We were setting up a brand-new SQL Server 2022 instance and couldn’t connect remotely using valid Windows credentials. Every attempt gave us the same error: “Login is from an untrusted domain and cannot be used with Windows authentication.” The client only has one domain. Permissions and firewalls checked out. Local connections with domain accounts worked fine. So why was the server rejecting us from every remote machine, no matter how we connected? The answer turned out to be a change in Windows Server 2025 that more and more DBAs are going to run into.
My advice for every DBA is as follows: make sure you have at least a rudimentary understanding of SPNs, including what they are, what can go wrong when they aren’t set correctly, what “set correctly” even means, and how to set them. You don’t need to be an expert on Kerberos, but I think you do need to be a technician who can note a specific error code and troubleshoot the issue from there.
If you ever had to deal with SSRS or SSIS double-hop issues, you’ve likely already dealt with SPNs in some fashion. Just bite the bullet and spend a few hours boning up on the topic.
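One concrete reading of "set correctly" for a SQL Server service account, as an added example that is not from the original post: it builds the SPNs a SQL Server instance is expected to have, using Microsoft's documented `MSSQLSvc` formats, and checks them against `setspn -L` output. The function names, host name, account and port are assumptions, and the `setspn` output is a constructed sample.

```powershell
# Added example. Host, account and port values below are constructed.
function Get-ExpectedSqlSpn {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [int]    $Port = 1433,
        [string] $InstanceName        # leave empty for a default instance
    )
    # TCP connections look up the host:port form.
    $spns = @("MSSQLSvc/${Fqdn}:$Port")
    # Default instance: bare host form. Named instance: host:instance form.
    if ($InstanceName) { $spns += "MSSQLSvc/${Fqdn}:$InstanceName" }
    else               { $spns += "MSSQLSvc/$Fqdn" }
    return $spns
}

function Compare-SqlSpn {
    param(
        [Parameter(Mandatory)] [string[]] $SetSpnOutput,
        [Parameter(Mandatory)] [string[]] $Expected
    )
    # Registered SPNs are the indented lines under the header line.
    $registered = $SetSpnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
    foreach ($spn in $Expected) {
        [pscustomobject]@{
            Spn        = $spn
            Registered = ($registered -contains $spn)   # case-insensitive match
        }
    }
}

# Constructed sample of `setspn -L CORP\svc-sql` output. On a real system use:
#   $out = setspn -L 'CORP\svc-sql'
$out = @(
    'Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=corp,DC=example,DC=com:'
    "`tMSSQLSvc/sql01.corp.example.com:1433"
)

# Reports the host:port SPN as registered and the bare host SPN as missing.
Compare-SqlSpn -SetSpnOutput $out -Expected (Get-ExpectedSqlSpn -Fqdn 'sql01.corp.example.com')
```

To see which protocol a given connection actually negotiated, query `auth_scheme` in `sys.dm_exec_connections` for the current session; it reports `KERBEROS` or `NTLM` for Windows logins.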