AJAX calls don't have credentials attached by default. Can you post the code you're using to make the actual AJAX calls on the client side?
I'm assuming here the entire site is using Windows auth and not just a subset. If you're using legacy ASP.NET code then look in the web.config
for the location
elements. These determine which URLs need authentication and which do not.