+1, I'm rather curious about that restriction and didn't find anything enlightening in BOL, which states:
The WITH LOGIN clause enables the remapping of a user to a different login. Users without a login, users mapped to a certificate, or users mapped to an asymmetric key cannot be re-mapped with this clause. Only SQL users and Windows users (or groups) can be remapped. The WITH LOGIN clause cannot be used to change the type of user, such as changing a Windows account to a SQL Server login.
The name of the user will be automatically renamed to the login name if the following conditions are true.
Does that mean that, should we end up with a user that is not mapped to any logins, the only recourse is to drop that user and recreate it as mapped?
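An added example, not part of the comment above or of BOL: a catalog query that sorts a database's users into the categories the quoted passage distinguishes, so users that `WITH LOGIN` cannot remap are visible before any change is attempted. It assumes SQL Server 2012 or later (for `authentication_type_desc`); `app_user` and `app_login` are placeholder names.

```sql
-- Added example: classify database users against the ALTER USER ... WITH LOGIN
-- rules quoted from BOL. Run in the database being reviewed.
-- Assumption: SQL Server 2012+ (authentication_type_desc exists).
SELECT
    dp.name                     AS user_name,
    dp.type_desc                AS user_type,
    dp.authentication_type_desc AS auth_type,
    sp.name                     AS mapped_login,
    CASE
        -- Users mapped to a certificate (C) or asymmetric key (K)
        WHEN dp.type IN ('C', 'K')
            THEN 'Not remappable: mapped to certificate or asymmetric key'
        -- Created WITHOUT LOGIN: type S but no authentication at all
        WHEN dp.authentication_type_desc = 'NONE'
            THEN 'Not remappable: user without login'
        -- Contained user with password: authenticates in the database itself
        WHEN dp.authentication_type_desc = 'DATABASE'
            THEN 'Contained user: authenticates at the database, no login mapping'
        -- SQL user whose SID matches no server login: orphaned
        WHEN dp.type = 'S' AND sp.sid IS NULL
            THEN 'Orphaned SQL user: candidate for WITH LOGIN'
        -- Windows user or group with no login of its own at the server
        WHEN dp.type IN ('U', 'G') AND sp.sid IS NULL
            THEN 'Windows principal with no matching server login'
        ELSE 'Mapped to a login'
    END                         AS remap_status
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE dp.principal_id > 4                  -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND dp.type IN ('S', 'U', 'G', 'C', 'K') -- users only, no roles
ORDER BY remap_status, dp.name;

-- Remapping an orphaned SQL user to an existing login (placeholder names):
-- ALTER USER [app_user] WITH LOGIN = [app_login];
```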