I have an ASP.NET application that makes use of Ajax Control Toolkit. Everything was working fine until I decided to implement authentication on application level using HttpModules. It's basically about authenticating each request to your application with one piece of code - before each request is processed the code defined in appropriate HttpModule is executed. You can read more on that here or here.
I've discovered that ACT was dynamically loading additional .resx files from the server. The dynamic requests (sort of Ajax calls) didn't contain appropriate parameters so they were rejected.
I've added additional if clause to my authentication code that was allowing all requests to .axd files to pass, regardless parameters. I could do that since none of the files created by me was in that format and I didn't have to care about authentication when such files are requested. Of course, I'm open for suggestions how to resolve this in cleaner way.