Support for DNS TCP through NetScaler Gateway CVPN/Secure Browse

Article ID: CTX204159

Description

Kerberos SSO through NetScaler fails because DNS resolution does not take place. Whenever the DNS response is larger than 512 bytes, the query is not resent over TCP even though the truncated flag is set in the response.
A lookup run with the dig command or the host command from the shell works.
 

Resolution

Citrix is working on this issue. Please contact Citrix for further information.

Problem Cause

“DNS-TCP” is not supported in a DNS Forward Proxy deployment or for any DNS queries triggered through the VPN module. UDP-to-TCP switching happens only for queries generated by NetScaler itself, mainly for resolving domain-based services (KDC resolution is one such example). The cause is not that the request is forwarded; it is that once the DNS API returns the truncated flag, the CVPN module does not know how to process the request in TCP format.
Queries made through the VPN module for name resolution are always UDP, and a DNS response with the truncated flag set is ignored in the DNS module itself for the VPN context.
 
Hence an enhancement request needs to be raised for this.
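
The following is an added example, not Citrix code: it shows the standard resolver handling of the truncated (TC) flag that the article says is skipped for VPN-context lookups, where a truncated UDP response triggers the same query over TCP with a 2-byte length prefix. The domain `example.test`, the KDC host name and both sample responses are constructed for illustration.

```python
import struct

QR_BIT = 0x8000  # message is a response
TC_BIT = 0x0200  # TC: response was truncated to fit the UDP payload

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(qname, qtype, txid):
    """Minimal query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_BIT),
            "tc": bool(flags & TC_BIT), "ancount": an}

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def next_step(query, udp_response):
    """Return (action, payload) for a UDP response to `query`."""
    q, r = parse_header(query), parse_header(udp_response)
    if not r["qr"] or r["id"] != q["id"]:
        return ("discard", None)                # not an answer to this query
    if r["tc"]:
        return ("retry_tcp", tcp_frame(query))  # resend the same query over TCP
    return ("accept", udp_response)

# Constructed sample data: SRV (type 33) lookup for a hypothetical KDC.
QUERY = build_query("_kerberos._tcp.example.test", 33, 0x1234)
# Truncated reply: QR|TC|RD = 0x8300, question echoed, no answers.
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8300, 1, 0, 0, 0) + QUERY[12:]
# Complete reply: one SRV answer pointing at kdc1.example.test port 88.
_rdata = struct.pack("!HHH", 0, 100, 88) + encode_name("kdc1.example.test")
COMPLETE = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 300, len(_rdata)) + _rdata)

if __name__ == "__main__":
    for label, resp in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        print(label, next_step(QUERY, resp)[0])
```

A client that stops at the truncated UDP response, as described for the VPN context, never reaches the `retry_tcp` branch and is left with an empty answer section.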