[FAQ]: How to get Kerberos cross-domain SSO to work with a NetScaler deployment?



Article ID: CTX209151


Description

Question: 
How do I get Kerberos cross-domain SSO to work with a NetScaler deployment?

Answer:
Configure the -EnterpriseRealm option in the KCDAccount to match the domain in which the backend application is hosted. If this option is configured, NetScaler appends the EnterpriseRealm string to the ClientPrincipalName when attempting KCD SSO.
 
For example, suppose the domain ‘example.com’ has child domains such as ‘test1.example.com’ and ‘test2.example.com’. All these domains should have full bidirectional trust. If a backend service hosted in the ‘test2.example.com’ domain is accessed by users from both domains, set ‘-EnterpriseRealm’ on the KCD account to ‘test2.example.com’ so that cross-domain service tickets can be obtained.
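
The setting from the example above, applied on the NetScaler CLI. This is an added illustration, not part of the original article. It assumes a KCD account already exists, and the account name kcd_test2 is a hypothetical placeholder.

```text
# kcd_test2 is a hypothetical name for an existing KCD account (assumption)
# Point the enterprise realm at the domain that hosts the backend service
set aaa kcdAccount kcd_test2 -enterpriseRealm test2.example.com

# Confirm the value is present on the account before testing SSO
show aaa kcdAccount kcd_test2
```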