What is the difference between a domain and a realm

Individually, the terms 'domain' and 'realm' mean nearly the same thing, but for different systems. Realms and realm names come from the Kerberos authentication protocol, where they serve practically the same purpose as domains and domain names. They have no direct relation, strictly speaking, but in practice nearly all Kerberos realms are named after the corresponding DNS domain.

Within Active Directory, AD 'domains' are an integrated system of DNS, LDAP, Kerberos, and various other components. An AD domain uses a DNS domain for server lookups, and the DNS domain name acts as a namespace for user accounts. Generally, an AD domain controller also acts as a DNS server for the corresponding DNS domain.

For example, user accounts have UPNs such as [email protected], which are made from the plain username suffixed with the case-insensitive DNS domain name (or a choice of several custom "UPN suffixes"). Service SPNs are formed in the same way.

But internally these names are converted to the equivalent "Kerberos principal name", which has a similar format and looks like [email protected]. The Kerberos realm name is always case-sensitive and by convention always uppercase. Each Active Directory domain acts as a Kerberos realm, and has exactly one realm name (even if multiple UPN suffixes are configured). Every AD domain controller also acts as a Kerberos KDC for the corresponding Kerberos realm.

(Normally, the only time you'll directly see Kerberos realms is when working with user authentication, e.g. configuring SSO for a Linux server.)

Accounts also have legacy NT-style names, such as EXAMPLE\fred, prefixed with the "NT domain" or "NetBIOS domain" name which is also uppercase but without any dots in it. Don't confuse this with a Kerberos realm name.

So what's the relation between AD domains, DNS domains, and Kerberos realms?

  • Each AD domain automatically has a Kerberos realm, and each AD account has a Kerberos principal. So the Kerberos realm is a subset of the AD domain. (However, Kerberos can also be used standalone without AD.)
  • Each AD domain relies on a DNS domain, but neither is a subset of the other (DNS may of course exist outside AD).
  • Kerberos uses (but does not require) DNS. Kerberos realms are usually named according to DNS domains, but otherwise neither is a subset of the other. Kerberos clients may optionally use DNS SRV records to discover the KDCs (if the realm name is DNS-based).

A Kerberos principal name is structured in the format

service/hostname@REALM.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_trusts

A Kerberos realm is the domain over which a Kerberos authentication server has the authority to authenticate a user, host or service. A realm name is often, but not always the upper case version of the name of the DNS domain over which it presides.21 Oct 2015

Domain to Kerberos Realm Mapping | Citrix Blogs enter image description here https://www.roguelynn.com/words/explain-like-im-5-kerberos/ This is the screen on Windows Server 2003. Explanation is based on the screen as an example. http://en.faq.buffalo-global.com/app/answers/detail/a_id/12992/p/31,33

enter image description here