Kerberos is complicated, but you should not over-complicate it. Kerberos Deligation in most use-cases is not needed. Instead you can configure Kerberos Impersonation in just 2 steps..
When you configure a AAA Vserver, by default the netscaler will try to do NTLM (worst case basic) authentication for the end user towards the backend server. If Kerberos authentication is needed towards the backend servers, just create a “dummy” KCD account, with the upn-realm for the user.
add aaa kcdAccount kcdaccount1 –realmStr EXAMPLE.COM
bind this account to the AAA-SessionAction..
Make sure the NetScaler has an NTP server running, time is critical.
Make sure the NetScaler can resolve the upn-realm using DNS…
Make sure you configure your server objects DNS based (avoid using ip addresses)
it’s easier than you think..