Enabling webserver_auth on IIS with integrated authentication results in losing admin rights and makes account inaccessible.

This issue was alluded to in comment 5 on http://drupal.org/node/22981 and may be related to problems encountered in nodes 284515 and 239101. However, I did not see an elaboration on how the problem manifests itself to the user.

On a freshly installed Drupal on IIS where the drupal admin user name was set to the same value as the IIS authenticated user (assume username is drupal-admin), enabling webserver_auth create a new unprivileged account (DOMAIN\drupal-admin). The session will no longer have admin rights and attempting to log in from new browser windows will authenticated as the new unprivileged user. At this point, it appears impossible to restore admin rights without doing directly into the database and I was not able to find a reliable repair.

The situation can be preempted by changing the username in the database prior to enabling webserver_auth, however \ is not an acceptable character in the username forms, so the name must be changed directly in the database.

mysql>update users set name = "DOMAIN\\drupal-admin" where uid=1;

If that is done just before enabling webserver_auth, the session will still have admin rights after enabling webserver_auth. Whenever that user is seen, the user name will be displayed as DOMAIN\drupal-admin, however new accounts will not have the domain name.

The issue appears to be that the the call to user_external_login_register in webserver_auth_init starts with a user name with the domain name by eventually in its calling stack encounters webserver_auth_user where the username would have been cleaned up. Processing the user name before calling user_external_login_register appears to avoid the issue.