A user using our client to authenticate with our servers is met with 4XX errors

I am currently debugging an issue with one user who is unable to communicate with our auth servers. This issue is important to us because it's one user, which could likely extend to more users as we grow.

This is the method I use to debug his issue.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

List<string> headers = new List<string>();
HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(url);
webRequest.CookieContainer = new CookieContainer();
webRequest.AllowAutoRedirect = false; // report redirects instead of following them
try
{
    using (HttpWebResponse webResponse = (HttpWebResponse)webRequest.GetResponse())
    {
        headers.Add("Status Code: " + (int)webResponse.StatusCode);
        headers.Add("Status Desc: " + webResponse.StatusDescription);
        // Record every response header except Location
        foreach (string key in webResponse.Headers.Keys)
        {
            if (!key.Equals("Location"))
            {
                var value = webResponse.Headers[key];
                headers.Add(key + ": " + value);
            }
        }
    }
}
catch (Exception ex)
{
    // GetResponse() throws for 4XX/5XX responses, so those end up here
    Console.WriteLine("Error Message: " + ex.Message);
}
```

The errors I have been receiving when he sends requests to our servers are:


Additionally, I have used different HTTP(S) protocols and webRequest.XXXXX settings, but to no avail - the errors are all in the 40X range.


I am aware that the 4XX class of status codes is intended for cases in which the client seems to have erred.

403 Forbidden indicates that the request was a valid request, but the server is refusing to respond to it.

407 Proxy Authentication Required indicates the client must first authenticate itself with the proxy.

One thing I am not entirely sure of is who the culprit of this issue is. Is it:

  1. The user's firewall settings?
  2. The settings of our authentication servers rejecting this user?
  3. The request settings?

Someone in a previous thread suggested I ask the user to install Fiddler to sniff the requests and responses, but I feel uncomfortable having him configure the things that Fiddler asks you to accept in order to use some of its features, for example, HTTPS. Are there alternatives for how I can debug this?
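One way to collect this information from inside the client, without a traffic-inspection tool, shown as an added example that is not part of the original post. `AuthDiagnostics`, `Probe` and `Describe` are hypothetical names; the code assumes the same .NET `HttpWebRequest` API the post uses, reads the response attached to the `WebException`, and reports the proxy in use plus the headers that indicate which hop answered.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class AuthDiagnostics // hypothetical helper, not from the original post
{
    // Returns report lines the client can log or send back to support.
    public static List<string> Probe(string url)
    {
        var report = new List<string>();
        var uri = new Uri(url);
        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.AllowAutoRedirect = false;

        // Record whether a configured proxy will carry this request.
        IWebProxy proxy = request.Proxy;
        if (proxy != null && !proxy.IsBypassed(uri))
            report.Add("Proxy in use: " + proxy.GetProxy(uri));
        else
            report.Add("Proxy in use: none (direct connection)");

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                Describe(response, report);
        }
        catch (WebException ex)
        {
            report.Add("WebException status: " + ex.Status);
            report.Add("Error Message: " + ex.Message);
            // For 4XX/5XX the response is attached to the exception, not returned.
            using (var response = ex.Response as HttpWebResponse)
                if (response != null) Describe(response, report);
        }
        return report;
    }

    static void Describe(HttpWebResponse response, List<string> report)
    {
        report.Add("Status: " + (int)response.StatusCode + " " + response.StatusDescription);
        // Headers that help tell a proxy's answer from the auth server's own answer.
        foreach (var name in new[] { "Proxy-Authenticate", "Via", "Server", "WWW-Authenticate" })
            if (response.Headers[name] != null)
                report.Add(name + ": " + response.Headers[name]);
        if (response.StatusCode == HttpStatusCode.ProxyAuthenticationRequired)
            report.Add("Origin of error: a proxy between the client and the server (407)");
    }
}
```

A `Server` or `Via` value that does not match what the auth servers normally send suggests the 403 was produced by an intermediary rather than by the servers themselves.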