How to solve the DTD IS PROHIBITED error when connecting to SharePoint Online
Problem:
When configuring a connection to SharePoint Online in CodeTwo Backup, you get the following error:
Exception: For security reasons DTD is prohibited in this XML document.
This stops you from completing the connection wizard successfully.
Solution:
This problem is most likely caused by the DNS assistance service (also known as DNS hijacking or DNS redirection) used by your Internet Service Provider (ISP). When CodeTwo Backup tries to connect to SharePoint Online, the credentials that you entered in the Admin’s credentials step of the SharePoint Server connection wizard must be authenticated. To speed up the authentication process by using the correct server for your location, SharePoint requests a special XML file from msoid.[organization_name].onmicrosoft.com, a domain within your Office 365 tenant ([organization_name] is the first part of your initial Office 365 domain name; for example, if your initial domain was my-first-company.onmicrosoft.com, the domain address would be msoid.my-first-company.onmicrosoft.com). If the DNS server is unable to resolve this query (usually because it does not contain a CNAME record for MSOID), it returns a 404 error. Upon receiving the 404 error, SharePoint switches authentication to a general, US-located authentication server, which means the authentication might be slower. However, if your ISP uses DNS assistance, instead of returning the 404 error, the DNS assistance returns an HTML file with search results for the unresolved query. Since the HTTP status code for the search results file is 200, SharePoint Online behaves as if it had successfully connected to the authentication domain (msoid.[organization_name].onmicrosoft.com) and attempts to process the search results file as if it were the expected XML file. An HTML page begins with a DOCTYPE declaration, which the XML parser rejects with the DTD-prohibited error above.
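To confirm that the mechanism described above is what you are hitting, the following Python diagnostic is an added example (not part of this article or of CodeTwo Backup): it probes your resolver with a random label to detect DNS assistance, and classifies what the msoid host returns the way the text describes. The random-label probe and the plain-HTTP request to the host root are assumptions of the example; the article names only the host.

```python
import re
import secrets
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

HTML_MARKER = re.compile(rb"^\s*(<!DOCTYPE\s+html|<html)", re.IGNORECASE)


def dns_assistance_active(zone="onmicrosoft.com"):
    """Resolve a random label under `zone` (assumed probe, not a CodeTwo step).
    A correct resolver answers NXDOMAIN (gaierror); an IP answer means the
    resolver substitutes its own search page, i.e. DNS assistance is on."""
    bogus = f"diag-{secrets.token_hex(8)}.{zone}"
    try:
        socket.gethostbyname(bogus)
        return True
    except socket.gaierror:
        return False


def classify_response(status, content_type, body):
    """Mirror the decision the article describes and name the failure mode."""
    if status == 404:
        return "fallback"   # no CNAME: SharePoint moves to the general server
    if status != 200:
        return "error"
    if "html" in content_type.lower() or HTML_MARKER.match(body):
        return "hijacked"   # 200 + search page: the ISP's DNS assistance
    if re.search(rb"<!DOCTYPE", body, re.IGNORECASE):
        return "dtd"        # any DOCTYPE is what the DTD-prohibited check rejects
    try:
        ET.fromstring(body)
    except ET.ParseError:
        return "malformed"
    return "xml"


def diagnose(org):
    """Fetch the msoid endpoint for tenant `org` (network required).
    Plain HTTP on the host root is an assumption of this example."""
    url = f"http://msoid.{org}.onmicrosoft.com/"
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return classify_response(r.status, r.headers.get("Content-Type", ""), r.read())
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.headers.get("Content-Type", ""), e.read())
    except urllib.error.URLError:
        return "unresolved"  # name does not resolve: healthy DNS, no hijack
```

A result of "hijacked" from diagnose() or True from dns_assistance_active() points at the ISP resolver; "fallback" or "unresolved" is the normal slow-path behaviour.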
Depending on your circumstances, there are several ways to solve this problem:
- add a new CNAME record to your DNS server
- turn off DNS assistance or switch to another DNS server without the DNS assistance service
- switch the default DNS server to a DNS server run by another provider
- redirect the authentication query to an address that will return a proper 404 error message
Adding a new CNAME record to your DNS server
If you run your own DNS server, you can add the following CNAME record to your DNS:
Type: CNAME
Alias/host name: MSOID
Address: clientconfig.microsoftonline-p.net
This way, the authentication query will be directed to the appropriate Microsoft server.
Turning off DNS assistance or switching to another DNS server without the DNS assistance service
Although not always possible, disabling DNS assistance or selecting another DNS server of your ISP that has no such service will prevent SharePoint from getting the search results file when the ISP’s DNS server fails to resolve the query for msoid.[organization_name].onmicrosoft.com.
Switching the default DNS server to a DNS server run by another provider
You can, for example, switch to Google Public DNS, OpenDNS or any other trusted third-party DNS server. To do so:
- Go to Control Panel > Network and Sharing Center > Change adapter settings.
- Right-click your ethernet or wireless connection and select Properties.
- Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
- Select the Use the following DNS server addresses option and provide the appropriate IP addresses (Fig. 1.), for example:
- Google DNS: primary 8.8.8.8, secondary 8.8.4.4
- OpenDNS: primary 208.67.222.222, secondary 208.67.220.220
Fig. 1. Changing the default DNS server settings.
- Click OK to save your configuration.
- Restart your machine.
The aim of this solution is to receive the 404 error and cause SharePoint Online to transfer the authentication process to the general authentication server.
Redirecting the authentication query to an address that will return a proper 404 error message
You can modify the hosts file (located at %windir%\System32\drivers\etc\hosts) to redirect all authentication queries to your local IIS server by adding the following entries to the file:
127.0.0.1 msoid.[organization_name].onmicrosoft.com
127.0.0.1 msoid.onmicrosoft.com
Alternatively, if you don’t use IIS (Internet Information Services), you can redirect such queries to Google servers (note that this address belongs to a third party and may change, so check that it still returns a 404 error):
216.58.209.67 msoid.[organization_name].onmicrosoft.com
216.58.209.67 msoid.onmicrosoft.com
Make sure to substitute [organization_name] with the first part of your initial Office 365 domain name.
The aim of this solution is to receive the 404 error and cause SharePoint Online to transfer the authentication process to the general authentication server.
Related products: CodeTwo Backup for Office 365
Categories: Troubleshooting
Last modified: October 25, 2018
Created: May 10, 2018
ID: 720