This post describes a couple of ways to fix the issue “For security reasons DTD is prohibited in this XML document”. At least for me, it appeared when trying to access SharePoint Online using Powershell or a console program using OfficeDev.PnP (which in turn uses CSOM).
When running any piece of code, whether in PowerShell, .exe console or anything else than in the code behind relies on .NET Framework, you get an error like this:
For security reasons DTD is prohibited in this XML document. To enable DTD processing set the ProhibitDtd property on XmlReaderSettings to false and pass the settings into XmlReader.Create method.
It could come from, for example, running Connect-SPOnline on PowerShell. Ours was first caused by custom console app, but then also from running Powershell.
Reason for the problem
There are a number of issues that can cause this, and hence there are a few different solutions. We got the error when we were supposed to run Valo Intranet upgrade run, using a certain xml document, against SharePoint Online, so at first we thought it was somehow related to the XML. However, the error itself just denies the processing of an XML document with DTD, and doesn’t tell what this document actually is. For us, it actually had nothing to do with our implementation!
This happened on multiple different machines, and multiple different network connections, with any XML input, but just against one tenant (others worked) – so we figured it has to be about some configuration on that particular tenant or datacenter. Furthermore, Connect-SPOService (to admin site) worked, but Connect-SPOnline to normal site failed.
The third option worked for us, but I’ve read online and our internal resources that the other solutions have helped other people, so I’m including them here.
- A conflict between cmdlets(?)
- One colleague had fixed this by switching from Windows Powershell to SharePoint Online Management Shell. Didn’t help us.
- DNS issue
- Connecting to Microsoft’s datacenters might be trickier than you’d think. Interwebs is filled with stories about Microsoft just returning unresolvable DNS entries, which messes up the script, or your ISP might be trying to help and just makes the issue worse (by offering a “DNS help”-page which just omits the actual exception)
- This might be fixed with changing to Google’s DNS (188.8.131.52), adding new entries to hosts file, disabling ISP or router features or just simply running the program/script somewhere else – try Azure virtual machine, for example.
- Examples and references:
- https://blogs.technet.microsoft.com/marios_mo_betta_blog/2016/06/05/o365-powershell-error-dtd-is-prohibited-in-this-xml-document/ (that one’s about Verizon)
- Add IPv6 on top of DNS issues
- This was weird, but disabling IPv6 finally solved our issues
Weird issue, but in the end, an easy solution.
Latest posts by Antti K. Koskela (see all)
- Thanks for coming to my session at SPS New England 10/20 ! - October 20, 2018
- Speaking at SPS New England on 10/20! - October 17, 2018
- Ignite 2018 recap: What’s new for Azure Functions? - October 16, 2018
- Problematic behavior of web.AddSupportedUILanguage(int lcid) in SharePoint 2013 and 2016 - October 10, 2018