This turns out to have been a permission problem/training issue. I was logging into the Web Client using the local computer Administrator not the Admin@System-Domain. Correcting that and getting my domain information right seems to work. Why it didn't work when I did it at the CLI, I don't know. I also at some point started running the SSO service as an AD user so that may have contributed to things.
In any case, works now.