I'm posting an answer to my own question to confirm to future readers what the lack of other answers already implies: don't do this.
I think the core of my issue is that I'm trying to have an anonymous process (website session run under system account) identify itself to the recipient (WCF service) in a way not supported by Microsoft / Active Directory (nor most sane security strategists). I was trying to pass an identity within the content of the communication instead of as part of the communication protocol. In my crash course on network and system security, this would be a very dangerous strategy.
In short, one end requires authentication to Active Directory (third-party software) while the other end requires anonymity (website session).
Going forward, we have two possible solutions: build our own security around the communications so that we can pass Active Directory names / passwords as safely as possible, or convince the third-party vendor to relax their authentication requirements (i.e. ticketing agent).