In a nutshell we have a windows user account from one domain (userdomain) using remote desktop of an app server in a different domain (appdomain). The user then attempts to Windows authenticate to a SQL server (appdomain) on the same domain as the app server but gets a message saying "account is from an untrusted domain and cannot be used with windows authentication."
The user account has permissions in the target SQL server and can be connected to directly from the user's PC (userdomain) via windows authentication.
The app server and target SQL server are Windows 2003 standard edition, the SQL server being SQL 2005 standard edition.
The connection attempts are via ODBC using the "sql server" driver.
There is another SQL server (SQL 2008 ent) on windows 2008R2 Enterprise (appdomain) which can be connected to via windows authentication from the app server remote desktop. Also, if the user account uses remote desktop onto the windows 2008R2 server, it can then successfully windows authenticate to the original SQL server. With this and the PC connection, it seems to imply that the relevant forest/domain trusts are in place and that the issue is around the target SQL server in some way.
The SQL server service is running as a domain account. There are SPNs for the SQL server , when I do : setspn -L" appdomain\SQLServiceAccount" I get:
NB. users which are in appdomain i.e. the same as the app server and the sql server can connect to the SQL server from remote desktop on the app server without issue.