I've created a new site using the Citrix management console and specified the '3rd party via Kerberos' option for where logon occurs.
I'm successfully authenticating to my domain having setup a AD/NT authentication server (I do get a pre-authentication failed event for user 'vc0000????????$' associated with this - not sure if this is relevant).
The connection to the citrix web interface is always rejected however - message is 'a logon attempt has been made by an unauthenticated user ...'.
I've attempted using the 'autopolicy: single sign-on' option on the Web Resource profile. Using the default settings other than to set my domain name and unticking the 'send the following data ...' option (as this has caused issues elsewhere and i don't require the client check anyway).
Have I missed something? Are the default SSO settings correct for WI 5.1?
This may be a long shot, but a long time ago I had a similar issue and the issue was with the format of the SSO credentials. I think by default the user crendential is defined as <USER>, changing it to <USERNAME> worked in my instance.