The group expansion is one of the web sites you are supposed to include in your web publishing rules. By chance is that site published but not with the proper authentication? You should be able to see the url passed through in-band provisioning in the client traces (start run tracing should open the folder), once you find the url you can try connecting to it directly and see if this isn't the issue to solve.
Tom