When you log in to the Windows Administration Console with a valid username and an incorrect password, it displays an error indicating that the password was wrong. This behavior can be used to create a list of valid users (username enumeration), which may result in undesired information disclosure.
Perform the following steps to display a login failure message that does not reveal whether the failure was due to an invalid username or an incorrect password:
1. Open the iManager C:\Program Files (x86)\Novell\Tomcat\webapps\nps\WEB-INF\config.xml file.
2. Set the value of the following setting to true:

    <setting>
      <name><![CDATA[Authenticate.Form.HideLoginFailReason]]></name>
      <value><![CDATA[false]]></value>
    </setting>
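To confirm the change after editing, the following added example (not part of the original documentation or of iManager) parses the contents of config.xml and reports the state of the setting. The function name `hide_fail_reason_status`, the `<configuration>` wrapper element and the second setting in the sample are assumptions; only the `<setting>` element itself comes from the page.

```python
import xml.etree.ElementTree as ET

SETTING = "Authenticate.Form.HideLoginFailReason"  # setting name from the page

# Constructed sample input. Only the HideLoginFailReason <setting> element is
# taken from the page; the wrapper and the other setting are assumptions.
SAMPLE = """<configuration>
  <setting>
    <name><![CDATA[Example.Other.Setting]]></name>
    <value><![CDATA[abc]]></value>
  </setting>
  <setting>
    <name><![CDATA[Authenticate.Form.HideLoginFailReason]]></name>
    <value><![CDATA[false]]></value>
  </setting>
</configuration>"""


def hide_fail_reason_status(xml_text):
    """Return 'enabled', 'disabled', 'missing' or 'ambiguous' (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    values = []
    # iter() walks the whole tree (root included), so the exact layout
    # above the <setting> elements does not need to be known.
    for setting in root.iter("setting"):
        name = (setting.findtext("name") or "").strip()
        if name == SETTING:
            values.append((setting.findtext("value") or "").strip())
    if not values:
        return "missing"      # setting absent: login failures are not hidden by this file
    if len(set(values)) > 1:
        return "ambiguous"    # duplicate entries that disagree; fix by hand
    # Strict match: only the literal value the page asks for counts as enabled.
    return "enabled" if values[0] == "true" else "disabled"


if __name__ == "__main__":
    # Replace SAMPLE with the text of the real config.xml to audit a server.
    print(SETTING, "->", hide_fail_reason_status(SAMPLE))
```

Any result other than `enabled` means the login page can still distinguish a wrong password from an unknown username.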