Skip to main content

I have been trying to create a new Scan with "Non-Google account" authentication for a while and always fails with a FAILED_TO_AUTHENTICATE_TO_TARGET error code.

According to the documentation, the possible issues could be:

  • Using non-standard HTML form fields, for example, not using a password type.
  • Using a complicated login form, for example, a form that has more than a single username and password field.
  • Not saving an authentication cookie on successful login.
  • In some situations, the scanner is denied by counter-measures that are meant to protect against bots, DDOS, and other attacks.

I can confirm that a simple form is being used, it has no more that a single username and password field, a cookie is created after a successful login and the scanner is not denied access in any form.

Moreover, checking the application logs I can confirm that the Web Security Scan is able to login and a session cookie is created, but I'm still receiving a FAILED_TO_AUTHENTICATE_TO_TARGET error code and the Scan is not created.

Any help with the subject would be deeply appreciated.

Hi @Ricka, have you had a chance to forward your findings to GCP Support yet?


In this scenario, do the two fields in the form have names like username and password or are they named/typed as something else entirely?   If they are typed as something else, have you tried modifying them to be the above two values and trying again?

To add to Vasken, have you tried to login using a different login?


Web scanner only works for App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications not BEHIND firewalls

Hi, thanks for the feedback, I'm waiting on Support as well.

The application is not running behind a firewall, and currently accessed through a load balancer.

The form has a "password" name, type and id and a "username" name and id, typed as text.

 

At this point support route could be possibly the best way forward. If it's possible, could you please update the post once you have some more details from support for any potential solution?


There are a few other things you can check in situations like this:


- You can try to change the 'User Agent' used by the Scanner, in case there are some issues between the User Agent used by the scanner and what the Application expects


- If the scan does not fail with the auth issue immediately then check for any short session timeouts 


- Use Developers tools in your browser and inspect the traffic between the application and your browser manually to see if there's anything unexpected (eg special redirects) happening; check if the cookie delivered to your browser have all the right flags enabled.


- Check for any Exclusion URL's defined for the scanner and remove any for testing which may relate to the traffic flow identified using the Developers Tools from the step before


- If possible enable some more verbose logs on the Application side and see if there's any specific error received on the App side after the initial successful authentication

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.