ah! you really cannot play with User-Name - as you have found, the client
doesnt like that to be changed. what you want to do is copy User-Name to Stripped-User-Name and then play with Stripped-User-Name - and use that in the rest of the stages.
how do i copy User-Name to something else?what i ended up doing (it's not super pretty, but works) is using Hints and if prefix == "host" (as machines auth as host/blahblah) then i set a new attribute called domain and use that for the auth, and if i get a real domain as the prefix i just assign that as the attribute domain...not pretty but it works.
Joe