Confirmed: replacing occurrences of <allow_active>auth_admin_keep</allow_active> with <allow_active>yes</allow_active> does make the problem disappear. There is more than one occurrence of this line. I don't know what difference this actually makes from a policykit / security standpoint -- but it does mean that I can mount my internal windows drives without a password now.
Confirmed: replacing occurrences of <allow_ active> auth_admin_ keep</allow_ active> with <allow_ active> yes</allow_ active> does make the problem disappear. There is more than one occurrence of this line. I don't know what difference this actually makes from a policykit / security standpoint -- but it does mean that I can mount my internal windows drives without a password now.