CA PAM 4.1.5 introduced the option to enable Kerberos on Active Directory target connectors.
This made it possible to rotate the passwords of Active Directory users that are members of the Protected Users group. Members of Protected Users cannot authenticate with NTLM and must use Kerberos for logon and password management, so Kerberos support on the connector is a prerequisite for password rotation of these accounts to work.
Separately, the RDP Proxy service can also be configured to use Kerberos when logging in to a remote Windows machine from CA PAM.
Combining a Kerberos-enabled Windows AD target connector with the Kerberos login configuration of the RDP Proxy therefore makes it possible to log in to remote Windows machines as Protected Users.
The problem arises when several domains containing Protected Users are managed in CA PAM. A Kerberos-enabled AD target connector can be defined for each domain and used to rotate the passwords of the Protected Users in that domain, but the issue appears when those same users need to auto-login to a remote Windows machine through CA PAM.
The RDP Proxy allows only a single Kerberos realm to be defined. With multiple domains, is there any way to define several Kerberos realms, so that auto-login to the different domains works for Protected Users whose passwords are already being managed successfully through the respective Kerberos-enabled AD connectors?
CA PAM, all releases below 4.3.2
No, this is a known limitation: only one realm can be defined per RDP Proxy. If you have Protected Users in multiple domains and the respective Kerberos-enabled AD connectors rotate their passwords, only the users of the single domain/realm configured in the RDP Proxy Kerberos settings will be able to log in to remote Windows machines through the RDP Proxy service; users from the other domains cannot, because the proxy cannot obtain Kerberos tickets for a realm it does not know about. Protected Users are also not currently supported for Applet login.