Users are intermittently prompted for credentials when they connect to Internet via ProxySG or ASG

Article ID: 176242

Products

ProxySG Software - SGOS

Issue/Introduction

Users are intermittently prompted for credentials when they connect to the Internet via ProxySG or ASG. One cause is a Netlogon bottleneck (also called an authentication bottleneck) on the Domain Controllers.
For more information about the issue, please refer to Microsoft Support.

NOTE: The Netlogon service on a Domain Controller is responsible for creating the secure channel (Schannel) between the Domain Controller and its clients (the ProxySG or ASG in this case).
The secure channel carries the pass-through authentication packets. A Domain Controller only services a limited number of concurrent authentication calls over it (controlled by its MaxConcurrentApi setting); calls beyond that limit wait for a free slot, and while the proxy is waiting the user sees a credential prompt.

When the issue is happening, check the following data to confirm it is caused by the Netlogon bottleneck:

1.  The Event Log contains many "Authentication failed" entries with code 40404 (0x00009DD4):

"Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'USER-NAME' (domain DOMAIN-NAME) - user considered 'unknown'"

During a bottleneck these failures arrive in bursts and affect many different, valid users; the same code for a single user repeating over time is more likely a genuinely unknown account.

2.  Enable LSA debugging

Go to https://<proxysg>:8082/LSA/Debugmask > enable all debug masks apart from MODULE_SGOS_FDIO and MODULE_LWIO > click Set Mask to apply the change > click View Debug Log.
Wait for the issue to occur again > click the Update button > look for the thread message:

"No Schannel slots available. Waiting for next available slot."

Disable the debug masks again once the data has been collected; they add overhead on a busy proxy.

3.  Check the value of "Available (unused) connections"

Go to https://<proxysg>:8082/LSA/Stats.
The "Connections in use" value corresponds to the number of Schannel connections configured on the ProxySG (Maximum number of concurrent Schannel connections under the Windows Domain settings).
When the bottleneck is being hit you will find that "Available (unused) connections" is 0, i.e. every configured Schannel is busy and new authentication requests have to queue.
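The triage below is an added example, not part of the Broadcom article, and uses PowerShell because the data is normally reviewed by the same Windows/AD team that owns the Domain Controllers. It takes constructed ProxySG event-log lines and constructed LSA debug lines (only the quoted message text comes from the article; the timestamp prefix and thread prefix are assumed, and the real format may differ), buckets the 40404 failures by minute, and separates a bottleneck-like burst (many distinct users failing together) from an isolated, account-specific failure. The threshold of three distinct users per minute is a heuristic chosen for this example.

```powershell
# Added example, not from the Broadcom article.
# Sample event-log lines are constructed; only the quoted message text is the article's.
$eventLog = @'
2024-03-05 09:00:01 "Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'alice' (domain CORP) - user considered 'unknown'"
2024-03-05 09:00:02 "Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'bob' (domain CORP) - user considered 'unknown'"
2024-03-05 09:00:03 "Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'carol' (domain CORP) - user considered 'unknown'"
2024-03-05 09:07:10 "Authentication failed with 40404 (0x00009DD4) (symbol: ''): user 'typo-user' (domain CORP) - user considered 'unknown'"
'@ -split "`r?`n"

# Constructed LSA debug output; the "No Schannel slots available" text is the article's, the thread prefix is assumed.
$lsaDebug = @'
[LSA] Thread 0x1a2b: No Schannel slots available. Waiting for next available slot.
[LSA] Thread 0x1a2c: Netlogon request completed
'@ -split "`r?`n"

# Capture the minute, user and domain from each 40404 line.
$pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}).*Authentication failed with 40404 .*user ''(?<user>[^'']+)'' \(domain (?<domain>[^)]+)\)'

$failures = foreach ($line in $eventLog) {
    if ($line -match $pattern) {
        [pscustomobject]@{ Minute = $Matches.ts; User = $Matches.user; Domain = $Matches.domain }
    }
}

# Heuristic (assumption, not from the article): >= 3 distinct users failing in the same minute
# looks like the DC starving the proxy of Schannel slots; a lone repeating user looks like a bad account.
$BurstThreshold = 3
$buckets = $failures | Group-Object Minute | ForEach-Object {
    $distinct = ($_.Group.User | Sort-Object -Unique).Count
    [pscustomobject]@{
        Minute        = $_.Name
        Failures      = $_.Count
        DistinctUsers = $distinct
        Verdict       = if ($distinct -ge $BurstThreshold) { 'bottleneck-like burst' } else { 'isolated / check the account' }
    }
}
$buckets | Format-Table -AutoSize

# Correlate with the LSA debug log: the starvation message is the direct evidence the article asks for.
$starved = $lsaDebug -match 'No Schannel slots available'
if ($starved) {
    "LSA debug confirms Schannel starvation on {0} line(s)" -f $starved.Count
}
```

Replace the two here-strings with `Get-Content` of the exported event log and the saved debug log to run this against real data; the regex only depends on the message text the article quotes, so it survives a different timestamp prefix as long as the line starts with a date and time.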

Environment

ProxySG or ASG is joined to a Windows Domain and the IWA_Direct/NTLM method is used for user authentication.

Cause

There is no Schannel available for the Netlogon client (the ProxySG or ASG) to use the Netlogon service on the Domain Controller, so authentication requests queue until a slot frees up and the browser re-prompts the user.

Resolution

1. Ask your AD/DC team to check the MaxConcurrentApi registry value on the Domain Controllers (DWORD MaxConcurrentApi under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters). If it is 2, increase it to 10 to give the ProxySG or ASG more Schannel slots for authentication connections. The Netlogon service on each DC must be restarted for the new value to take effect; the DCs that matter are the ones the proxy actually authenticates against, and the change should be applied to all of them.

Once the MaxConcurrentApi value on the DCs has been increased, go to Management Console > Configuration > Authentication > Windows Domain > highlight the Domain > click Edit

and increase Maximum number of concurrent Schannel connections to 10. Do not raise the proxy-side value above what the DCs allow, otherwise the extra channels will simply queue on the DC.
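The script below is an added example for the DC side of step 1, not code from the article or from Broadcom. It audits MaxConcurrentApi on every Domain Controller, reads the Netlogon semaphore performance counters (Semaphore Waiters and Semaphore Timeouts, the DC-side view of the "No Schannel slots available" wait the proxy reports), and raises the value to the target only where it is lower, restarting Netlogon on that DC. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, Domain Admin rights, and Domain Controllers on Windows Server 2012 or later (earlier versions need the update that added the Netlogon counters). The target of 10 is the value the article recommends.

```powershell
# Added example, not from the Broadcom article. Assumes RSAT AD module, WinRM to the DCs and Domain Admin rights.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Target  = 10   # value the article recommends; keep >= the ProxySG "Maximum number of concurrent Schannel connections"

$dcs = (Get-ADDomainController -Filter *).HostName

# Audit first: current registry value plus live Netlogon semaphore counters on each DC.
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($RegPath)
    $current = (Get-ItemProperty -Path $RegPath -Name MaxConcurrentApi -ErrorAction SilentlyContinue).MaxConcurrentApi
    # Waiters > 0 means callers are queued for a slot right now; Timeouts grows when they gave up waiting.
    $waiters  = (Get-Counter '\Netlogon(_Total)\Semaphore Waiters').CounterSamples[0].CookedValue
    $timeouts = (Get-Counter '\Netlogon(_Total)\Semaphore Timeouts').CounterSamples[0].CookedValue
    [pscustomobject]@{
        DC                = $env:COMPUTERNAME
        MaxConcurrentApi  = if ($null -eq $current) { '(not set: OS default)' } else { $current }
        SemaphoreWaiters  = $waiters
        SemaphoreTimeouts = $timeouts
    }
} -ArgumentList $RegPath

$report | Format-Table -AutoSize

# Raise the value only where it is explicitly set below the target.
# Restarting Netlogon briefly interrupts authentication on that DC: run this in a maintenance window, one DC at a time.
foreach ($dc in $report | Where-Object { $_.MaxConcurrentApi -is [int] -and $_.MaxConcurrentApi -lt $Target }) {
    Invoke-Command -ComputerName $dc.DC -ScriptBlock {
        param($RegPath, $Target)
        Set-ItemProperty -Path $RegPath -Name MaxConcurrentApi -Value $Target -Type DWord
        Restart-Service -Name Netlogon
        "{0}: MaxConcurrentApi set to {1}, Netlogon restarted" -f $env:COMPUTERNAME, $Target
    } -ArgumentList $RegPath, $Target
}
```

DCs that report "(not set: OS default)" are deliberately left alone by the remediation loop, because the default differs between Windows Server versions; check the default for the OS in use before deciding whether those need an explicit value as well. Re-run the audit part after the change and after the ProxySG setting has been raised: Semaphore Waiters should stay at 0 under normal load.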

2. For an explicit deployment, the issue can be eased by using an IP surrogate, so that a client that has already authenticated is recognized by its source IP address and is not re-authenticated against the DC for every new session.

NOTE: An IP surrogate cannot be used for shared machines, Citrix or terminal servers, or NATed environments, because every user behind the same IP address would inherit the credentials of whoever authenticated first.

Go to Management Console > Configuration > Policy > Visual Policy Manager > Launch VPM > Web Authentication Layer > Action > Mode: Proxy IP

3. The ideal and long-term solution is to implement IWA_Direct/Kerberos authentication. Kerberos is the more efficient authentication method and it minimizes the NTLM authentication traffic to the DCs, since the proxy validates the client's Kerberos ticket itself instead of passing each NTLM challenge/response through to a Domain Controller. Note that clients will only use Kerberos when they reach the proxy by a name that has a matching HTTP/ service principal name; otherwise the browser falls back to NTLM and the DC load remains.