the user is asking for a dynamicToken in his proxy.config without even specifying credentials. they'll need to hard-code a long-term token in the proxy.config instead and retest directly in the browser before attempting to access within their app. (ie. http://server/proxy.ashx?http://server/arcgis/rest/secure/MapServer).
if the proxy can display the secure resource directly in the browser, it should appear in their app as well.
can you try using a hardcoded long term token instead?