
How to solve the DTD IS PROHIBITED error when connecting to SharePoint Online

Problem:

When configuring a connection to SharePoint Online in CodeTwo Backup, you get the following error:

Exception: For security reasons DTD is prohibited in this XML document.

This stops you from completing the connection wizard successfully.

Solution:

This problem is most likely caused by a DNS assistance service (also known as DNS hijacking or DNS redirection) run by your Internet Service Provider (ISP). When CodeTwo Backup connects to SharePoint Online, the credentials you entered in the Admin’s credentials step of the SharePoint Server connection wizard must be authenticated. To use the authentication server closest to your location, SharePoint first requests a small XML configuration file from msoid.[organization_name].onmicrosoft.com, a host name within your Office 365 tenant ([organization_name] is the first label of your initial Office 365 domain; if your initial domain is my-first-company.onmicrosoft.com, the host name is msoid.my-first-company.onmicrosoft.com).

Normally, if that name cannot be resolved (usually because there is no CNAME record for MSOID), the request simply fails, either with a failed lookup or with an HTTP error such as 404, and SharePoint switches to a general, US-located authentication server; authentication still works, just possibly more slowly. If your ISP uses DNS assistance, however, the resolver does not admit the failure. It answers with the address of the ISP’s search portal, which returns an HTML page of search results for the unresolved name with HTTP status 200. SharePoint Online therefore behaves as if it had reached msoid.[organization_name].onmicrosoft.com and tries to parse the search page as the expected XML file. An HTML page begins with a <!DOCTYPE ...> declaration, that is, a document type definition, and the .NET XML parser rejects DTDs by default (DtdProcessing.Prohibit), which produces exactly the "For security reasons DTD is prohibited in this XML document" exception quoted above.
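The following PowerShell script is an added example, not code from the CodeTwo article, that makes the two halves of this explanation visible on your own machine: it feeds a constructed HTML page to the .NET XmlReader to reproduce the exact exception, and it asks your configured DNS server about a name that cannot exist to see whether the server "assists" instead of answering NXDOMAIN. The tenant name my-first-company and the probe label are assumptions; the HTML and XML snippets are constructed stand-ins.

```powershell
# Added example (not part of the CodeTwo article). Tenant name is an assumption.
$tenant = 'my-first-company'

# --- 1. Why the error text talks about a DTD ---------------------------------
# .NET's XmlReader defaults to DtdProcessing.Prohibit. Every HTML page starts with a
# <!DOCTYPE ...> declaration, so a search page parsed as XML fails with the exception
# quoted in the Problem section. Both inputs below are constructed stand-ins.
$searchPageHtml = @'
<!DOCTYPE html>
<html><head><title>Search results</title></head>
<body><p>Did you mean ...?</p></body></html>
'@
$expectedXml = @'
<?xml version="1.0" encoding="utf-8"?>
<config><endpoint>example</endpoint></config>
'@

function Test-ParseAsXml {
    param([string]$Text)
    # Default XmlReaderSettings: DtdProcessing = Prohibit
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader($Text)))
    try {
        while ($reader.Read()) { }      # walk every node; a DOCTYPE aborts the read
        return 'parsed OK'
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }   # unwrap MethodInvocationException
        return "$($e.GetType().Name): $($e.Message)"
    } finally {
        $reader.Dispose()
    }
}

'XML file : ' + (Test-ParseAsXml $expectedXml)
'HTML page: ' + (Test-ParseAsXml $searchPageHtml)

# --- 2. Is your resolver "assisting"? ---------------------------------------
# An honest resolver answers NXDOMAIN for a name that cannot exist; a DNS-assistance
# resolver answers with the address of its search portal. -DnsOnly bypasses the hosts
# file so you see what the DNS server itself says.
function Test-DnsAssistance {
    param([string]$Tenant)
    $bogus = 'probe-{0}.onmicrosoft.com' -f ([guid]::NewGuid().ToString('N'))
    foreach ($name in @($bogus, "msoid.$Tenant.onmicrosoft.com")) {
        try {
            $rr = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop
            $a  = @($rr | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
            [pscustomobject]@{ Name = $name; Answer = ($a -join ', ') }
        } catch {
            [pscustomobject]@{ Name = $name; Answer = 'NXDOMAIN (no redirection)' }
        }
    }
}

Test-DnsAssistance -Tenant $tenant | Format-Table -AutoSize
```

Reading the output: the XML sample parses, while the HTML sample stops at the DOCTYPE with an XmlException whose message begins "For security reasons DTD is prohibited in this XML document". If the random probe name comes back with an A record rather than NXDOMAIN, your resolver is redirecting unresolvable names, and if msoid.[organization_name].onmicrosoft.com resolves to that same address, that is the page SharePoint is trying to parse.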

Depending on your circumstances, there are several ways to solve this problem:

Adding a new CNAME record to your DNS server

If you run your own DNS server, you can add the following CNAME record to your DNS:

Type: CNAME
Alias/host name: MSOID
Address: clientconfig.microsoftonline-p.net

This way, the authentication query will be directed to the appropriate Microsoft server.

Turning off DNS assistance or switching to another DNS server without the DNS assistance service

Although not always possible, disabling DNS assistance, or selecting another DNS server of your ISP that does not offer such a service, prevents SharePoint from receiving the search results page when the ISP’s DNS server fails to resolve msoid.[organization_name].onmicrosoft.com.

Switching the default DNS server to a DNS server run by another provider

You can, for example, switch to Google Public DNS, OpenDNS or any other trusted third-party DNS server. To do so:

  1. Go to Control Panel > Network and Sharing Center > Change adapter settings.
  2. Right-click your ethernet or wireless connection and select Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  4. Select the Use the following DNS server addresses option and provide the appropriate IP addresses (Fig. 1.), for example:
    • Google DNS:
      primary: 8.8.8.8
      secondary: 8.8.4.4
    • OpenDNS:
      primary: 208.67.222.222
      secondary: 208.67.220.220

Fig. 1. Changing the default DNS server settings.

  5. Click OK to save your configuration.
  6. Restart your machine (or at least flush the DNS resolver cache with ipconfig /flushdns and restart CodeTwo Backup).

The aim of this solution is for the lookup of msoid.[organization_name].onmicrosoft.com to fail cleanly (NXDOMAIN instead of a redirected answer), so that SharePoint Online transfers the authentication process to the general authentication server.
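The same change can be scripted, which is handier than the Control Panel steps when several backup servers are affected. The script below is an added example, not part of the CodeTwo article; it must run from an elevated PowerShell prompt, and the interface alias "Ethernet" is an assumption (list yours with Get-NetAdapter).

```powershell
# Added example (not part of the CodeTwo article). Run elevated. "Ethernet" is an assumption.
$alias = 'Ethernet'

# Record the current servers so the change can be reverted later.
Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4

# Google Public DNS; use '208.67.222.222', '208.67.220.220' for OpenDNS instead.
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses '8.8.8.8', '8.8.4.4'
Clear-DnsClientCache      # same effect as ipconfig /flushdns, no reboot needed

# A name that cannot exist must now come back as NXDOMAIN, not as a search portal address.
$bogus = 'probe-{0}.onmicrosoft.com' -f ([guid]::NewGuid().ToString('N'))
try {
    $rr  = Resolve-DnsName -Name $bogus -Type A -DnsOnly -ErrorAction Stop
    $ips = @($rr | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
    Write-Warning "$bogus still resolves to $ips : the resolver is still redirecting unresolvable names."
} catch {
    Write-Output "$bogus -> NXDOMAIN, as expected; re-run the CodeTwo Backup connection wizard."
}

# To go back to the ISP/DHCP-assigned servers:
# Set-DnsClientServerAddress -InterfaceAlias $alias -ResetServerAddresses
```

The verification step matters: if the probe name still resolves after the switch, the ISP may be intercepting DNS traffic regardless of the configured server, and this solution will not help.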

Redirecting the authentication query to an address that will return a proper 404 error message 

You can modify the hosts file (located at %windir%\System32\drivers\etc\hosts) so that the authentication host names resolve to your own machine, where a local IIS web site answers the request with a genuine HTTP 404 because the requested file does not exist there. Add the following entries to the file:

127.0.0.1 msoid.[organization_name].onmicrosoft.com
127.0.0.1 msoid.onmicrosoft.com

Alternatively, if you don’t use IIS (Internet Information Services), you can point the names at a Google server address instead, which also answers with a 404 for the unknown host name. Be aware that this relies on a third party’s address and behaviour, both of which can change without notice, so prefer an address you control where you can:

216.58.209.67 msoid.[organization_name].onmicrosoft.com
216.58.209.67 msoid.onmicrosoft.com

Make sure to substitute [organization_name] with the first part of your initial Office 365 domain name.

The aim of this solution is for the request to receive a genuine HTTP 404 response instead of a 200 search page, so that SharePoint Online transfers the authentication process to the general authentication server. After editing the hosts file, flush the DNS resolver cache (ipconfig /flushdns) before re-running the connection wizard.
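The script below is an added example, not part of the CodeTwo article, that applies the hosts-file variant from an elevated PowerShell prompt and then verifies both halves of it: that the names now resolve to the loopback address, and that an HTTP request to the name ends in an error rather than a 200 HTML page. The tenant name my-first-company and the http scheme used in the final check are assumptions; adjust them to what your own environment shows.

```powershell
# Added example (not part of the CodeTwo article). Run elevated.
# Tenant name and the http scheme in step 3 are assumptions.
$tenant = 'my-first-company'
$names  = @("msoid.$tenant.onmicrosoft.com", 'msoid.onmicrosoft.com')
$hosts  = Join-Path $env:windir 'System32\drivers\etc\hosts'

# 0. Something must listen on 127.0.0.1, otherwise nothing answers the request.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if (-not $iis -or $iis.Status -ne 'Running') {
    Write-Warning 'IIS (W3SVC) is not running; use the alternative target described above instead.'
}

# 1. Back up the file and add each name once (skip names that are already mapped).
Copy-Item -Path $hosts -Destination ('{0}.bak-{1}' -f $hosts, (Get-Date -Format 'yyyyMMddHHmmss'))
foreach ($n in $names) {
    $pattern = '^\s*\S+\s+' + [regex]::Escape($n) + '\s*$'
    if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
        Add-Content -Path $hosts -Value "127.0.0.1`t$n" -Encoding Ascii
    }
}
Clear-DnsClientCache

# 2. Both names must now resolve to loopback (GetHostAddresses honours the hosts file).
foreach ($n in $names) {
    $ips = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
    '{0} -> {1}' -f $n, ($ips -join ', ')
}

# 3. The request must now end in a real HTTP error, never a 200 search page.
try {
    $r = Invoke-WebRequest -Uri "http://msoid.$tenant.onmicrosoft.com/" -UseBasicParsing -ErrorAction Stop
    Write-Warning ('Still got HTTP {0}: a page is being served for this name' -f $r.StatusCode)
} catch {
    $resp = $_.Exception.Response
    if ($resp) { 'HTTP {0} returned; SharePoint Online will fall back to the general server' -f [int]$resp.StatusCode }
    else       { 'No HTTP response: ' + $_.Exception.Message }
}
```

Step 2 deliberately uses System.Net.Dns rather than Resolve-DnsName -DnsOnly, because here you want to see the result the application will get, hosts file included. If step 3 reports a 200, either the hosts entry was not picked up (check for a stale cache or a misspelt tenant label) or another process is intercepting the request.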
