Search code examples
office-jsoffice-addinsoutlook-web-addinsappsource

Microsoft O365 Add-In "Installation failed"

I have a valid and verified Add-In/manifest which passes npm run validate. I as well as hundreds of users are able to download my manifest through a link. However some users have been facing this error:

This app can't be installed. The manifest XML file isn't valid. For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the setting into XmlReaderCreate method.

enter image description here

In what situations can an error like this appear for some users?

Solution

  • I have actually bumped into this issue a year ago. Like @OutlookAdd-insTeam-MSFT suggested, I also believe this is related to networking, specifically to DNS.

    Here's what I was able to find out, but unfortunately my client never came back and confirmed if it was useful.

    (Please note that parts of the text is quoted from the sites listed at the bottom.)

    Error message

    Application cannot be installed. Manifest XML is not valid. For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

    Why this happens?

    When the manifest.xml is read by O365, it is being resolved via msoid.[organization_name].onmicrosoft.com and msoid.onmicrosoft.com. If this fails (due to a typo in etc.), a HTTP 404 error is invoked. At this point your ISP's DNS server should take over and offer to resolve the address according to it's CNAME record table. However, some organizations might have an additional DNS assistance in place. Once a 404 error is detected by msoid resolver service, the ISP's DNS will try to take over the DNS resolving (DNS assistance). When that fails (due to a missing CNAME record or a typo), it returns an HTML-formatted query result back to O365. It is basically HTTP 200 response which is interpreted by O365 as a successful authentication. After this O365 starts to process the HTML-formatted response as if it was the original manifest.xml. And as the HTML contains a DTD declaration in an incorrect way, you receive the error "For security reasons DTD is prohibited in this XML document".

    Possible solutions:

    a) Make sure DNS settings on the client's computer are set correctly.

    b) Temporarily switch to another DNS server (e.g. Google DNS)

    d) Turn off DNS assistance service (if applicable)

    Please see the articles below for more information:

    https://www.codetwo.com/kb/dtd-prohibited/

    https://www.veeam.com/kb2821

    http://sharepointers.blogspot.com/2017/03/connect-pnponline-for-security-reasons.html

    https://learn.microsoft.com/fi-fi/office365/admin/services-in-china/purpose-of-cname?redirectSourcePath=%252fen-us%252farticle%252fWhat-s-the-purpose-of-the-Office-365-CNAME-record-for-msoid-19b67e2b-1b28-4432-8cca-394803fbdc87&view=o365-21vianet

    https://blogs.msdn.microsoft.com/joerg_sinemus/2017/07/10/sharepoint-online-vanity-domain-powershell-csom-and-the-msoid-cname-record/