That was it. Must have been getting it confused on what credentials to use. I think the authentictype.secure is applied by default. If so then it was probably trying to pass the logon credentials when trying to make the new user. By setting it to none it uses the application pool account to create the user.

That is, if I understand it correctly...

Still, pretty interesting stuff.

 Thanks for all the help!