When a user tries to log in on the NetScaler Gateway login page and the login fails for some reason, the NetScaler displays the reason for the failure to the user. However, in some environments it may not be desirable to display the exact reason for the authentication failure, for security reasons.
For example, if a user logs in to the NetScaler Gateway with LDAP credentials and the LDAP user is disabled on the LDAP server, the NetScaler shows the error message "Your account is disabled" on the login page, even if a wrong password was entered. This may not be desirable, because it confirms to an attacker that the account is a valid LDAP user. One may prefer a more generic error message such as "authentication failed" or "wrong username or password" in such cases. Check below:
LDAP user account disabled:
Login Error Message:
There is no configuration option available to change the error message. However, you can achieve this by editing the en.xml file for the theme you are using.
The default line looks something like this:
<String id="errorMessageLabel4011">Your account is disabled.</String>
Here are the available themes:
You can edit these lines in the file to change the error messages to one of your choice.
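The edit described above, as an added Python example that is not part of the original article: it lists the error strings in a theme's en.xml that still reveal the failure reason and rewrites them to one generic message. It covers every errorMessageLabel entry rather than only the line shown above; the sample XML, the 9001 id, the function names and the generic message are assumptions.

```python
import re
from xml.sax.saxutils import escape

# One <String id="errorMessageLabelNNNN">text</String> element, as in the page's example line.
ERROR_LABEL = re.compile(
    r'(<String\s+id="(errorMessageLabel\d+)"\s*>)(.*?)(</String>)', re.DOTALL)

# Constructed sample, not a real en.xml: only errorMessageLabel4011 comes from
# the page; the root element and the other two entries are made up.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Resources>
  <String id="logonButton">Log On</String>
  <String id="errorMessageLabel4011">Your account is disabled.</String>
  <String id="errorMessageLabel9001">Placeholder: another specific reason.</String>
</Resources>
"""


def audit(xml_text, generic):
    """Return {id: text} for error labels that still show something other than `generic`."""
    return {m.group(2): m.group(3).strip()
            for m in ERROR_LABEL.finditer(xml_text)
            if m.group(3).strip() != escape(generic)}


def genericize(xml_text, generic, only_ids=None):
    """Set error label text to `generic`; every other byte of the file is kept.

    only_ids limits the change to the given String ids (None = all error labels).
    """
    def repl(m):
        if only_ids is not None and m.group(2) not in only_ids:
            return m.group(0)  # leave this label exactly as it was
        return m.group(1) + escape(generic) + m.group(4)
    return ERROR_LABEL.sub(repl, xml_text)


if __name__ == "__main__":
    message = "Authentication failed."
    print("before:", audit(SAMPLE, message))
    hardened = genericize(SAMPLE, message)
    print("after: ", audit(hardened, message))  # empty dict when nothing leaks
    print(hardened)
```

Run it against a copy of the theme's en.xml and diff the result before replacing the file.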
For more information about the AAA error codes on NetScaler, see the link below:
https://support.citrix.com/article/CTX138663