I noticed in my event log that SharePoint often encountered an error with event ID 7888:
A runtime exception was detected. Details below.
Message: Windows NT user or user group 'demo.local/admin' not found. Check the name again.
After some research I discovered that SharePoint doesn't like the notation demo.local/username at all.
Microsoft typically doesn't do too well with FQDN\ServiceAccount syntax.
Since SharePoint was using that somehow (either in the application pool or service, etc), it was giving you that error message.
SharePoint in particular only wants Application Pool accounts to be configured in the NETBIOSDN\ServiceAccount syntax, so it can easily parse out the domain name.
As to why UPNs don't work… I assume it is so fewer LDAP queries are required to get your system up and running as quickly as possible, and the same goes for FQDN syntax.
Change the credentials in IIS Manager:
properties of the pool -> Identity -> change demo.local\ to demo\ and reset IIS.
The error never returned to my event log.
Hope this helps.
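The same fix, scripted, as an added example that is not part of the original post: it walks every IIS application pool running as a specific user, rewrites identities written as demo.local\user, demo.local/user or user@demo.local to the NETBIOS form demo\user, checks that the rewritten account actually resolves to a SID before touching anything, and runs iisreset once something changed. The domain names default to the ones in the post; the NETBIOS name is an assumed parameter (deriving it from the DNS name would need an AD query), the script assumes an elevated session on the IIS server with the WebAdministration module available, and it asks for the account password because IIS does not hand the stored one back.

```powershell
# Added example, not from the original post.
# Rewrite IIS app-pool identities from FQDN\user (demo.local\admin) to
# NETBIOS\user (demo\admin), verify the account resolves, then reset IIS.
# Assumptions: elevated PowerShell on the IIS/SharePoint server, IIS 7+ with
# the WebAdministration module; -NetbiosDomain is supplied by the caller.
param(
    [string]$DnsDomain     = 'demo.local',   # domain as written in the bad identity
    [string]$NetbiosDomain = 'demo',         # short name SharePoint expects
    [switch]$WhatIf                          # report only, change nothing
)

Import-Module WebAdministration

# Return the NETBIOS\user form of $Identity, or $null if it needs no change.
function Convert-ToNetbiosIdentity {
    param([string]$Identity, [string]$DnsDomain, [string]$NetbiosDomain)
    $d = [regex]::Escape($DnsDomain)
    # demo.local\admin or demo.local/admin (-match is case-insensitive)
    if ($Identity -match "^$d[\\/](?<user>.+)$") {
        return "$NetbiosDomain\$($Matches.user)"
    }
    # UPN form admin@demo.local
    if ($Identity -match "^(?<user>[^@]+)@$d$") {
        return "$NetbiosDomain\$($Matches.user)"
    }
    return $null
}

# LSA lookup: does NETBIOS\user translate to a SID on this machine?
function Test-AccountResolves {
    param([string]$Identity)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Identity)
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        return $true
    } catch {
        return $false
    }
}

$changed = 0
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $model = $pool.processModel
    # Built-in identities (ApplicationPoolIdentity, NetworkService, ...) are not affected.
    if ($model.identityType -ne 'SpecificUser') { continue }

    $new = Convert-ToNetbiosIdentity -Identity $model.userName `
               -DnsDomain $DnsDomain -NetbiosDomain $NetbiosDomain
    if (-not $new) { continue }

    if (-not (Test-AccountResolves $new)) {
        Write-Warning "$($pool.Name): '$new' does not resolve; leaving '$($model.userName)' alone"
        continue
    }

    Write-Host "$($pool.Name): $($model.userName) -> $new"
    if ($WhatIf) { continue }

    # IIS will not return the stored password, so ask for it before rewriting.
    $cred = Get-Credential -UserName $new -Message "Password for $new (pool $($pool.Name))"
    Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $new
        password     = $cred.GetNetworkCredential().Password
    }
    $changed++
}

# Same as the manual step in the post: reset IIS after changing the identity.
if ($changed -gt 0 -and -not $WhatIf) { iisreset }
```

Run it first with -WhatIf to see which pools would be rewritten. If SharePoint provisions the pool from one of its managed accounts, correct the account there as well, otherwise the next provisioning pass can put the FQDN form back.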