Product Line
Power Monitoring Expert 9.0

Environment 
Web Application - User Manager - Windows Users/Groups

Issue 1
Unable to add a Windows Group that is part of the Active Directory (AD - domain) using Web Application - User Manager. The following error message is displayed: 

"<p>The windows group search could not be completed due to the following code: <b>500 error</b></p>" 
Resolution 1
As an example, assume that the Windows Group to be added is in the domain:"office.mycompany.net"
The resolution is as follow:

• Add a TopContainer  (string)
  • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Schneider Electric\Power Monitoring Expert\9.0\Security
  • Name: TopLevelContainer
  • Value: dc=office;dc=mycompany;dc=net   (Note: The value needs to match the domain, in this example "office.mycompany.net")
• Restart the IIS and the  ION Application Modules services

Issue 2
After applying Resolution 1, the Windows Group can be successfully added to PME, however it is not possible to log into Web Application with a user that is a member of that group. 
Fail to log into Web Application when using users from a Windows Group in the Active Directory (AD), previously added to PME User Manager. The following error message is displayed: 

“500-Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed”

Cause
When the user was authenticating it would get groups from the Active directly controller. If it failed, it would try a different way to get the groups. Once this was done and the user was authenticated, PME would requests groups again so that it could see if the Windows user was part of multiple Windows groups in PME, so it can give that user the highest access from all those PME windows groups.
This second request for groups only checked one way.  So the fix is to basically duplicate the same was the first groups request was done (if fails, then try the second way).
If the windows user turned out that their login had supervisor access, the second get groups was ignored as they already had the highest level access so there was no reason to see what other groups the user might be part of.

Resolution 2
The attached hotfix was released to address this issue. 
Please note that this hotfix is built for PME 9.0 - Cumulative Update 2 - ONLY! - Make sure the cumulative update has been installed prior to applying this resolution. 

- Backup all the Framework.Common.dll and Framework.Interfaces.dll from all the locations indicated below
- Stop the ION Application Services
- Place the new Framework.Common.dll and Framework.Interfaces.dll in all the locations indicated below
- Restart ION Application Services

Power Moniorting Expert Directory:

• applications\AlarmConfiguration\bin
• applications\Alarms\bin
• applications\ApplicationFramework\bin
• applications\bin (the Framework.ServiceHost.exe.config does not need to be replaced)
• applications\Dashboards\bin
• applications\Diagrams\bin
• applications\EWS\bin
• applications\HierarchyManager\bin
• applications\ModelingConfig\bin
• applications\RateEditor\bin
• applications\Slideshow\bin
• applications\SystemDataService\bin
• applications\Teams\bin
• applications\Trends\bin
• system\bin
• system\ReportDataService\bin
• system\WebReach\bin
• system\WebServices\bin
• web\bin

WARNING: It was found on one customer that applying the Framework.Common.Dll hotfix broke their Reports Tab giving the error "Server Error in '/reporter' Application".  If this is the case you can either try to revert the \Power Monitoring Expert\web\bin\Framework.Common.dll back to the CU2 version, or you might have to revert all of the Framework.Common.Dlls back to their CU2 version.  Please let Tech Support know if you run into this same issue.

Additional Note:
When a Windows Group or user is added to the Users tab with the supervisor access level, they get automatically put into the Global PME user group where all resources are visible. But if Windows Group or user is added as a lower access level (controller, operator, user, observer) to the Users tab, AND there are more than one PME Groups present, then they will be placed in an Unassigned state. This means you have to go to the User Groups tab in User Manager and assign the user you have added on the User tab to a PME group.
Therefore, an extra step is required for lower than supervisor user-level IF and only if there are more than one groups configured. Basically that user needs to be added to a PME group that has the desired access level.