If users get an authentication prompt when accessing domain resources through Always On VPN, make sure that the domain controllers have the appropriate digital certificates. The certificate must have KDC Authentication, Smart Card Logon, Server Authentication and Client Authentication in the Enhanced Key Usage (EKU) field. The pre-existing Kerberos Authentication template can be duplicated and used as a baseline template for the certificates.
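One way to check this on a domain controller, as an added example that is not part of the original page: the PowerShell below inspects every certificate in the computer's Personal store and reports which of the four EKUs are missing. The function name `Test-DcCertificateEku` is hypothetical; the OIDs are the standard identifiers for the four usages named above.

```powershell
# Added example: the four EKUs the page requires, keyed by their standard OIDs.
$RequiredEku = [ordered]@{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}

function Test-DcCertificateEku {
    # Hypothetical helper name; accepts X509Certificate2 objects from the pipeline.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # EKU OIDs present on this certificate. A certificate with no EKU
        # extension yields an empty list and is reported as missing all four.
        $present = @(
            $Certificate.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        $missing = @($RequiredEku.Keys |
                     Where-Object { $_ -notin $present } |
                     ForEach-Object { $RequiredEku[$_] })
        $now = Get-Date
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            # An expired or not-yet-valid certificate fails even with the right EKUs.
            InValidity = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
            PrivateKey = $Certificate.HasPrivateKey
            MissingEku = $missing -join ', '
            HasAllEku  = ($missing.Count -eq 0)
        }
    }
}

# Run locally on each domain controller.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-DcCertificateEku |
    Sort-Object HasAllEku -Descending |
    Format-Table -AutoSize
```

A domain controller is correctly provisioned when at least one row shows `HasAllEku`, `InValidity` and `PrivateKey` all as `True`.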