How to configure Kerberos Pass-Through Authentication on Mac OS X and the Citrix ICA Client 10

Issue

There are a number of components to configure to get Kerberos Pass-Through Authentication working for the Citrix Presentation Server Client for Macintosh 10 on OS X, including:

- Binding Mac OS X to Active Directory
- Checking Kerberos Functionality
- Enable Kerberos Delegation on the Presentation Server computer account
- Create a Citrix connection in the Citrix ICA Client Editor

Some troubleshooting may also be required:

- Citrix Servers may require Microsoft Hotfix 940925 for the "LSA generated an exception" error
- Enable Kerberos Logging in the System Event Log
- Service Logons Fail Due to Incorrectly Set SPNs

Resolution

Binding Mac OS X to Active Directory

- Double-check that the Mac OS X client uses your AD domain controller for DNS.
- Open /Applications/Utilities and launch Directory Access.
- Check the Active Directory plugin checkbox.
- Click on the Configure... button.
- Provide the directory domain and a computer ID.
- Click on the Bind button and provide your AD credentials.
- Log out and log in again as an Active Directory user.

Checking Kerberos Functionality

- Log in as an Active Directory user.
- Access Active Directory resources such as SMB shares or an ISA Server.
- In the Finder, navigate to /System/Library/CoreServices and launch the Kerberos application.

You should see that the user obtained a ticket granting ticket from the KDC in the realm you created.
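The same check can be scripted from Terminal. The following is an added example, not part of the original article: it assumes the MIT Kerberos klist command that ships with Mac OS X (the klist output format shown is a constructed sample, with a made-up user jdoe and realm CORP.EXAMPLE.COM) and looks for a krbtgt/REALM@REALM entry, which is the ticket-granting ticket the Kerberos application displays.

```shell
#!/bin/sh
# Added example (not from the original article): verify from Terminal that the
# logged-in AD user holds a ticket-granting ticket (TGT) for the expected realm.
# Assumes MIT Kerberos "klist" output as on Mac OS X; the sample below is
# constructed for offline testing and matches that layout.

# Constructed sample of what "klist" prints after a successful AD logon.
SAMPLE_KLIST='Kerberos 5 ticket cache: API:Initial default ccache
Default principal: jdoe@CORP.EXAMPLE.COM

Valid Starting     Expires            Service Principal
03/18/08 09:02:11  03/18/08 19:02:11  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
03/18/08 09:03:40  03/18/08 19:02:11  cifs/fileserver.corp.example.com@CORP.EXAMPLE.COM'

# has_tgt_for_realm KLIST_OUTPUT REALM
# Returns 0 if a krbtgt/REALM@REALM ticket is listed, 1 otherwise.
# -F: treat the pattern as a fixed string so the dots in the realm are literal.
has_tgt_for_realm() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# default_principal KLIST_OUTPUT
# Prints the principal (user@REALM) the credential cache belongs to.
default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# check_tgt REALM
# Live check: runs klist on this Mac and reports whether a TGT for REALM exists.
# A missing cache usually means the AD logon did not obtain Kerberos credentials
# (DNS not pointing at the domain controller, or the binding failed).
check_tgt() {
    out=$(klist 2>/dev/null) || {
        echo "no Kerberos credential cache: log in as an AD user or run kinit"
        return 1
    }
    if has_tgt_for_realm "$out" "$1"; then
        echo "TGT present for $(default_principal "$out")"
    else
        echo "credential cache found but no TGT for realm $1"
        return 1
    fi
}

# Usage: check_tgt CORP.EXAMPLE.COM
```

If the realm name in the krbtgt line differs from your AD domain (typically the domain name in upper case), the Mac was bound to a different domain than expected and the ICA client's Kerberos pass-through will not match the Presentation Server's realm.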

Enable Kerberos Delegation on the Presentation Server computer account in Active Directory Users and Computers

- Right click the Presentation Server computer account and select Properties from the context menu
- Select the Delegation tab
- Select the Trust this computer for delegation to any service (Kerberos only) radio button and click OK

Assuming the Citrix Presentation Server Client for Macintosh is installed:
http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=3250&pID=186

Create a Citrix connection in the Citrix ICA Client Editor

- Open /Applications/Citrix ICA Client/Citrix ICA Client Editor
- Select Published Application
- Click Browse to select the required Published Application
- Select the Kerberos Passthrough Authentication option to connect automatically with the credentials configured in the Macintosh Kerberos application.
- Click Save
- Click Connect to start the ICA session

Citrix Servers may require Microsoft Hotfix 940925 for the following errors:

- Event ID 5000: The security package LSA generated an exception
- Event ID 26: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819
- Event ID 1076: System Failure: Stop error Reason Code: 0x805000f

If Kerberos authentication succeeds against the Presentation Server but fails against other servers:

- Enable Kerberos Logging in the System Event Log (MSKB: 262177)
- List the SPNs of the hosts that cannot be accessed using the command SETSPN -L <servername>

References

Leveraging Active Directory on Mac OS X
http://theether.net/download/Apple/Mac/Leveraging_AD_on_MOSXS_1.1.pdf
VI. Active Directory integration

Citrix Presentation Server Client for Macintosh Administrator’s Guide
http://theether.net/download/Citrix/macclient_osx.pdf

A Windows Server 2003-based domain controller restarts unexpectedly after you install hotfix 918442 or Windows Server 2003 Service Pack 2
http://support.microsoft.com/kb/940925

How to enable Kerberos event logging
http://support.microsoft.com/kb/262177

Service Logons Fail Due to Incorrectly Set SPNs
http://technet2.microsoft.com/windowsserver/en/library/579246c8-2e32-4282-bce7-3209d1ea8bf11033.mspx?mfr=true

Troubleshooting Kerberos Errors
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Service Principal Names and Delegation in Presentation Server
http://support.citrix.com/article/CTX110784

How to consolidate print servers by using DNS alias (CNAME) records in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/870911

Register the Kerberos service principal names (SPNs)
You must register the Kerberos service principal names (SPNs), the host name, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the following error code:

KDC_ERR_S_SPRINCIPAL_UNKNOWN

To view the Kerberos SPNs for the new DNS alias records, use the Setspn command-line tool (Setspn.exe). To do this, type the following command at the command prompt:

setspn -L computername

To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:

setspn -A host/your_ALIAS_name computername
setspn -A host/your_ALIAS_name.company.com computername

Note: The Setspn tool is included in Windows Server 2003 Support Tools. You can install Windows Server 2003 Support Tools from the Support\Tools folder of the Windows Server 2003 startup disk.
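The following is an added example, not from the article or the Microsoft KB: a small POSIX shell helper that takes pasted "setspn -L computername" output and reports which of the SPNs the KB says an alias needs (host/ALIAS and host/ALIAS.DOMAIN) are not registered, then prints the corresponding setspn -A commands in the KB's syntax. The setspn output, computer name CTXPS01, alias "citrix" and domain corp.example.com are constructed placeholders. It only compares strings; the registration itself still has to be run with the Support Tools on the Windows side.

```shell
#!/bin/sh
# Added example (not from the article or KB 870911): compare the SPNs listed by
# "setspn -L computername" against the SPNs a DNS alias (CNAME) needs, and
# print the setspn -A commands for whatever is missing.
# All names below are constructed placeholders.

# Constructed "setspn -L CTXPS01" output: only the computer's real name is
# registered, not the alias "citrix" that clients connect to.
SAMPLE_SETSPN='Registered ServicePrincipalNames for CN=CTXPS01,CN=Computers,DC=corp,DC=example,DC=com:
    HOST/ctxps01.corp.example.com
    HOST/CTXPS01'

# required_spns ALIAS DOMAIN
# Prints the two SPNs the KB requires for an alias: host/ALIAS and host/ALIAS.DOMAIN.
required_spns() {
    printf 'host/%s\nhost/%s.%s\n' "$1" "$1" "$2"
}

# missing_spns SETSPN_OUTPUT ALIAS DOMAIN
# Prints each required SPN that does not appear in the setspn output.
# The comparison is case-insensitive because SPN matching in AD is, and
# leading whitespace from setspn's indented listing is stripped first.
# Returns 1 if anything is missing, 0 if the alias is fully registered.
missing_spns() {
    out=$1; alias=$2; domain=$3; rc=0
    registered=$(printf '%s\n' "$out" | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//')
    for spn in $(required_spns "$alias" "$domain"); do
        spn_lc=$(printf '%s' "$spn" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$registered" | grep -qxF "$spn_lc"; then
            echo "$spn"
            rc=1
        fi
    done
    return $rc
}

# fix_commands SETSPN_OUTPUT ALIAS DOMAIN COMPUTERNAME
# Prints one "setspn -A <spn> <computername>" line per missing SPN, in the
# syntax the KB gives; nothing is executed here.
fix_commands() {
    missing_spns "$1" "$2" "$3" | while read -r spn; do
        printf 'setspn -A %s %s\n' "$spn" "$4"
    done
}

# Usage: fix_commands "$(cat setspn-output.txt)" citrix corp.example.com CTXPS01
```

For the sample above, the alias "citrix" is reported as missing both host/citrix and host/citrix.corp.example.com, which is exactly the KDC_ERR_S_PRINCIPAL_UNKNOWN situation the KB describes when a client requests a ticket for the alias; the real name ctxps01 passes. Running the printed setspn -A lines on the domain controller registers the alias against the computer account.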

Products

Citrix Presentation Server Client for Macintosh 10.00.600
Citrix Presentation Server 4.5
Apple OS X Workstation 10.4.10

Created: 18th March 2008
Updated: 25th March 2008

© 2005-2024 Jamie Morrison