This statement:

OS auth. won't work because they are not on our domain network, so their OS login/AD login wouldn't be recognized on our network.

appears to contradict this statement:

type in the Active Directory user we created for them in our domain in the login prompt, and it connects.

The latter statement strongly implies the user does have an AD login in your organization, so which is it?

