Because of the way our dual-factor authentication system works, the NAP/RRAS server resides in its own domain (we'll call it VPN_DOMAIN). However, clients that connect in are on a different domain (CLIENT_DOMAIN). When a laptop, for example, connects to the VPN and then, say, browses to a network share on a server in CLIENT_DOMAIN, the client automatically passes the VPN_DOMAIN credentials to the network share instead of the credentials they used to log onto their laptop on CLIENT_DOMAIN (cached from the last time they authenticated). So the clients receive an Access Denied message because it used the wrong credentials to authenticate with the server.
Is there a way I can tell Windows to not use VPN_DOMAIN credentials for access to network resources and instead always use the credentials they used to log into their machine (i.e. CLIENT_DOMAIN)?