Multisite Privacy + Domain Mapping = Can't log in to site

Hi guys:

I've got a client site on my network. They've mapped a custom domain to their site, and want to set the site to an enhanced privacy level (it's a youth group site).

Since the domain mapping has taken, they can no longer log in to the site when any of the enhanced privacy options are selected.

They want to have it set to "All users must enter this password". Entering the correct password never logs you into the site.

As network admin, I can see the site when I visit in a browser where I'm already logged in to the network. However, if I attempt to visit the site from an incognito tab, I cannot log in to either the client's site or my network from their custom domain.

Any suggestions?