What is the technical definition of a Realm?

I'm setting up basic authentication within IIS7 and have run across the term Realm underneath Domain. Can someone explain to me what is meant by the Realm? I haven't come across it in this context before, thanks.


The Realm name is used to set the name for the HTTP basic authentication realm for that directory and subdirectories. It is presented to the browser by the server on each request, and the browser knows which stored password to send to the server based on the combination of site-name and realm-name. Without this mechanism there would be no way to require different passwords for different "areas" of a web site because there would be no differentiating criteria other than site name.

Hypothetically, if you had different areas of your site to which you wanted to require separate overt HTTP logons (a "/control-panel" virtual directory and a "/logs" virtual directory, for example) you could set each directory to use a different realm name.

The user could log on to access a "/control-panel/..." URL and would then be able to access all URLs in directories with the same realm name specified as the "/control-panel" directory. When the user attempted to access a "/logs/..." URL they would be prompted by their browser for another authentication because the realm name and site name don't correspond to a saved password (since "/logs" has a different realm name than "/control-panel").

Because IIS always back-ends basic authentication into a Windows domain this feature is mostly useless on IIS, admittedly. As an example of a useful application, suppose that the NTFS permissions on "/logs" allow unprivileged user access (with authentication) but "/control-panel" only allows administrator-level access. By setting the realm names differently for these directories you can allow a single browser session user to authenticate "twice" to the same server, supplying a different credential to IIS depending on what realm the access attempt is being made to.

On other web servers you are able to specify a completely different authentication source for different realms (.htpassword for one, LDAP for another) such that access to one resource might authenticate to one back-end versus another.
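The exchange the answer describes, as an added simulation that is not part of the original post: the server answers a request under a protected directory with `401` and a `WWW-Authenticate: Basic realm="..."` challenge, and the client keeps saved credentials keyed by (site, realm), so a second realm on the same site produces a second prompt. The directory names and realm names are constructed, and the server accepts any well-formed Basic credential in place of the IIS/Windows check.

```python
import base64
import re

# Constructed per-directory realm table standing in for the IIS "Realm"
# setting on each virtual directory (hypothetical names).
REALMS = {"/control-panel": "Control Panel", "/logs": "Logs"}

def realm_for(path):
    """Realm advertised for a path, or None if the path needs no authentication."""
    for prefix, realm in REALMS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return realm
    return None

def server(path, authorization=None):
    """Server side: answer 401 with WWW-Authenticate naming the realm until a
    Basic credential arrives. Any syntactically valid credential with a
    non-empty user is accepted here; the real IIS check against the Windows
    domain is out of scope for this simulation."""
    realm = realm_for(path)
    if realm is None:
        return 200, {}
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    if authorization is None or not authorization.startswith("Basic "):
        return 401, challenge
    user, _, _ = base64.b64decode(authorization[6:]).decode().partition(":")
    return (200, {}) if user else (401, challenge)

def parse_realm(challenge):
    """Pull the realm parameter out of a WWW-Authenticate header value."""
    match = re.search(r'realm="([^"]*)"', challenge)
    return match.group(1) if match else ""

class Browser:
    """Client side: saved credentials keyed by (host, realm), so a realm not
    seen before triggers a new prompt even on the same host."""
    def __init__(self):
        self.saved = {}
        self.prompts = []  # realms the user was asked for, in order

    def fetch(self, host, path, prompt):
        status, headers = server(path)
        if status != 401:
            return status
        key = (host, parse_realm(headers["WWW-Authenticate"]))
        if key not in self.saved:
            self.prompts.append(key[1])
            self.saved[key] = prompt(key[1])  # prompt(realm) -> (user, password)
        user, password = self.saved[key]
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return server(path, "Basic " + token)[0]
```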