What is recommended for users in an Always On environment: should the application connect through the AG listener with an AD user or a database user (expecting it to work smoothly with no permission issues)?
I think you need to first understand the difference between a user and a login. To put it simply, a user uses a login to connect to a database. A login is a server-level object while a user is a database-level object. When you mirror, restore, or replicate a database, users move but logins do not, as they are stored in the master database. Also note that the Security Identifier (SID) binds a user to a login; it is not bound by name, as most people think.

If you create an AD account (a domain account), its SID will be the same throughout the domain. Furthermore, if this AD account is added as a login in SQL Server and mapped to a user, they will be bound by this SID. Now, post failover, this AD login will exist on the secondary replica, mirror database, or log-shipped secondary database if you have created it beforehand (you can do that, as logins are created in the master database), and it will automatically bind with the user present in the database, so you will not see a login failure or an orphaned user. So to solve your problem, and if you really do not want to use sp_change_users_login to map logins to users, I suggest you ONLY use an AD account as the login in SQL Server. This AD account will work just fine with the listener as well.
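The following T-SQL is an added example illustrating the answer above; it is not code from the original post. It goes slightly beyond the answer by also showing how a SQL-authenticated login can be made to survive failover when you copy its SID to each replica, and how to find and repair users that did become orphaned. The database name AppDb, the domain account CONTOSO\AppSvc, the SQL login AppSql and the SID value are all assumptions for illustration.

```sql
-- Added example, not part of the original answer. Run the login sections on EVERY
-- replica in the availability group; run the repair section on the current primary.
-- Assumed names: database AppDb, domain account CONTOSO\AppSvc, SQL login AppSql.

USE master;
GO

-- 1. Windows (AD) login. The SID is the domain SID, so the same CREATE LOGIN on
--    each replica yields an identical SID everywhere and the database user binds
--    to it automatically after failover. No orphaned user, nothing to remap.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\AppSvc')
    CREATE LOGIN [CONTOSO\AppSvc] FROM WINDOWS;
GO

-- 2. SQL-authenticated login. SQL Server generates a random SID per instance, so
--    the same CREATE LOGIN on another replica produces a different SID and the
--    database user is orphaned there. Copy the SID from the primary instead.
--    On the primary, read the real SID:
SELECT name, sid FROM sys.server_principals WHERE name = N'AppSql';
--    On each secondary, create the login with that SID (the value below is a
--    hypothetical 16-byte SID used only as a placeholder):
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'AppSql')
    CREATE LOGIN AppSql
        WITH PASSWORD = N'UseTheSamePasswordAsOnThePrimary!1',
             SID = 0x1A2B3C4D5E6F708192A3B4C5D6E7F809;
GO

-- 3. Detect orphaned users after a failover: database users whose SID matches no
--    login on this instance. Users created WITHOUT LOGIN (authentication_type 0)
--    and the built-in principals are excluded so they do not show as false hits.
USE AppDb;
GO
SELECT dp.name AS db_user, dp.type_desc, dp.sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U')              -- SQL user, Windows user
  AND dp.authentication_type <> 0        -- skip users created WITHOUT LOGIN
  AND sp.sid IS NULL
  AND dp.name NOT IN (N'dbo', N'guest', N'INFORMATION_SCHEMA', N'sys');
GO

-- 4. Repair an orphaned user by rebinding it to the login of the same name.
--    This rewrites the user's SID to the login's SID, the same effect as
--    sp_change_users_login 'Update_One'. It must run on the primary, because an
--    AG secondary is read-only; the change then flows to the secondaries.
ALTER USER AppSql WITH LOGIN = AppSql;
GO
```

Step 3 is the check worth scripting into post-failover validation: if it returns rows on the new primary, the application's login will authenticate at the instance but fail to open the database, which is exactly the symptom the answer describes. With AD logins created on all replicas beforehand (step 1), the query should return nothing after a failover.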