Complete the following steps to authenticate multiple domains using NetScaler with ICA proxy and single sign-on:

1. Set up LDAP authentication to each domain that needs to be authenticated.

2. On each LDAP server configuration, set the SSO Name Attribute field to UserPrincipalName.

3. Ensure that the Single Sign-on Domain field in the Published Applications tab within the Session Profile is blank.
   This will cause the NetScaler to pass the credentials of the domain that was used to authenticate the user.

Citrix Documentation - Configuring Single Sign-On to Web Applications Using LDAP