASL_SSL
confluent.metrics.reporter.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
confluent.metrics.reporter.ssl.truststore.password=confluenttruststorepass
confluent.metrics.reporter.topic.replicas=1
confluent.schema.registry.url=http://confluent-customer-kafka2.dev.local.sk:8081,http://confluent-customer-kafka3.dev.local.sk:8081
confluent.security.event.logger.exporter.kafka.topic.replicas=1
confluent.support.customer.id=anonymous
confluent.support.metrics.enable=true
controller.listener.names=CONTROLLER
controller.quorum.voters=9991@confluent-customer-kafka1.dev.local.sk:9093
group.initial.rebalance.delay.ms=3000
inter.broker.listener.name=BROKER
kafka.rest.bootstrap.servers=confluent-customer-kafka1.dev.local.sk:9092
kafka.rest.client.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";
kafka.rest.client.sasl.mechanism=PLAIN
kafka.rest.client.security.protocol=SASL_SSL
kafka.rest.client.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
kafka.rest.client.ssl.truststore.password=confluenttruststorepass
kafka.rest.enable=true
listener.name.broker.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret"  user_admin="admin-secret" user_client="client-secret" user_schema-registry="schema_registry-secret" user_control-center="control_center-secret" user_user1="my-secret" user_user2="my-secret" user_user3="my-secret";
listener.name.broker.sasl.enabled.mechanisms=PLAIN
listener.name.broker.ssl.key.password=confluentkeystorestorepass
listener.name.broker.ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
listener.name.broker.ssl.keystore.password=confluentkeystorestorepass
listener.name.broker.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
listener.name.broker.ssl.truststore.password=confluenttruststorepass
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret"  user_admin="admin-secret" user_client="client-secret" user_schema-registry="schema_registry-secret" user_control-center="control_center-secret" user_user1="my-secret" user_user2="my-secret" user_user3="my-secret";
listener.name.controller.sasl.enabled.mechanisms=PLAIN
listener.name.internal.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret"  user_admin="admin-secret" user_client="client-secret" user_schema-registry="schema_registry-secret" user_control-center="control_center-secret" user_user1="my-secret" user_user2="my-secret" user_user3="my-secret";
listener.name.internal.sasl.enabled.mechanisms=PLAIN
listener.name.internal.ssl.key.password=confluentkeystorestorepass
listener.name.internal.ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
listener.name.internal.ssl.keystore.password=confluentkeystorestorepass
listener.name.internal.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
listener.name.internal.ssl.truststore.password=confluenttruststorepass
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT,INTERNAL:SASL_SSL,BROKER:SASL_SSL,SASL_SSL:SASL_SSL
listeners=INTERNAL://:9092,BROKER://:9091,SASL_SSL://:9090
log.dirs=/var/lib/kafka/data
log.retention.check.interval.ms=300000
log.retention.hours=168
log.segment.bytes=1073741824
metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter
num.io.threads=16
num.network.threads=8
num.partitions=1
num.recovery.threads.per.data.dir=2
offsets.topic.replication.factor=1
process.roles=broker
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
sasl.mechanism.controller.protocol=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
security.inter.sasl_ssl.protocol=SASL_SSL
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
socket.send.buffer.bytes=102400
ssl.key.password=confluentkeystorestorepass
ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
ssl.keystore.password=confluentkeystorestorepass
ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
ssl.truststore.password=confluenttruststorepass
transaction.state.log.min.isr=1
transaction.state.log.replication.factor=1
listener.name.sasl_ssl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret";
listener.name.sasl_ssl.sasl.enabled.mechanisms=SCRAM-SHA-256
listener.name.sasl_ssl.ssl.key.password=confluentkeystorestorepass
listener.name.sasl_ssl.ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
listener.name.sasl_ssl.ssl.keystore.password=confluentkeystorestorepass
listener.name.sasl_ssl.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
listener.name.sasl_ssl.ssl.truststore.password=confluenttruststorepass

kafka controller (kraft) server.properties

# Maintained by Ansible
confluent.ansible.managed=true
confluent.balancer.topic.replication.factor=1
confluent.license.topic=_confluent-command
confluent.license.topic.replication.factor=1
confluent.metadata.topic.replication.factor=1
confluent.metrics.reporter.bootstrap.servers=confluent-customer-kafka1.dev.local.sk:9091
confluent.metrics.reporter.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";
confluent.metrics.reporter.sasl.mechanism=PLAIN
confluent.metrics.reporter.security.protocol=SASL_SSL
confluent.metrics.reporter.ssl.truststore.location=/var/ssl/private/kafka_controller.truststore.jks
confluent.metrics.reporter.ssl.truststore.password=confluenttruststorepass
confluent.metrics.reporter.topic.replicas=1
confluent.schema.registry.url=http://confluent-customer-kafka2.dev.local.sk:8081,http://confluent-customer-kafka3.dev.local.sk:8081
confluent.security.event.logger.exporter.kafka.topic.replicas=1
confluent.support.customer.id=anonymous
confluent.support.metrics.enable=true
controller.listener.names=CONTROLLER
controller.quorum.voters=9991@confluent-customer-kafka1.dev.local.sk:9093
group.initial.rebalance.delay.ms=3000
inter.broker.listener.name=BROKER
kafka.rest.enable=false
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret"  user_admin="admin-secret" user_client="client-secret" user_schema-registry="schema_registry-secret" user_control-center="control_center-secret" user_user1="my-secret" user_user2="my-secret" user_user3="my-secret";
listener.name.controller.sasl.enabled.mechanisms=PLAIN
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT,BROKER:SASL_SSL
listeners=CONTROLLER://:9093
log.dirs=/var/lib/controller/data
log.retention.check.interval.ms=300000
log.retention.hours=168
log.segment.bytes=1073741824
metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter
node.id=9991
num.io.threads=16
num.network.threads=8
num.partitions=1
num.recovery.threads.per.data.dir=2
offsets.topic.replication.factor=1
process.roles=controller
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.controller.protocol=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
socket.send.buffer.bytes=102400
transaction.state.log.min.isr=1
transaction.state.log.replication.factor=1