浏览器不断发送 NTLM 令牌而不是 Kerberos - 如何解决?
Browsers keeps sending NTLM token instead of Kerberos - How to solve it?
我似乎无法正确配置系统并让浏览器向网络服务器发送 kerberos 票证。而是发送 NTLM 令牌。
问:我该如何解决?
下面列出了所有详细信息和配置。
基础设施:
我在域内有三台机器COMPANY.local:
PC-I7.COMPANY.local(在 192.168.0.5 上)。它充当 KDC,它是一个 Active-Directory 服务器,其他机器(见下文)在 AD 中注册。还为本地网络配置了 DNS。 Active Directory 中的域是:COMPANY.localSOFTWARE.COMPANY.local(在 192.168.0.10 上)运行配置了 Jetty/SPNego 支持的 jetty 网络应用程序。OTHER.COMPANY.local(在192.168.0.9),只是一个客户端,所以我可以从另一台机器访问软件服务器。
最后两个实际上是VMs 运行在内网的linux服务器上。他们可以使用自己的 IP 访问。他们在 Network Configuration 中的主要 DNS 指向 192.168.0.5.
两者都加入 COMPANY.local 并作为计算机出现在 AD。
我知道客户端和服务器should stay on different machines;将它们放在两个不同的 VM 上应该可以避免这个问题。
所有三台机器都在 DNS 中注册为 A 主机,并在 Reverse lookup zone.
中为每台机器都注册了一个反向指针
SPN
在 Active Directory 中创建用户 software 后,我生成密钥表文件
ktpass -princ HTTP/software.company.local@COMPANY.LOCAL -mapuser software@COMPANY.LOCAL -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass __PassForADUserSoftware__ -out C:/winnt/krb5.keytab
我得到以下似乎包含错误的输出:
Targeting domain controller: PC-I7.COMPANY.local
Failed to set property 'userPrincipalName' to 'HTTP/software.company.local@COMPANY.LOCAL' on Dn 'CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local': 0x13.
WARNING: Failed to set UPN HTTP/software.company.local@COMPANY.LOCAL on CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local.
kinits to 'HTTP/software.company.local@COMPANY.LOCAL' will fail.
Successfully mapped HTTP/software.company.local to software.
Password successfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to C:/winnt/krb5.keytab:
Keytab version: 0x502
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x0bf1688040abadba)
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bf1688040abadba)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0x737d9811dd38e108741461ba79153192)
keysize 88 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0xcc8ab2939f822f9df6904a987954e0cfaa261bc36803af6c5f8d9a98f1d4f2aa)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x11 (AES128-SHA1) keylength 16 (0xd616b814dcd1b955f125ab4de5895d39)
AD 用户选中了两个 This account supports the Kerbers AES-... 复选框。
OTHER.COMPANY.local服务器
我通过 RDP 使用凭据登录到这台机器:
user: Administrator
pass: ARandomPass
当从 OTHER 服务器请求票时
kinit HTTP/software.company.local@COMPANY.LOCAL
我可以看到这个数据包 wireshark
Internet Explorer(因此 Chrome)在 Internet Options 中具有以下设置:
Security > Local Intranet > Sites > *.company.local
Security > Custom level > Automatic logon only in Intranet area
当我在 http://software.company.local:8998/software/login
上访问 Web 应用程序时
我可以看到浏览器发送了一个 NTLM 请求
我可以在服务器端看到
WARN:oejs.SpnegoLoginService:qtp506835709-28:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
at org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:748)
此信息也出现在 java 日志中:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false
ticketCache is null isInitiator false
KeyTab is C:/software/inst/modules/common-config/auth/krb5.keytab refreshKrb5Config is false
principal is HTTP/software.company.local@COMPANY.LOCAL tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
我可以从链接的答案中收集到的信息:
第1点:HTTP服务的SPN与浏览器输入的URL匹配。我在浏览器里输入software.company.local 和SPN一样HTTP/software.company.local@COMPANY.LOCAL
第 2 点:*.company.local 添加到受信任的站点。
第 3 点:我没有将加密限制为 DES-CBC-MD5
第 3 点:我检查了 AES-128 和 AES-256 ... 但没有检查 DES 因为我正在使用的 Windows 服务器版本有复选框说 Use only Kerberos DES encryption types for this account,这不是我想要的。我应该检查一下吗?
SOFTWARE.COMPANY.local服务器
jetty 网络应用程序已注册为 Windows 服务器。
这些是配置文件:
krb5.ini 文件:
[libdefaults]
default_realm = COMPANY.LOCAL
permitted_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_keytab_name = FILE:C:/software/inst/modules/common-config/krb5.keytab
[domain_realm]
COMPANY.local = COMPANY.LOCAL
.company.local = COMPANY.LOCAL
[realms]
COMPANY.LOCAL = {
admin_server = PC-I7.COMPANY.local
kdc = PC-I7.COMPANY.local:88
}
spnego.conf 文件:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal = "HTTP/software.company.local@COMPANY.LOCAL"
keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
useKeyTab = true
storeKey = true
debug = true
isInitiator = false;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal = "HTTP/software.company.local@COMPANY.LOCAL"
useKeyTab = true
keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
storeKey=true
debug=true
isInitiator=false;
};
这是 spnego.properties 文件:
targetName = HTTP/software.company.local
我的 jetty-web.xml 配置文件包含:
<Get name="securityHandler">
<Set name="loginService">
<New class="org.eclipse.jetty.security.SpnegoLoginService">
<Set name="name">Company Realm</Set>
<Set name="config">
<SystemProperty name="jetty.home" default="."/>/modules/common-config/auth/spnego.properties</Set>
</New>
</Set>
<Set name="checkWelcomeFiles">true</Set>
</Get>
这就是我在 Java 中以编程方式注册 spnego 配置的方式:
private SecurityHandler wrapEnableSSOAuthHandlers(final Handler collection) {
// ini file
System.setProperty(
"java.security.krb5.conf",
_config.getString("authentication.win_sso.spnego.krb5") // the krb5.ini file
);
System.setProperty(
"java.security.auth.login.config",
_config.getString("authentication.win_sso.spnego.login") // the spnego.conf file
);
System.setProperty(
"javax.security.auth.useSubjectCredsOnly",
"false"
);
final Constraint spnegoConstraint = new Constraint();
spnegoConstraint.setName(Constraint.__SPNEGO_AUTH);
final String domainRealm = _config.getString("authentication.win_sso.domain.realm"); // resolves to COMPANY.LOCAL
spnegoConstraint.setRoles(new String[]{domainRealm});
spnegoConstraint.setAuthenticate(true);
final ConstraintMapping mapping = new ConstraintMapping();
mapping.setConstraint(spnegoConstraint);
mapping.setPathSpec("/*");
final String spnegoProperties = _config.getString("authentication.win_sso.spnego.properties"); // the spnego.properties file
final SpnegoLoginService loginService = new SpnegoLoginService();
loginService.setConfig(spnegoProperties);
loginService.setName(domainRealm);
final ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
securityHandler.setLoginService(loginService);
securityHandler.setConstraintMappings(new ConstraintMapping[]{mapping});
securityHandler.setRealmName(domainRealm);
securityHandler.setAuthenticator(new SpnegoAuthenticator());
securityHandler.setHandler(collection);
return securityHandler;
}
和
// here I disable the TRACE method for all calls
Handler wrappedSecurityHandler = wrapDisableTraceHandlers(handlers);
wrappedSecurityHandler = wrapEnableSSOAuthHandlers(wrappedSecurityHandler);
_server.setHandler(wrappedSecurityHandler);
编辑 1:附加信息
我已经下载了 Kerberos Authentication Tester Tool,当 运行 从 KDC 服务器 (192.168.0.5) 下载并针对 http://software.company.local:8998 进行测试时,它显示了正确的 Kerberos认证。
当 运行 它来自 192.168.0.10 服务器(浏览器所在的位置)时,它说:
Unexpected authorization header
和身份验证方法:NTLM.
我猜这是一个 DNS 问题,或者它们是两个 VM 在同一台服务器上。
显然,在两个不同的虚拟机(在同一个 物理服务器上!)拥有客户端和服务器可以导致 NTLM 令牌。
我以为 VM 会躲过 client-and-server-on-the-same-machine-issue。
所以,如果你
- 像我一样,正在测试
VM 驻留在同一台物理机器上,并且
- 已将所有设置正确,但仍然得到
Defective token detected、
您应该尝试从另一台计算机访问 server(只要该计算机已加入公司域)。
我似乎无法正确配置系统并让浏览器向网络服务器发送 kerberos 票证。而是发送 NTLM 令牌。
问:我该如何解决?
下面列出了所有详细信息和配置。
基础设施:
我在域内有三台机器COMPANY.local:
PC-I7.COMPANY.local(在192.168.0.5上)。它充当KDC,它是一个Active-Directory服务器,其他机器(见下文)在 AD 中注册。还为本地网络配置了DNS。 Active Directory 中的域是:COMPANY.localSOFTWARE.COMPANY.local(在192.168.0.10上)运行配置了Jetty/SPNego支持的OTHER.COMPANY.local(在192.168.0.9),只是一个客户端,所以我可以从另一台机器访问软件服务器。
最后两个实际上是VMs 运行在内网的linux服务器上。他们可以使用自己的 IP 访问。他们在 Network Configuration 中的主要 DNS 指向 192.168.0.5.
两者都加入 COMPANY.local 并作为计算机出现在 AD。
我知道客户端和服务器should stay on different machines;将它们放在两个不同的 VM 上应该可以避免这个问题。
所有三台机器都在 DNS 中注册为 A 主机,并在 Reverse lookup zone.
SPN
在 Active Directory 中创建用户 software 后,我生成密钥表文件
ktpass -princ HTTP/software.company.local@COMPANY.LOCAL -mapuser software@COMPANY.LOCAL -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass __PassForADUserSoftware__ -out C:/winnt/krb5.keytab
我得到以下似乎包含错误的输出:
Targeting domain controller: PC-I7.COMPANY.local
Failed to set property 'userPrincipalName' to 'HTTP/software.company.local@COMPANY.LOCAL' on Dn 'CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local': 0x13.
WARNING: Failed to set UPN HTTP/software.company.local@COMPANY.LOCAL on CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local.
kinits to 'HTTP/software.company.local@COMPANY.LOCAL' will fail.
Successfully mapped HTTP/software.company.local to software.
Password successfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to C:/winnt/krb5.keytab:
Keytab version: 0x502
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x0bf1688040abadba)
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bf1688040abadba)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0x737d9811dd38e108741461ba79153192)
keysize 88 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0xcc8ab2939f822f9df6904a987954e0cfaa261bc36803af6c5f8d9a98f1d4f2aa)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x11 (AES128-SHA1) keylength 16 (0xd616b814dcd1b955f125ab4de5895d39)
AD 用户选中了两个 This account supports the Kerbers AES-... 复选框。
OTHER.COMPANY.local服务器
我通过 RDP 使用凭据登录到这台机器:
user: Administrator
pass: ARandomPass
当从 OTHER 服务器请求票时
kinit HTTP/software.company.local@COMPANY.LOCAL
我可以看到这个数据包 wireshark
Internet Explorer(因此 Chrome)在 Internet Options 中具有以下设置:
Security > Local Intranet > Sites > *.company.local
Security > Custom level > Automatic logon only in Intranet area
当我在 http://software.company.local:8998/software/login
我可以看到浏览器发送了一个 NTLM 请求
我可以在服务器端看到
WARN:oejs.SpnegoLoginService:qtp506835709-28:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
at org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:748)
此信息也出现在 java 日志中:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false
ticketCache is null isInitiator false
KeyTab is C:/software/inst/modules/common-config/auth/krb5.keytab refreshKrb5Config is false
principal is HTTP/software.company.local@COMPANY.LOCAL tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
我可以从链接的答案中收集到的信息:
第1点:HTTP服务的SPN与浏览器输入的URL匹配。我在浏览器里输入
software.company.local和SPN一样HTTP/software.company.local@COMPANY.LOCAL第 2 点:
*.company.local添加到受信任的站点。第 3 点:我没有将加密限制为
DES-CBC-MD5第 3 点:我检查了
AES-128和AES-256... 但没有检查DES因为我正在使用的 Windows 服务器版本有复选框说Use only Kerberos DES encryption types for this account,这不是我想要的。我应该检查一下吗?
SOFTWARE.COMPANY.local服务器
这些是配置文件:
krb5.ini 文件:
[libdefaults]
default_realm = COMPANY.LOCAL
permitted_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_keytab_name = FILE:C:/software/inst/modules/common-config/krb5.keytab
[domain_realm]
COMPANY.local = COMPANY.LOCAL
.company.local = COMPANY.LOCAL
[realms]
COMPANY.LOCAL = {
admin_server = PC-I7.COMPANY.local
kdc = PC-I7.COMPANY.local:88
}
spnego.conf 文件:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal = "HTTP/software.company.local@COMPANY.LOCAL"
keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
useKeyTab = true
storeKey = true
debug = true
isInitiator = false;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal = "HTTP/software.company.local@COMPANY.LOCAL"
useKeyTab = true
keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
storeKey=true
debug=true
isInitiator=false;
};
这是 spnego.properties 文件:
targetName = HTTP/software.company.local
我的 jetty-web.xml 配置文件包含:
<Get name="securityHandler">
<Set name="loginService">
<New class="org.eclipse.jetty.security.SpnegoLoginService">
<Set name="name">Company Realm</Set>
<Set name="config">
<SystemProperty name="jetty.home" default="."/>/modules/common-config/auth/spnego.properties</Set>
</New>
</Set>
<Set name="checkWelcomeFiles">true</Set>
</Get>
这就是我在 Java 中以编程方式注册 spnego 配置的方式:
private SecurityHandler wrapEnableSSOAuthHandlers(final Handler collection) {
// ini file
System.setProperty(
"java.security.krb5.conf",
_config.getString("authentication.win_sso.spnego.krb5") // the krb5.ini file
);
System.setProperty(
"java.security.auth.login.config",
_config.getString("authentication.win_sso.spnego.login") // the spnego.conf file
);
System.setProperty(
"javax.security.auth.useSubjectCredsOnly",
"false"
);
final Constraint spnegoConstraint = new Constraint();
spnegoConstraint.setName(Constraint.__SPNEGO_AUTH);
final String domainRealm = _config.getString("authentication.win_sso.domain.realm"); // resolves to COMPANY.LOCAL
spnegoConstraint.setRoles(new String[]{domainRealm});
spnegoConstraint.setAuthenticate(true);
final ConstraintMapping mapping = new ConstraintMapping();
mapping.setConstraint(spnegoConstraint);
mapping.setPathSpec("/*");
final String spnegoProperties = _config.getString("authentication.win_sso.spnego.properties"); // the spnego.properties file
final SpnegoLoginService loginService = new SpnegoLoginService();
loginService.setConfig(spnegoProperties);
loginService.setName(domainRealm);
final ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
securityHandler.setLoginService(loginService);
securityHandler.setConstraintMappings(new ConstraintMapping[]{mapping});
securityHandler.setRealmName(domainRealm);
securityHandler.setAuthenticator(new SpnegoAuthenticator());
securityHandler.setHandler(collection);
return securityHandler;
}
和
// here I disable the TRACE method for all calls
Handler wrappedSecurityHandler = wrapDisableTraceHandlers(handlers);
wrappedSecurityHandler = wrapEnableSSOAuthHandlers(wrappedSecurityHandler);
_server.setHandler(wrappedSecurityHandler);
编辑 1:附加信息
我已经下载了 Kerberos Authentication Tester Tool,当 运行 从 KDC 服务器 (192.168.0.5) 下载并针对 http://software.company.local:8998 进行测试时,它显示了正确的 Kerberos认证。
当 运行 它来自 192.168.0.10 服务器(浏览器所在的位置)时,它说:
Unexpected authorization header
和身份验证方法:NTLM.
我猜这是一个 DNS 问题,或者它们是两个 VM 在同一台服务器上。
显然,在两个不同的虚拟机(在同一个 物理服务器上!)拥有客户端和服务器可以导致 NTLM 令牌。
我以为 VM 会躲过 client-and-server-on-the-same-machine-issue。
所以,如果你
- 像我一样,正在测试
VM驻留在同一台物理机器上,并且 - 已将所有设置正确,但仍然得到
Defective token detected、
您应该尝试从另一台计算机访问 server(只要该计算机已加入公司域)。