This post was most recently updated on January 5th, 2019.Reading Time: 3 minutes.
This post describes a couple of ways to fix the issue “For security reasons DTD is prohibited in this XML document”. At least for me, it appeared when trying to access SharePoint Online using Powershell or a console program using OfficeDev.PnP (which in turn uses CSOM).
When running any piece of code, whether in PowerShell, .exe console or anything else than in the code behind relies on .NET Framework, you get an error like this:
For security reasons DTD is prohibited in this XML document. To enable DTD processing set the ProhibitDtd property on XmlReaderSettings to false and pass the settings into XmlReader.Create method.
It could come from, for example, running Connect-SPOnline on PowerShell. Ours was first caused by custom console app, but then also from running Powershell.
Reason for the problem
There are a number of issues that can cause this, and hence there are a few different solutions.
We got the error when we were supposed to provision certain artefacts on SharePoint online using PowerShell, based on an xml document describing the steps – think PnP provisioning templates. This led us to think it was somehow related to the XML file in question. This seemed logical.
However, the error itself just denies the processing of an XML document with DTD, and doesn’t tell what this document actually is. Besides, why would a document with a DTD (Document Type Definition, typically used to describe the schema and structure of the document) suddenly became invalid, while it worked just the day before?
Well, of course, because it actually had nothing to do with our implementation!
This happened on multiple different machines, and multiple different network connections, with any XML input, but just against one tenant (others worked) – so we figured it has to be about some configuration on that particular tenant or datacenter. Furthermore, Connect-SPOService (to admin site) worked, but Connect-SPOnline to normal site failed.
That’s curious, right?
As per usual with issues in SharePoint Online, there’s multiple different solutions.
The third option worked for us, but I’ve read online and our internal resources that the other solutions have helped other people (even though they didn’t help us), so I’m including them here.
- A conflict between cmdlets(?)
- One colleague had fixed this by switching from Windows Powershell to SharePoint Online Management Shell. Didn’t help us.
- Is it a DNS issue? It’s always a DNS issue, isn’t it!
- Connecting to Microsoft’s datacenters might be trickier than you’d think. Interwebs is filled with stories about Microsoft just returning unresolvable DNS entries, which messes up the script, or your ISP might be trying to help and just makes the issue worse (by offering a “DNS help”-page which just omits the actual exception)
- This might be fixed with changing to Google’s DNS (188.8.131.52), adding new entries to hosts file, disabling ISP or router features or just simply running the program/script somewhere else – try Azure virtual machine, for example.
- It’s not DNS messing up? Then maybe it’s IPv6!
- This was weird, but disabling IPv6 finally solved our issues
Weird issue, but in the end, an easy solution.
Links and references
- More information about the DNS issues:
- https://blogs.technet.microsoft.com/marios_mo_betta_blog/2016/06/05/o365-powershell-error-dtd-is-prohibited-in-this-xml-document/ (that one’s about Verizon)
- More info about the IPv6 issues:
Normally, I’d make those entries into links, but apparently Gutenberg (WordPress’ new editor) crashes if I do that, so I’m just not gonna. Sorry!
- How to fix “System.IO.FileSystem: Could not find a part of the path \AppData\Local\AzureFunctionsTools\Releases\3.17.0\workers. Value cannot be null. (Parameter ‘provider’)” when running Azure Functions locally? - January 12, 2021
- How to nuke the Identity Cache in Visual Studio? - January 11, 2021
- Fixing unexpected Microsoft.AspNetCore package errors after a dependency update - January 6, 2021