Crayon makes use of the "ajaxurl" parameter:
It's possible you've password protected wp-admin with htaccess. The only component which uses this is the Tag Editor, which can be displayed in TinyMCE boxes (e.g. comments) on the frontend (see the Crayon settings page, under Tag Editor). If you uncheck "Display the Tag Editor in any TinyMCE instances on the frontend (e.g. bbPress)" it should stop asking for a password, but since this is the accepted practice to make AJAX calls to the admin you may want to have a whitelist for that file.