There are many possible reasons for extended authentication with Active Directory (AD) to fail for a VPN client, but one of the common reasons is the Do not require Kerberos pre-authentication setting under the user profile in AD.
The Do not require Kerberos pre-authentication setting overrides the default setting that the Kerberos Key Distribution Center requires all accounts to use pre-authentication. The default setting makes offline password-guessing attacks very difficult. You can choose to override the default setting for individual accounts when necessary for compatibility with other implementations of the protocol.
Complete these steps in order to resolve this issue:
1. Open Active Directory Users and Computers.
2. In the console tree, click Users, or choose the folder that contains the user account.
3. Right-click the user account, and then choose Properties.
4. On the Account tab, scroll through the Account options and choose the Do not require Kerberos pre-authentication checkbox, and then click OK.
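The same change can be scripted, together with a review of which accounts carry the exception. This is an added example, not part of the original procedure. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the account name is a hypothetical placeholder.

```powershell
# Added example: set the pre-authentication exception on one account,
# then list every account in the domain that has it.
Import-Module ActiveDirectory

# Hypothetical placeholder; replace with the VPN user's sAMAccountName.
$VpnAccount = 'vpn-user-placeholder'

# Read the current state before changing anything.
$user = Get-ADUser -Identity $VpnAccount -Properties DoesNotRequirePreAuth
'{0}: DoesNotRequirePreAuth = {1}' -f $user.SamAccountName, $user.DoesNotRequirePreAuth

# Equivalent of selecting the checkbox on the Account tab, for this account only.
if (-not $user.DoesNotRequirePreAuth) {
    Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $true
}

# Audit: accounts whose userAccountControl has DONT_REQ_PREAUTH set
# (0x400000 = 4194304), matched with the LDAP bitwise-AND rule.
$filter = '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
$exceptions = Get-ADUser -LDAPFilter $filter -Properties PasswordLastSet, MemberOf

# Oldest passwords first: these accounts rely on password strength alone
# against offline guessing, so stale passwords deserve attention.
$exceptions |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } } |
    Format-Table -AutoSize

# Flag any account other than the intended one so the exception stays individual.
$unexpected = $exceptions | Where-Object { $_.SamAccountName -ne $user.SamAccountName }
if ($unexpected) {
    Write-Warning ('{0} other account(s) also skip pre-authentication.' -f @($unexpected).Count)
}
```

Because the default setting is what makes offline password-guessing attacks difficult, give any account listed by the audit a long, random password and keep the list as short as compatibility allows.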